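Update certificates

Update certificates in a Redis Enterprise cluster.

Redis Enterprise Software
Warning:
When you update the certificates, the new certificate replaces the same certificates on all nodes in the cluster.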

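How to update certificates

You can use the rladmin command-line interface (CLI) or the REST API to update certificates. The Cluster Manager UI lets you update proxy and syncer certificates on the Cluster > Security > Certificates screen.

The new certificates are used the next time the clients connect to the database.

When you upgrade Redis Enterprise Software, the upgrade process copies the certificates on the first upgraded node to all of the nodes in the cluster.

Note:
Do not manually overwrite the files located in /etc/opt/redislabs. Instead, upload new certificates to a temporary location on one of the cluster nodes, such as the /tmp directory.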

Use the Cluster Manager UI

To replace proxy or syncer certificates using the Cluster Manager UI:

  1. Go to Cluster > Security > Certificates.

  2. Expand the section for the certificate you want to update:

    • For the proxy certificate, expand Server authentication.
    • For the syncer certificate, expand Replica Of and Active-Active authentication.

  3. Click Replace Certificate to open the dialog.

  4. Upload the key file.

  5. Upload the new certificate.

  6. Click Save.

Use the CLI

To replace certificates with the rladmin CLI, run the cluster certificate set command:

 rladmin cluster certificate set <cert-name> certificate_file <cert-file-name>.pem key_file <key-file-name>.pem

Replace the following variables with your own values:

  • <cert-name> - The name of the certificate you want to replace. See the certificates table for the list of valid certificate names.
  • <cert-file-name> - The name of your certificate file
  • <key-file-name> - The name of your key file

For example, to replace the Cluster Manager UI (cm) certificate with the private key key.pem and the certificate file cluster.pem:

rladmin cluster certificate set cm certificate_file cluster.pem key_file key.pem

Use the REST API

To replace a certificate using the REST API, use PUT /v1/cluster/update_cert:

PUT https://[host][:port]/v1/cluster/update_cert
    '{ "name": "<cert_name>", "key": "<key>", "certificate": "<cert>" }'

Replace the following variables with your own values:

  • <cert_name> - The name of the certificate to replace. See the certificates table for the list of valid certificate names.

  • <key> - The contents of the *_key.pem file

    Tip:
    The key file contains \n end of line characters (EOL) that you cannot paste into the API call. You can use sed -z 's/\n/\\\n/g' to escape the EOL characters.
  • <cert> - The contents of the *_cert.pem file
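
The request body described above, built from PEM files, as an added example that is not part of the original page. The function names pem_to_json_string and build_update_cert_body are hypothetical, the PEM content in the demo is constructed, and awk is used here in place of the sed command from the tip to write each end of line as the two-character JSON escape \n.

```shell
#!/bin/sh
# Added example (not from the Redis documentation): build the JSON body for
# PUT /v1/cluster/update_cert from a certificate file and a key file.

# pem_to_json_string FILE
# Print FILE on one line, each end of line written as backslash + n.
pem_to_json_string() {
    # PEM text never contains quotes or backslashes; refuse anything that
    # would need further JSON escaping instead of emitting a broken body.
    if grep -q '["\\]' "$1"; then
        echo "unexpected character in $1" >&2
        return 1
    fi
    # Drop carriage returns (files edited on Windows), then join the lines.
    tr -d '\r' < "$1" | awk '{ printf "%s\\n", $0 }'
}

# build_update_cert_body NAME CERT_FILE KEY_FILE
build_update_cert_body() {
    name=$1 cert_file=$2 key_file=$3
    case $name in
        ''|*[!A-Za-z0-9_]*) echo "invalid certificate name: $name" >&2; return 1 ;;
    esac
    # Catch swapped arguments before a private key lands in the wrong field.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cert_file" ||
        { echo "$cert_file is not a certificate" >&2; return 1; }
    grep -q -- 'PRIVATE KEY-----' "$key_file" ||
        { echo "$key_file is not a private key" >&2; return 1; }
    cert=$(pem_to_json_string "$cert_file") || return 1
    key=$(pem_to_json_string "$key_file") || return 1
    printf '{ "name": "%s", "key": "%s", "certificate": "%s" }\n' \
        "$name" "$key" "$cert"
}

# Demo with constructed, non-functional PEM content.
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
    '-----END CERTIFICATE-----' > "$demo_dir/cluster.pem"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
    '-----END PRIVATE KEY-----' > "$demo_dir/key.pem"
build_update_cert_body cm "$demo_dir/cluster.pem" "$demo_dir/key.pem"
rm -rf "$demo_dir"
```

Send the printed line as the body of the PUT request; it contains the private key, so avoid writing it to shell history or world-readable files.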

Replica Of database certificates

This section describes how to update certificates for Replica Of databases.

Update proxy certificates

To update the proxy certificate on clusters running Replica Of databases:

  1. Use the Cluster Manager UI, rladmin, or the REST API to update the proxy certificate on the source database cluster.

  2. From the Cluster Manager UI, update the destination database (replica) configuration with the new certificate.

Note:
  • Perform step 2 as quickly as possible after performing step 1. Connections using the previous certificate are rejected after applying the new certificate. Until both steps are performed, recovery of the database sync cannot be established.

Active-Active database certificates

Update proxy certificates

To update the proxy certificate on clusters running Active-Active databases:

  1. Use the Cluster Manager UI, rladmin, or the REST API to update proxy certificates on a single cluster, multiple clusters, or all participating clusters.

  2. Use the crdb-cli utility to update Active-Active database configuration from the command line. Run the following command once for each Active-Active database residing on the modified clusters:

    crdb-cli crdb update --crdb-guid <CRDB-GUID> --force
    
Note:
  • Perform step 2 as quickly as possible after performing step 1. Connections using the previous certificate are rejected after applying the new certificate. Until both steps are performed, recovery of the database sync cannot be established.
  • Do not run any other crdb-cli crdb update operations between the two steps.

Update syncer certificates

To update your syncer certificate on clusters running Active-Active databases, follow these steps:

  1. Update your syncer certificate on one or more of the participating clusters using the Cluster Manager UI, rladmin, or the REST API. You can update a single cluster, multiple clusters, or all participating clusters.

  2. Update the Active-Active database configuration from the command line with the crdb-cli utility. Run this command once for each Active-Active database that resides on the modified clusters:

    crdb-cli crdb update --crdb-guid <CRDB-GUID> --force
    
Note:
  • Run step 2 as quickly as possible after step 1. Between the two steps, new syncer connections that use the ‘old’ certificate will get rejected by the cluster that has been updated with the new certificate (in step 1).
  • Do not run any other crdb-cli crdb update operations between the two steps.
  • Known limitation: Updating syncer certificate on versions prior to 6.0.20-81 will restart the proxy and syncer connections. In these cases, we recommend scheduling certificate replacement carefully to minimize customer impact.