Redis certificate renewal procedure.
Generating a private key and certificate signing request (CSR):
These steps need to be performed on only one HAA node. Once the new certificate is installed, it will be propagated to all other HAA nodes.
- Log into your primary HAA server via SSH
- Navigate to a temporary working directory of your choice (e.g. /home//temp)
- Using any text editor such as nano, create an OpenSSL configuration file called haa1.cnf with the following contents, then:
- Update the locality parameters as required, e.g. countryName, localityName…
- Under commonName and DNS.1 replace haa1.uipath.local with the FQDN of your primary HAA node
- Under DNS.2 and DNS.3 replace haa2.uipath.local and haa3.uipath.local with the FQDNs of your secondary and tertiary HAA nodes
- Whilst still in your working folder, run the following command to generate a private key and CSR: openssl req -out haa1.csr -newkey rsa:2048 -nodes -keyout haa1.key -config haa1.cnf
- Three files will now be present in the current folder:
- haa1.csr
- haa1.key
- haa1.cnf
- When prompted, retype each parameter for the command to work. For example, type “GB” when presented with GB
Submitting the CSR to your certificate authority (CA)
- Submit the haa1.csr to your CA. The CA will return a signed certificate to you. The process for doing this can vary between organizations; ask IT for the procedure, or whether they can do it on your behalf
- Verify that the certificate is in Base64 format by opening it in Notepad. If it is in Base64 format it will look similar to the below:
- If it does not look similar to the above, the certificate will require conversion to Base64
- For Windows users, if a Windows-based CA returns a p7b file, double-click it and export the certificate directly to Base64 PEM. You may disregard the root certificate; only the host certificate is required.
- For other formats, convert the certificate returned into a Base64 format with the PEM extension. A useful link for handling certificate conversions is here. Disregard the root certificate; only the host certificate is required.
- In your working directory back on the HAA server, create a new file named haa1.pem in the folder and copy-paste the contents of the new certificate into it
- There will be 4 files present in the folder:
- haa1.csr
- haa1.key
- haa1.cnf
- haa1.pem
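Before installing haa1.pem, it is worth confirming that it is PEM text, that it was issued for haa1.key, and that it lists every HAA node. The script below is an added example, not part of the original procedure; the function names check_haa_cert and make_demo_pair are hypothetical, and make_demo_pair only builds a constructed self-signed pair for trying the check out.

```shell
#!/bin/sh
# Added example: pre-install check of the CA-signed certificate.
# Usage: sh check_haa_cert.sh CERT.pem KEY.key FQDN [FQDN...]
# Returns 0 ok, 2 not a PEM certificate, 3 key unreadable or mismatched,
# 4 SAN missing, 5 expired.
check_haa_cert() {
    c_cert=$1; c_key=$2; shift 2
    # The file must be Base64 PEM text, not binary DER or a p7b bundle.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$c_cert" 2>/dev/null ||
        { echo "FAIL: $c_cert is not a PEM certificate" >&2; return 2; }
    c_pub=$(openssl x509 -in "$c_cert" -noout -pubkey 2>/dev/null) ||
        { echo "FAIL: $c_cert does not parse as X.509" >&2; return 2; }
    # The certificate must carry the public half of the key created with the CSR.
    k_pub=$(openssl pkey -in "$c_key" -pubout 2>/dev/null) ||
        { echo "FAIL: cannot read private key $c_key" >&2; return 3; }
    [ "$c_pub" = "$k_pub" ] ||
        { echo "FAIL: certificate was not issued for $c_key" >&2; return 3; }
    # Every HAA node FQDN must appear as a DNS subjectAltName entry.
    c_sans=$(openssl x509 -in "$c_cert" -noout -text |
        grep -A1 'Subject Alternative Name' | tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    for c_name in "$@"; do
        printf '%s\n' "$c_sans" | grep -qixF "DNS:$c_name" ||
            { echo "FAIL: SAN DNS:$c_name is missing" >&2; return 4; }
    done
    # Reject a certificate that has already expired.
    openssl x509 -in "$c_cert" -noout -checkend 0 >/dev/null ||
        { echo "FAIL: $c_cert has expired" >&2; return 5; }
    echo "OK: $c_cert matches $c_key and covers: $*"
}

# Constructed test input: a throwaway self-signed pair written to directory $1,
# using the page's three example FQDNs (not a CA-issued certificate).
make_demo_pair() {
    printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' \
        'x509_extensions = ext' '[dn]' 'CN = haa1.uipath.local' '[ext]' \
        'subjectAltName = DNS:haa1.uipath.local, DNS:haa2.uipath.local, DNS:haa3.uipath.local' \
        > "$1/demo.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/demo.cnf" \
        -keyout "$1/haa1.key" -out "$1/haa1.pem" 2>/dev/null
}

if [ "$#" -ge 3 ]; then check_haa_cert "$@"; fi
```

Run it from the working directory with haa1.pem, haa1.key and the FQDNs of all three nodes as arguments; any non-zero exit code means the certificate should not be installed yet.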
Installing the certificate returned by the CA into Redis
- Switch to a user with root permissions.
- Navigate to /opt/redislabs/bin
- Run ./rladmin
- Run cluster certificate set cm certificate_file key_file. For example: cluster certificate set cm certificate_file /home/darren/haa1.pem key_file /home/darren/haa1.key
- Rerun the command 4 more times, each time replacing cm with the flag for one of the other components of the HAA:
- cluster certificate set api certificate_file key_file
- cluster certificate set proxy certificate_file key_file
- cluster certificate set syncer certificate_file key_file
- cluster certificate set metrics_exporter certificate_file key_file
- Exit rladmin with the exit command.
- Reboot the HAA server using shutdown -r now
- The next time you navigate to http://haa1.uipath.local:8443, the site will be trusted. Other nodes will also be automatically updated to use the new certificate.