How to rotate pxc_server_ca and mysql_server_certificate certs used by App Metrics Tile 1.6.x

Article ID: 293386

Products

Operations Manager

Issue/Introduction

Operations Manager (Ops Manager) generates a warning that the mysql_server_certificate and pxc_server_ca certificates, shown below, are due to expire.

{
  "certificates": [
    {
      "is_ca": false,
      "property_reference": null,
      "property_type": null,
      "product_guid": "apmPostgres-5df8a42789b48ca6d993",
      "configurable": true,
      "issuer": null,
      "valid_from": null,
      "valid_until": "2019-10-25T12:35:39Z",
      "location": "credhub",
      "variable_path": "/p-bosh-bf9961400faad5c91fb9/apmPostgres-5df8a42789b48ca6d993/mysql_server_certificate"
    },
    {
      "is_ca": true,
      "property_reference": null,
      "property_type": null,
      "product_guid": "apmPostgres-5df8a42789b48ca6d993",
      "configurable": true,
      "issuer": null,
      "valid_from": null,
      "valid_until": "2019-10-25T12:35:38Z",
      "location": "credhub",
      "variable_path": "/p-bosh-bf9961400faad5c91fb9/apmPostgres-5df8a42789b48ca6d993/pxc_server_ca"
    }
  ]
}


Resolution

The mysql_server_certificate and pxc_server_ca certificates were once required by App Metrics but are no longer needed. App Metrics 1.6.x uses the MySQL BOSH release, which requires these certs, but App Metrics does not use them when communicating with the data store.

During the upgrade/install process to App Metrics 2.0, you will uninstall App Metrics 1.6.x, and the unused certs will be removed from CredHub at that stage.

If you want to stop Ops Manager from generating a warning about these two certificates, you can use the following procedure to rotate them:

1. Log in to CredHub by following this documentation:
https://docs.pivotal.io/platform/2-7/security/pcf-infrastructure/manual-credhub-certificate.html

2. Identify exactly which certificates are in CredHub:

credhub curl -p "/api/v1/certificates" -X GET | jq


3. Run the following commands to delete the two certificates from CredHub, using the certificate names reported for your own deployment:

ubuntu@opsmgr-37-haas-59-pez-pivotal-io:~$ credhub delete --name /p-bosh/apmPostgres-f97cf43c96a32160fa67/mysql_server_certificate

Credential successfully deleted

ubuntu@opsmgr-37-haas-59-pez-pivotal-io:~$ credhub delete --name /p-bosh/apmPostgres-f97cf43c96a32160fa67/pxc_server_ca

Credential successfully deleted


4. Run selective Apply Changes against the Ops Manager and the Metrics tile. 

5. Log in to CredHub to verify that the certs have been rotated with this command:

credhub curl -p "/api/v1/certificates" -X GET | jq


OR


Use this URL in your browser:

https://OPS-MAN-FQDN/api/v0/deployed/certificates
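
To pick the two App Metrics entries out of a certificate listing in the format shown in the Issue section, before step 3 and again when verifying in step 5, a small filter such as the following can be used. It is an added example, not part of the original article or of Ops Manager; the function names, the 30-day window and the use of the "apmPostgres-" product_guid prefix as a filter are assumptions, and the sample JSON is constructed from the output above plus one made-up entry.

```python
import json
from datetime import datetime, timedelta, timezone

# The two certificate names this article covers.
UNUSED_CERT_NAMES = ("mysql_server_certificate", "pxc_server_ca")
# product_guid prefix seen in the article's output (used as a filter by assumption).
TILE_PREFIX = "apmPostgres-"

# Constructed sample shaped like the Ops Manager output; the last entry is made up.
SAMPLE = """{"certificates": [
 {"is_ca": false, "product_guid": "apmPostgres-5df8a42789b48ca6d993",
  "valid_until": "2019-10-25T12:35:39Z", "location": "credhub",
  "variable_path": "/p-bosh-bf9961400faad5c91fb9/apmPostgres-5df8a42789b48ca6d993/mysql_server_certificate"},
 {"is_ca": true, "product_guid": "apmPostgres-5df8a42789b48ca6d993",
  "valid_until": "2019-10-25T12:35:38Z", "location": "credhub",
  "variable_path": "/p-bosh-bf9961400faad5c91fb9/apmPostgres-5df8a42789b48ca6d993/pxc_server_ca"},
 {"is_ca": true, "product_guid": "example-tile-000000", "valid_until": "2019-10-25T12:35:38Z",
  "location": "credhub", "variable_path": "/p-bosh-bf9961400faad5c91fb9/example-tile-000000/pxc_server_ca"}
]}"""


def parse_ts(value):
    """Parse a timestamp such as 2019-10-25T12:35:39Z; null values stay None."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def expiring_unused_certs(doc, now, within_days=30):
    """Return (variable_path, is_ca, days_left) for the tile's two unused certs
    stored in CredHub that expire within the window or have already expired."""
    cutoff = now + timedelta(days=within_days)
    hits = []
    for cert in doc.get("certificates", []):
        path = cert.get("variable_path") or ""
        if cert.get("location") != "credhub":
            continue  # only CredHub-held certs are handled with `credhub delete`
        if not (cert.get("product_guid") or "").startswith(TILE_PREFIX):
            continue  # this article covers only the App Metrics tile's certs
        if path.rsplit("/", 1)[-1] not in UNUSED_CERT_NAMES:
            continue
        expires = parse_ts(cert.get("valid_until"))
        if expires is not None and expires <= cutoff:
            hits.append((path, bool(cert.get("is_ca")), (expires - now).days))
    return sorted(hits, key=lambda h: (not h[1], h[0]))  # CA first


if __name__ == "__main__":
    for path, is_ca, days in expiring_unused_certs(json.loads(SAMPLE), datetime.now(timezone.utc)):
        print(f"{'CA  ' if is_ca else 'leaf'} {days:>6}d  {path}")
```

Feed it the JSON saved from https://OPS-MAN-FQDN/api/v0/deployed/certificates instead of SAMPLE; after step 4 the same two paths should no longer be reported.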