Renewing PostgreSQL cluster certificates¶

Preparations¶

Certificate renewal¶

Before performing any actions on the PostgreSQL cluster nodes, please prepare new certificates for each of the cluster nodes. As a reminder, certificates must comply with several constraints specified in the PostgreSQL cluster prerequisites.

If you want to make the change on the fly without impacting production, you must meet the following conditions:

The certification authority has not been renewed since the last generation of PostgreSQL node certificates
The certification authority will not expire during the validity period of the new certificates
You can still generate and sign certificates with the same certification authority that was used when the previous PostgreSQL node certificates were generated
The PostgreSQL node certificates have not yet expired

If these conditions are met, then you can consider renewing the certificates on the fly without interrupting production.

To regenerate certificates using the openssl PKI indicated, optionally, in the PostgreSQL cluster installation documentation, you must reuse the certification authority key and then replay the certificate generation commands.

If it is not possible to renew the certificates on the fly and you are using a PKI via openssl, we recommend that you create a new one.

Preparing the certificates¶

You will need to send in /tmp/ the root certification authority certificate with a .crt extension to each of the PostgreSQL nodes.

You will also need to send in /tmp/ the certificate and its associated private key to each of the PostgreSQL nodes. If you only have one .p12 file available, please run the following commands to extract the certificate (psql.crt) and private key (psql.key):

openssl pkcs12 -clcerts -nokeys -out psql.crt -in P12_CERT
openssl pkcs12 -nocerts -out psql.key -in P12_CERT

Please replace in the previous P12_CERT commands with the name of your .p12 certificate file.

Certificate renewal¶

Warning!

If you can and wish to perform a live update of the certificates without interrupting production, you will need to:

Renew certificates sequentially on each node
Renew certificates on a REPLICA node only (see how to retrieve information from the LEADER node)
Always have at least two PostgreSQL nodes operational and work on the third
To work on the LEADER node, switch the LEADER to another node

To simplify the following actions, please customize the variables in the commands below with your values (modify the customization for each PostgreSQL node):

Value	Variable	Definition
	`PSQL_CERT`	New PostgreSQL node certificate.
	`PSQL_KEY`	Key associated with the new PostgreSQL node certificate.
	`PSQL_CA`	Certificate from the root certification authority that was used to generate the PostgreSQL node certificate.

Connect via SSH as root to the PostgreSQL node whose certificates you want to update and run the following commands to replace the certificates:

cp /tmp/PSQL_CERT /etc/etcd/peer.crt
cp /tmp/PSQL_CERT /etc/etcd/client.crt
cp /tmp/PSQL_CERT /etc/patroni/client.crt
cp /tmp/PSQL_KEY /etc/etcd/peer.key
cp /tmp/PSQL_KEY /etc/etcd/client.key
cp /tmp/PSQL_KEY /etc/patroni/client.key
cp /tmp/PSQL_CA /etc/etcd/ca.crt
cp /tmp/PSQL_CA /etc/patroni/ca.crt
cp /tmp/PSQL_CA /usr/local/share/ca-certificates/PSQL-CA-`date +%G-%m-%d`.crt
update-ca-certificates

To finalize the certificate changes, you must restart the PostgreSQL node:

reboot