Environment
- Yugabyte Anywhere: All versions (YBA Installer)
Issue
When configuring YugabyteDB Anywhere (YBA) in a High Availability (HA) setup, communication between the YBA instances may fail if the TLS certificates do not include the required Subject Alternative Names (SANs). This typically occurs when a load balancer is used to expose the YBA instances, and the load balancer's IP address or hostname is not included in the certificate of the other YBA instance. The error message in the YBA logs will be similar to java.net.ConnectException: No subject alternative names matching IP address <IP> found.
Resolution
Overview
The root cause of this issue is that the YBA-generated TLS certificate for each instance does not automatically include the IP addresses or hostnames of other YBA instances or load balancers in the HA setup. To resolve this, you need to manually regenerate the server certificate on each YBA instance to include the necessary SANs. This article provides a step-by-step guide on how to regenerate the YBA TLS certificates to add additional SANs.
Steps
1. Create a file named server-cert.cnf in the YBA certificate directory. By default, this is:

/opt/yugabyte/data/yba-installer/certs/

Note: The actual directory may vary depending on your YBA installation path. Adjust the commands below to match your YBA installation directory.

sudo vi /opt/yugabyte/data/yba-installer/certs/server-cert.cnf

Add the following content to the file, replacing the placeholder IP addresses with the actual IP addresses or hostnames of all YBA instances and load balancers in the HA setup. Add one entry for each IP address or hostname.

[req]
req_extensions = v3_req
[v3_req]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = critical, @alt_names
[alt_names]
IP.1 = <IP_ADDRESS_1>
IP.2 = <IP_ADDRESS_2>
DNS.1 = <HOSTNAME_1>

2. Create a new Certificate Signing Request (CSR).
Create a new CSR from the existing server certificate and key.

sudo openssl x509 -x509toreq -in /opt/yugabyte/data/yba-installer/certs/server-cert.pem -signkey /opt/yugabyte/data/yba-installer/certs/server-key.pem -out /opt/yugabyte/data/yba-installer/certs/server-cert.csr

3. Back up the existing server certificate.
Create a backup of the current server certificate.

sudo cp -p /opt/yugabyte/data/yba-installer/certs/server-cert.pem /opt/yugabyte/data/yba-installer/certs/server-cert.pem.bak

4. Sign the new certificate.
Sign the new certificate using the CA certificate and key.

sudo openssl x509 -req -in /opt/yugabyte/data/yba-installer/certs/server-cert.csr -CA /opt/yugabyte/data/yba-installer/certs/ca_cert.pem -CAkey /opt/yugabyte/data/yba-installer/certs/ca_key.pem -set_serial $(date "+%s%3N") -out /opt/yugabyte/data/yba-installer/certs/new-server-cert.pem -days 1460 -sha256 -extensions v3_req -extfile /opt/yugabyte/data/yba-installer/certs/server-cert.cnf

5. Verify the new certificate.
Verify that the new certificate contains the correct SANs.

sudo openssl x509 -in /opt/yugabyte/data/yba-installer/certs/new-server-cert.pem -text -noout

Compare the output with the old certificate to ensure that the only changes are the Serial Number, Validity, Subject Alternative Names, and Signature.

sudo openssl x509 -in /opt/yugabyte/data/yba-installer/certs/server-cert.pem -text -noout

Note: Once the new certificate content has been verified, ensure that the ownership and permissions of the new certificate files match those of the old files. This may vary depending on which user account YBA runs under.

6. Update the server certificate.
Replace the old server certificate with the new one.

sudo cp /opt/yugabyte/data/yba-installer/certs/new-server-cert.pem /opt/yugabyte/data/yba-installer/certs/server-cert.pem

7. Rebuild the server PEM file.
Concatenate the server key and the new server certificate to create the server.pem file that YBA uses.

sudo bash -c 'cat /opt/yugabyte/data/yba-installer/certs/server-key.pem /opt/yugabyte/data/yba-installer/certs/server-cert.pem > /opt/yugabyte/data/yba-installer/certs/server.pem'

8. Restart YBA.
Restart the YBA service to apply the changes.

sudo yba-ctl restart

9. Repeat on all YBA instances.
Repeat these steps on all YBA instances in the HA setup, ensuring that the server-cert.cnf file on each instance contains the SANs for all other instances and load balancers.
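The SAN check in step 5 can be scripted so that each instance's certificate is tested against the full list of peer IPs and load balancer hostnames before it is installed. The functions below are an added example, not Yugabyte's code; they assume openssl 1.1.1 or later on PATH, and the addresses, hostname and throwaway CA are constructed samples rather than the YBA files.

```shell
# Added example, not Yugabyte's code: verify that a YBA server certificate
# carries every SAN its HA peers and load balancer need (the check behind
# step 5), using only openssl. Paths, IPs and hostnames are constructed.
# Print the SAN line of a PEM certificate as openssl renders it, e.g.
# "IP Address:10.0.0.1, DNS:yba-lb.example.com".
cert_sans() {
  openssl x509 -in "$1" -noout -text |
    awk '/X509v3 Subject Alternative Name/ { getline; sub(/^ +/, ""); print; exit }'
}

# cert_has_sans CERT SAN... : succeed only if every listed IP or hostname
# appears as a SAN; the first missing one is reported on stderr.
cert_has_sans() {
  cert="$1"; shift
  sans=$(cert_sans "$cert")
  for want in "$@"; do
    case ", $sans, " in
      *", IP Address:$want, "* | *", DNS:$want, "*) ;;
      *) echo "missing SAN: $want" >&2; return 1 ;;
    esac
  done
  return 0
}

# make_test_cert DIR : build a throwaway CA and a server cert from a
# server-cert.cnf laid out like the article's, signed as in step 4.
make_test_cert() {
  d="$1"; mkdir -p "$d"
  cat > "$d/server-cert.cnf" <<'EOF'
[req]
distinguished_name = dn
req_extensions = v3_req
[dn]
[v3_req]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = critical, @alt_names
[alt_names]
IP.1 = 10.0.0.1
IP.2 = 10.0.0.2
DNS.1 = yba-lb.example.com
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=test-ca -days 1 \
    -config "$d/server-cert.cnf" -keyout "$d/ca_key.pem" -out "$d/ca_cert.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj /CN=yba -config "$d/server-cert.cnf" \
    -keyout "$d/server-key.pem" -out "$d/server-cert.csr" 2>/dev/null
  openssl x509 -req -in "$d/server-cert.csr" -CA "$d/ca_cert.pem" -CAkey "$d/ca_key.pem" \
    -set_serial 1 -days 1 -sha256 -extensions v3_req -extfile "$d/server-cert.cnf" \
    -out "$d/server-cert.pem" 2>/dev/null
}
```

On a real instance, run cert_has_sans against new-server-cert.pem with every IP and hostname from server-cert.cnf before copying it over server-cert.pem.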