Certificate expiration
Every time a DBOD instance is deployed on or removed from a host, its DNS alias is added to or removed from the host certificate. As a result, host certificates in the DBOD service are generally updated several times per year.
When an instance starts, it reads the current version of the certificate and loads it into memory. When the certificate in use by the instance is close to expiring, we notify the owner and its administrative e-group. Notifications are sent 30 days before, 7 days before, the day before, and on the day of expiration: you will receive an email with a subject starting with 'The TLS certificate of instance xxx is expiring...'
The sections below explain how to check the validity of the certificate currently used by your instance, so that you can compare the dates before and after taking action to reload it.
MySQL
Check validity dates
You can execute this command to check the validity of the instance certificate:
echo | openssl s_client -connect dbod-<instance_name>.cern.ch:<instance_port_number> -starttls mysql 2>/dev/null | openssl x509 -noout -dates
How to renew the certificate
To renew the certificate, you have 2 options:
- You can run the following command as admin in your instance:
  ALTER INSTANCE RELOAD TLS;
  This option is preferred as it doesn't impact your instance.
- Another possibility is to restart the instance at any time from the DBOD web interface: https://dbod.web.cern.ch/pages/instance/<instance_name>
PostgreSQL
Check validity dates
You can execute this command to check the validity of the instance certificate:
echo | openssl s_client -connect dbod-<instance_name>.cern.ch:<instance_port_number> -starttls postgres 2>/dev/null | openssl x509 -noout -dates
How to renew the certificate
To renew the certificate, you can reload the config file of your instance (or restart the instance) at any time from the DBOD web interface: https://dbod.web.cern.ch/pages/instance/<instance_name>
InfluxDB
Check validity dates
You can execute this command to check the validity of the instance certificate:
echo | openssl s_client -servername dbod-<instance_name>.cern.ch -connect dbod-<instance_name>.cern.ch:<instance_port_number> 2>/dev/null | openssl x509 -noout -dates
How to renew the certificate
To renew the certificate, you can restart your instance at any time from the DBOD web interface: https://dbod.web.cern.ch/pages/instance/<instance_name>
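The before/after comparison described in the introduction can be scripted for any of the three engines. The following is an added example, not part of the DBOD documentation: it parses the output of the openssl commands above, reports the whole days left, and checks that the certificate served after a reload expires later than the previous one. The function names and sample dates are constructed, and it assumes a renewed certificate carries a later notAfter.

```shell
#!/bin/sh
# Added example: interpret the output of `openssl x509 -noout -dates`.

# Convert openssl's "Mon DD HH:MM:SS YYYY GMT" to Unix epoch seconds using
# integer arithmetic only, so it works without GNU `date -d`.
cert_epoch() {
    set -- $1                                  # month day time year zone
    case $1 in
        Jan) m=1;; Feb) m=2;; Mar) m=3;; Apr) m=4;; May) m=5;; Jun) m=6;;
        Jul) m=7;; Aug) m=8;; Sep) m=9;; Oct) m=10;; Nov) m=11;; Dec) m=12;;
        *) return 1;;
    esac
    d=${2#0}; y=$4
    hh=${3%%:*}; ss=${3##*:}; mm=${3#*:}; mm=${mm%:*}
    hh=${hh#0}; mm=${mm#0}; ss=${ss#0}         # avoid octal parsing of 08/09
    if [ "$m" -le 2 ]; then y=$((y - 1)); m=$((m + 9)); else m=$((m - 3)); fi
    era=$((y / 400)); yoe=$((y - era * 400))
    doe=$((yoe * 365 + yoe / 4 - yoe / 100 + (153 * m + 2) / 5 + d - 1))
    echo $(( (era * 146097 + doe - 719468) * 86400 + hh * 3600 + mm * 60 + ss ))
}

# Extract the notAfter value from the two-line -dates output.
not_after() { printf '%s\n' "$1" | sed -n 's/^notAfter=//p'; }

# Whole days from now_epoch ($2) until the certificate described in $1 expires.
days_left() {
    exp=$(cert_epoch "$(not_after "$1")") || return 1
    echo $(( (exp - $2) / 86400 ))
}

# Succeeds when the certificate served after the reload ($2) expires later than
# the one served before it ($1). Assumption: a renewed cert has a later notAfter.
reload_took_effect() {
    b=$(cert_epoch "$(not_after "$1")") && a=$(cert_epoch "$(not_after "$2")") &&
        [ "$a" -gt "$b" ]
}

# Constructed sample outputs, not captured from a real instance.
BEFORE='notBefore=Jun  1 08:00:00 2024 GMT
notAfter=Jun  1 08:00:00 2025 GMT'
AFTER='notBefore=May 20 09:30:00 2025 GMT
notAfter=May 20 09:30:00 2026 GMT'
NOW=1748131200                                 # constructed: 2025-05-25 00:00:00 UTC

echo "days left before reload: $(days_left "$BEFORE" "$NOW")"
reload_took_effect "$BEFORE" "$AFTER" && echo "instance serves the renewed certificate"
```

In real use, replace the BEFORE and AFTER strings with the captured output of the check command for your engine, and NOW with `$(date +%s)`.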