Update TLS certificate for Exasol Admin
This article explains how to update the TLS certificate for Exasol Admin.
To update the TLS certificate for Exasol Admin, you must upload the new certificate and key to each node and then restart the host. This must currently be done from a Linux terminal; it cannot be done from the Exasol Admin UI.
The procedure is slightly different depending on whether you installed Exasol to run as root (rootful) or with a non-root user (rootless). Both use cases are described in the examples in this article.
The certificate and key must be uploaded to each node in the cluster.
Prerequisites
- A self-signed or CA-signed server certificate using either RSA or ECC encryption
- A private key file for the server certificate
The private key for the server certificate must not be encrypted.
Upload certificate and key files
- Upload the certificate file and the certificate key as server.crt and server.key to each host in the cluster. Upload the files to the directory /var/lib/ccc/etc if Exasol is running as root, and to ~/.ccc/ccc/etc if Exasol is running with a non-root user (rootless).
Example:
# if Exasol is installed to run as root (rootful):
cat mycert.pem | c4 connect -i $PLAY_ID -s host -n $node -- 'tee /var/lib/ccc/etc/server.crt'
cat mykey.pem | c4 connect -i $PLAY_ID -s host -n $node -- 'tee /var/lib/ccc/etc/server.key'
# if Exasol is installed with a non-root user (rootless):
cat mycert.pem | c4 connect -i $PLAY_ID -s host -n $node -- 'tee ~/.ccc/ccc/etc/server.crt'
cat mykey.pem | c4 connect -i $PLAY_ID -s host -n $node -- 'tee ~/.ccc/ccc/etc/server.key'
To get the play ID and node IDs, you can use c4 ps. For more information, see How to use c4.
- Restart the exasol-admin-ui systemd service on the host:
# if Exasol is installed to run as root (rootful):
sudo systemctl restart exasol-admin-ui
# if Exasol is installed with a non-root user (rootless):
systemctl --user restart exasol-admin-ui
- Repeat this procedure on all nodes.
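A pre-upload check for the prerequisites above, as an added example that is not part of the Exasol documentation: it rejects an encrypted private key and confirms that the key belongs to the certificate before the files are copied to the nodes. It assumes the openssl command-line tool is installed on the machine you upload from; the function names are hypothetical, and mycert.pem and mykey.pem are the file names from the upload example.

```sh
#!/bin/sh
# Added example: validate mycert.pem / mykey.pem before uploading them as
# server.crt / server.key. Function names are hypothetical; requires openssl.

# Succeeds (exit 0) if the PEM private key is passphrase-protected.
# Matches PKCS#8 ("BEGIN ENCRYPTED PRIVATE KEY") and legacy PEM keys,
# which carry a "Proc-Type: 4,ENCRYPTED" header.
key_is_encrypted() {
    grep -Eq -e 'BEGIN ENCRYPTED PRIVATE KEY|^Proc-Type: 4,ENCRYPTED' "$1"
}

# check_pair CERT KEY
# Exit codes: 0 ok, 2 key encrypted, 3 bad certificate, 4 bad key, 5 mismatch.
check_pair() {
    if key_is_encrypted "$2"; then
        echo "FAIL: $2 is encrypted; the key must not be encrypted" >&2
        return 2
    fi
    # Extract the public key (SubjectPublicKeyInfo, PEM) from each file.
    # This works the same way for RSA and ECC keys.
    cp_cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || {
        echo "FAIL: $1 is not a readable PEM certificate" >&2
        return 3
    }
    cp_key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || {
        echo "FAIL: $2 is not a readable PEM private key" >&2
        return 4
    }
    if [ "$cp_cert_pub" != "$cp_key_pub" ]; then
        echo "FAIL: $2 is not the private key for $1" >&2
        return 5
    fi
    echo "OK: $1 and $2 match and the key is unencrypted"
}

# Run the check when called as: sh check_tls_pair.sh mycert.pem mykey.pem
if [ "$#" -eq 2 ]; then
    check_pair "$1" "$2"
fi
```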