Reloading SSL Certificates Without Restarting the Node

When the SSL certificate on a node is about to expire it must be replaced with a newer one. This can be done with the SSL_RELOAD SQL command, which replaces the SSL certificate without restarting the node, so the cluster keeps running uninterrupted while the certificate is reloaded.

SSL_RELOAD

This SQL command performs the action on the node where it is executed. It should be executed via a SQL client on all the aggregators when SSL is configured for secure client connections, and on all the cluster nodes when SSL is configured for intra-cluster communication.

It reads the values of ssl_key, ssl_cert, ssl_ca and ssl_capath from the config file and tries to initialize new SSL contexts. If successful, the new contexts are used; otherwise the existing SSL contexts remain as-is. This command requires the SUPER privilege and is node local.

When updating the key and certificate, SingleStore recommends giving the new files names that differ from the existing ones rather than overwriting the existing key and/or certificate files.

Existing connections are not affected by the reload.

If all SUPER users require SSL to connect and the server certificate expires, the only way to update the key and/or certificate is to restart the node, because executing SSL_RELOAD requires a client to connect. A connection that was established while the certificate was still valid continues to function.

Scenarios that require a node restart:

  • ssl_key and ssl_cert were not specified before reload and are specified on reload.

  • ssl_key and ssl_cert were specified before reload and are not specified on reload.

  • ssl_ca and ssl_capath were not specified before reload and are specified on reload.

  • ssl_ca and/or ssl_capath were specified before reload and none are specified on reload.

For information about reloads, refer to the variables ssl_last_reload_attempt_time and ssl_last_successful_reload_time.
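The following is an added example, not code from the SingleStore documentation or product: it encodes the four restart scenarios above as a pre-flight check, then runs SSL_RELOAD on a node and confirms the result from ssl_last_reload_attempt_time and ssl_last_successful_reload_time. It assumes any DB-API style cursor (execute/fetchall) for a MySQL-compatible connection, that an unset variable is reported as an empty string, and that a successful reload reports the same timestamp in both variables; the fake cursor is a constructed stand-in so the script runs offline.

```python
from typing import Optional

KEY_CERT = ("ssl_key", "ssl_cert")
TRUST = ("ssl_ca", "ssl_capath")


def _all_set(cfg: dict, names) -> bool:
    return all(cfg.get(n) for n in names)


def _any_set(cfg: dict, names) -> bool:
    return any(cfg.get(n) for n in names)


def restart_required(before: dict, after: dict) -> Optional[str]:
    """Return why a node restart is needed for this config change, or None when
    SSL_RELOAD is sufficient (mirrors the four documented scenarios)."""
    if not _all_set(before, KEY_CERT) and _all_set(after, KEY_CERT):
        return "ssl_key/ssl_cert were not specified before and are specified now"
    if _all_set(before, KEY_CERT) and not _all_set(after, KEY_CERT):
        return "ssl_key/ssl_cert were specified before and are not specified now"
    if not _any_set(before, TRUST) and _any_set(after, TRUST):
        return "ssl_ca/ssl_capath were not specified before and are specified now"
    if _any_set(before, TRUST) and not _any_set(after, TRUST):
        return "ssl_ca and/or ssl_capath were specified before and none are now"
    return None  # only file contents/paths changed: SSL_RELOAD is enough


def reload_succeeded(variables: dict) -> bool:
    """Judge the last SSL_RELOAD from the two reload-time variables.
    Assumption: a successful attempt reports identical timestamps in both."""
    attempt = variables.get("ssl_last_reload_attempt_time", "")
    success = variables.get("ssl_last_successful_reload_time", "")
    return bool(attempt) and attempt == success


def reload_and_verify(cursor) -> bool:
    """Run SSL_RELOAD on the node behind `cursor` (node-local, needs SUPER),
    then read back the reload-time variables to confirm new contexts loaded."""
    cursor.execute("SSL_RELOAD")
    cursor.execute("SHOW VARIABLES LIKE 'ssl_last_%'")
    return reload_succeeded(dict(cursor.fetchall()))


class FakeCursor:
    """Constructed stand-in for a real cursor so the example runs offline."""
    def __init__(self, rows):
        self.rows, self.executed = rows, []

    def execute(self, sql):
        self.executed.append(sql)

    def fetchall(self):
        return self.rows
```

Run restart_required against the old and new config before touching the files; if it returns None, rotate to newly named key/certificate files, update the config, and call reload_and_verify on every aggregator (or every node for intra-cluster SSL).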

Last modified: July 22, 2024
