Changed the storage location of the self-signed CA certificate and the certificate reissue mechanism.
The certificate is stored in the database. The previous method of reissuing internal certificates by deleting certificates from the Core file system and restarting the Core is no longer allowed. This method will cause the Core to fail to start. Until the certificate reissuing process is completed, new services may not be connected to the Core.
After reissuing the internal CA certificates in the Settings → Other → Reissue internal CA certificates section of the KUMA web interface, you must stop the services, delete the old certificates from service directories, and manually restart all services. Only users with the General Administrator role can reissue internal CA certificates.
The Reissue internal CA certificates option is available only to a user with the General Administrator role.
The process of reissuing certificates for an individual service remains the same: in the KUMA web interface, in the Active services section, select the service, in the context menu, select Reset certificate, and delete the old certificate in the service installation directory. KUMA automatically generates a new certificate. You do not need to restart running services, the new certificate is applied automatically. A stopped service must be restarted to have the certificate applied.
To reissue internal CA certificates:
As a result, the CA certificates for KUMA services and the CA certificate for ClickHouse are reissued. Next, you must stop the services, delete old certificates from the service installation directories, restart the Core, and restart the stopped services to apply the reissued certificates.
sudo systemctl stop kuma-<collector/correlator/eventRouter>-<
service ID
>.service
service type
>/<service ID
>/certificates" directories with the following command:sudo rm -f /opt/kaspersky/kuma/<
service type
>/<
service ID
>/certificates/internal.cert
sudo rm -f /opt/kaspersky/kuma/<
service type
>/<
service ID
>/certificates/internal.key
sudo systemctl stop kuma-<storage>-<
service ID
>.service
ID service
>/certificates" directories. sudo rm -f /opt/kaspersky/kuma/storage/<
service ID
>/certificates/internal.cert
sudo rm -f /opt/kaspersky/kuma/storage/<
service ID
>/certificates/internal.key
sudo rm -f /opt/kaspersky/kuma/clickhouse/certificates/internal.cert
sudo rm -f /opt/kaspersky/kuma/clickhouse/certificates/internal.key
sudo systemctl restart kuma-core-00000000-0000-0000-0000-000000000000.service
sudo k0s kubectl rollout restart deployment/core-deployment -n kuma
You do not need to restart victoria-metrics.
The Core must be restarted using the command because restarting the Core in the KUMA interface affects only the Core container and not the entire pod.
sudo systemctl start kuma-<collector/correlator/eventRouter/storage>-<
service ID
>.service
sudo systemctl start kuma-victoria-metrics.service
Internal CA certificates are reissued and applied.
Page top