RavenDB 4.0 replacing main server certificate

[Sander Rijken]

Is there a guide / documentation / step by step explaining how to replace the main server certificate? It's about the expire, so needs to be replaced.

Does this affect the client certs?

Thanks,

Sander

[Oren Eini (Ayende Rahien)]

Client certs aren't impacted by this. We explicitly honor them past the due date of the generating cert.

How was your certificate generated? 

The short time frame indicates a Let's Encrypt, and that should automatically update.

This isn't exposed in the UI yet, but POST  /admin/certificates/replace-cluster-cert will update the certificate on the server, distribute it across the cluster, and update it across all nodes in tandem.

You need to post a CertificateDefinition there: https://github.com/ravendb/ravendb/blob/v4.0/src/Raven.Client/ServerWide/Operations/Certificates/CertificateDefinition.cs

Hibernating Rhinos Ltd  

Oren Eini l CEO l Mobile: + 972-52-548-6969

Office: +972-4-622-7811 l Fax: +972-153-4-622-7811

 

--
You received this message because you are subscribed to the Google Groups "RavenDB - 2nd generation document database" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ravendb+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Sander Rijken]

Does this CLI command do the same thing?

https://ravendb.net/docs/article-page/4.0/csharp/server/administration/cli#replaceclustercert

To unsubscribe from this group and stop receiving emails from it, send an email to ravendb+u...@googlegroups.com.

[Oren Eini (Ayende Rahien)]

Yeah, totally forgot that it was there :-)

To unsubscribe from this group and stop receiving emails from it, send an email to ravendb+unsubscribe@googlegroups.com.

[Judah Gabriel Himango]

I just got an email from Let's Encrypt saying my server cert is going to expire in 20 days. Should I be concerned that Raven isn't updating the cert? See below for the message I received from Let's Encrypt

Hello,

Your certificate (or certificates) for the names listed below will expire in
20 days (on 09 May 18 21:02 +0000). Please make sure to renew
your certificate before then, or visitors to your website will encounter errors.

a.bitshuvadb.ravendb.community

For any questions or support, please visit https://community.letsencrypt.org/.
Unfortunately, we can't provide support by email.

[Oren Eini (Ayende Rahien)]

Hi,

When you go into your studio, do you see any warnings about the certificate renewal failing?

Most importantly, did you setup LE on _this_ server? We had a recent case where a customer setup using LE on one server, then brought just the cert to another, which obviously wouldn't work

To unsubscribe from this group and stop receiving emails from it, send an email to ravendb+unsubscribe@googlegroups.com.

[Judah Gabriel Himango]

In the Studio, I don't see any warnings about certificate renewal failing, no.

Let's Encrypt: The only thing I've done is with LE is, I went through the Raven setup process and told it to use LE. I did that on this server, yes.

This is a Windows Server virtual machine in Azure, if it matters. (You helped me set up this server with Raven+LE during the Raven workshop in San Francisco.)

-Judah

[Oren Eini (Ayende Rahien)]

What is the exact build here?

To unsubscribe from this group and stop receiving emails from it, send an email to ravendb+unsubscribe@googlegroups.com.

[Judah Gabriel Himango]

4.0.3-patch-40031

FYI, I can give you (or anyone on the team) remote access to the virtual machine to poke around if need be.

--
You received this message because you are subscribed to a topic in the Google Groups "RavenDB - 2nd generation document database" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/ravendb/e2rfzzT1qis/unsubscribe.
To unsubscribe from this group and all its topics, send an email to ravendb+unsubscribe@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

--

-Judah Gabriel Himango 

[Oren Eini (Ayende Rahien)]

Send it to support, Iftah can look at this tomorrow.