Product: Couchbase Server Component: ns-server Issue Link: MB-62219 Affects Versions: 7.1.x, 7.2.x, 7.6.x Fix Versions: 7.2.6, 7.6.4, 8.0.0
Summary
- After uploading a new root CA certificate to the cluster, it becomes impossible to remove an existing old root CA certificate if it was created with the same private key as the new one. This issue is documented in https://jira.issues.couchbase.com/browse/MB-62219.
Symptoms
- When attempting to remove the old certificate after deploying a new root CA certificate generated with the same private key, the operation fails. An attempt to remove the old certificate with UI or REST API results in the following error message:
The CA certificate is in use by the following nodes: <list of nodes>
Triggers
- This issue occurs in the affected versions of Couchbase Server due to the order in which root CA certificates are searched and attached. Couchbase Server always attaches the oldest root CA certificate to a node certificate when it is added. Consequently, it is impossible to update a root CA certificate if the private key used to create the new root CA certificate remains unchanged.
Verification
- After uploading a new root CA certificate, attempts to remove the old certificate will fail. The following error message will be received:
The CA certificate is in use by the following nodes: <list of nodes>
Workarounds
- Once the old root CA certificate has expired, reload node certificates using the same node certificate by sending a POST request to the /reloadCertificate REST API endpoint. Since the old root CA certificate will no longer be valid, the node certificate will then be associated with the new root CA certificate. This allows the removal of the old root CA certificate.
Comments
0 comments
Article is closed for comments.