Lifecycle of embedded database certificates
The certificates for embedded databases are valid for two years. These certificates are auto-generated when a Cloudera Data Hub cluster is created. Currently, there is no option for auto-renewal and there are no alerts shown in Cloudera Data Hub when the certificates are close to expiration.
In case a certificate expires, Cloudera Manager becomes unreachable and the state of the Cloudera Data Hub cluster becomes unhealthy. When the cluster becomes unhealthy due to the expired SSL certificate, the secret rotation described in Rotating Cloudera Data Hub secrets fails.
How to check the expiration date for the certificates:
To avoid the expiration of certificates for embedded databases, you can use the following command to review the date of expiry for the SSL certificates:
echo | openssl s_client -starttls postgres -showcerts -connect "$(hostname -f)":5432 | openssl x509 -noout -dates
You must rotate the embedded database certificate before the expiration date as described in Rotating Cloudera Data Hub secrets.
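Because Cloudera Data Hub shows no alert before expiry, the check above can be wrapped in a scheduled script that returns a monitoring-style exit code. This is an added example, not Cloudera tooling; the function names, the `--check` switch and the 60/14-day thresholds are assumptions, and it expects GNU `date`.

```shell
#!/usr/bin/env bash
# Added example: expiry check for the embedded database certificate.
# Assumptions: GNU date; the WARN_DAYS/CRIT_DAYS thresholds are illustrative.
WARN_DAYS="${WARN_DAYS:-60}"
CRIT_DAYS="${CRIT_DAYS:-14}"

# Same connection as the command on this page; -enddate prints only notAfter.
fetch_not_after() {
  echo | openssl s_client -starttls postgres -showcerts \
      -connect "$(hostname -f)":5432 2>/dev/null |
    openssl x509 -noout -enddate 2>/dev/null
}

# days_left "notAfter=Jan  1 00:00:00 2027 GMT" [now_epoch]
# Prints whole days until expiry, negative once the certificate has expired.
days_left() {
  local end_epoch now_epoch secs days
  end_epoch=$(date -u -d "${1#notAfter=}" +%s 2>/dev/null) || return 3
  now_epoch="${2:-$(date -u +%s)}"
  secs=$(( end_epoch - now_epoch ))
  days=$(( secs / 86400 ))
  # Shell division truncates toward zero; floor it so "expired" is negative.
  if [ "$secs" -lt 0 ] && [ $(( secs % 86400 )) -ne 0 ]; then
    days=$(( days - 1 ))
  fi
  echo "$days"
}

# check_status DAYS: prints a status line, returns 0 OK / 1 warning / 2 critical.
check_status() {
  if [ "$1" -lt 0 ]; then
    echo "CRITICAL: certificate expired $(( 0 - $1 )) day(s) ago"; return 2
  elif [ "$1" -le "$CRIT_DAYS" ]; then
    echo "CRITICAL: certificate expires in $1 day(s)"; return 2
  elif [ "$1" -le "$WARN_DAYS" ]; then
    echo "WARNING: certificate expires in $1 day(s)"; return 1
  fi
  echo "OK: certificate expires in $1 day(s)"
}

main() {
  local not_after days
  not_after=$(fetch_not_after) || true
  [ -n "$not_after" ] || { echo "UNKNOWN: no certificate read from port 5432"; return 3; }
  days=$(days_left "$not_after") || { echo "UNKNOWN: cannot parse $not_after"; return 3; }
  check_status "$days"
}

# Runs only when called with --check (for example from cron).
if [ "${1:-}" = "--check" ]; then main; exit $?; fi
```

Run it with `--check` on the host where the embedded database listens; exit code 3 means the certificate could not be read or parsed, which is also worth alerting on.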