Renew host certificates on Data Lake and Data Hub clusters

Host certificates are valid for one year; to keep the Data Lake and Data Hub clusters running, you must renew the certificates before they expire.

During cluster provisioning, Cloudera Manager creates an intermediate certificate (CMCA) signed by the FreeIPA CA. With Auto-TLS, the CMCA is used to issue a certificate for every host. Host certificates have a default validity period of one year. Once the certificates expire, the cluster stops functioning, so you must renew them before they expire.

During periodic cluster state synchronization, CDP uses the Cloudera Manager API to check that the HOST_AGENT_CERTIFICATE_EXPIRY apiHealthCheck alert is in a GOOD state. If the apiHealthCheck is not in a GOOD state, CDP displays a warning in the UI.

These UI warnings are displayed on the associated Environments, Data Lakes, or Data Hubs list and details pages.

You must have the Full Administration user role.
  1. On the Environments, Data Lakes, or Data Hubs list pages, click the three vertical dots next to the expiration message.
  2. Click Renew Host Certificates or Renew Data Lake Host Certificates.
  3. Click Yes when you are asked if you want to renew the certificates.
    Alternatively, from the "Details" page of a particular environment or the "Details" page for a Data Hub cluster, you can click the Renew Data Lake Host Certificates or Renew buttons in the warning message that appears at the top of the page.

    If you prefer to renew the certificates using the CLI, use the following commands:

    Data Lake certificate renewal:

    cdp datalake rotate-auto-tls-certificates --datalake-name <Data Lake name>

    Data Hub certificate renewal:

    cdp datahub rotate-auto-tls-certificates --datahub-name <Data Hub name>
  4. Restart the CM server: systemctl restart cloudera-scm-server.
  5. Restart services via the CM UI:
    1. From the Environments > [Select a cluster] > Data Lake > Services, follow the link to the CM-UI.
      The Cloudera Manager UI opens.
    2. From the Status tab, click the drop-down menu and select Restart.
    3. From Clusters > Cloudera Management Service, open the Actions menu and select Restart.
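To check a host certificate's remaining validity directly on a host, before renewal or to confirm that renewal took effect, the following added example (not Cloudera's code) classifies a PEM certificate with `openssl x509 -checkend`. The state labels, the 60-day and 7-day windows, and the function names are assumptions of this example, and the certificate path is supplied by you because this page does not give it.

```shell
#!/bin/sh
# Added example: classify a PEM certificate by the time left before notAfter.
# State labels and the 60/7-day windows are assumptions of this example,
# not Cloudera Manager's health-check thresholds.

DAY=86400

# Print the notAfter date of the first certificate in the file.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate 2>/dev/null | cut -d= -f2
}

# Usage: cert_expiry_state <cert.pem> [warn_days] [crit_days]
# Prints one state word; return code 0=GOOD 1=WARN/CRITICAL 2=EXPIRED 3=UNREADABLE.
cert_expiry_state() {
    cert=$1
    warn_days=${2:-60}
    crit_days=${3:-7}

    # Anything that does not parse as X.509 is reported, never treated as healthy.
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo UNREADABLE; return 3
    fi
    # -checkend N exits 0 only if the certificate is still valid N seconds from now.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo EXPIRED; return 2
    fi
    if ! openssl x509 -in "$cert" -noout -checkend $((crit_days * DAY)) >/dev/null 2>&1; then
        echo CRITICAL; return 1
    fi
    if ! openssl x509 -in "$cert" -noout -checkend $((warn_days * DAY)) >/dev/null 2>&1; then
        echo WARN; return 1
    fi
    echo GOOD
}

# Run as a script: ./check_cert.sh <path-to-host-certificate.pem>
if [ "$#" -gt 0 ]; then
    state=$(cert_expiry_state "$@") && rc=0 || rc=$?
    echo "$1: $state (notAfter: $(cert_not_after "$1"))"
    exit "$rc"
fi
```

If the file holds a certificate chain, only the first certificate in it is evaluated.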