Various services on the node require certificate authentication. As part of that process, the certificate includes the server's IP address, which must match the IP that the server will be connecting from. Whenever that IP changes, you must generate new certificates.

In this example, we will use the following:

<aside> 🚨 In most configurations, Consul is bound to the public IP. Your configuration may be different, so double-check the current configuration to find the correct IP before proceeding.

</aside>

Process Overview

Updating the node IP address involves the following steps:

  1. Generating new certificates using Vault
  2. Updating configuration files on the node for all related services
  3. Updating iptables rules on all servers in your environment
  4. Updating the configuration in ComputeStacks
  5. Testing the configuration

Before proceeding, make sure that connectivity works between all servers that will be required to communicate with each other, and that the relevant SSH keys exist (this should have already been taken care of by our installer).

Generate New Certificates

Unseal Vault

Before continuing, navigate back to the Ansible project that you used to create your cluster, and run the following command to unseal Vault on the controller.

	make vault-unseal

<aside> 💡 If you have multiple availability zones, and therefore multiple inventory files, just pick any of them. Vault runs on the controller, so all inventory files will work.

</aside>

Consul

	# Generate Consul certificates
	docker exec -it vault-bootstrap vault write pki/consul/issue/server \
	                                            common_name=node101 \
	                                            alt_names=localhost \
	                                            ip_sans="127.0.0.1,8.8.8.8,10.0.0.2" \
	                                            ttl=43800h
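
Because the certificate IP must match the IP the server connects from, it is worth confirming that the issued certificate's IP SANs include the node's new address before rolling it out. The following check is an added example, not part of the original guide; the function names `san_ips` and `check_ip_sans` are hypothetical, and the sample certificate text is constructed from the `ip_sans` values above.

```shell
#!/bin/sh
# Added example: confirm a certificate's IP SANs cover the node's addresses.
# Input on stdin is certificate text as printed by:
#   openssl x509 -in <certificate file> -noout -text
# Function names here are hypothetical, not part of ComputeStacks or Vault.

# Print each IP SAN found in the certificate text, one per line.
san_ips() {
    awk '/X509v3 Subject Alternative Name/ { getline; print; exit }' |
        tr ',' '\n' |
        sed -n 's/^[[:space:]]*IP Address:\([^[:space:]]*\)[[:space:]]*$/\1/p'
}

# Return 0 only if every IP passed as an argument appears as an exact IP SAN.
# Whole-line matching (-x) keeps 10.0.0.2 from being satisfied by 10.0.0.20.
check_ip_sans() {
    found=$(san_ips)
    missing=0
    for ip in "$@"; do
        if ! printf '%s\n' "$found" | grep -Fxq -- "$ip"; then
            echo "missing IP SAN: $ip" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Constructed sample: SAN section for a certificate issued with the
# ip_sans value shown in the vault command above.
SAMPLE_CERT_TEXT='        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:node101, DNS:localhost, IP Address:127.0.0.1, IP Address:8.8.8.8, IP Address:10.0.0.2'

# Check the loopback address and the node's private IP from the example.
if printf '%s\n' "$SAMPLE_CERT_TEXT" | check_ip_sans 127.0.0.1 10.0.0.2; then
    echo "certificate covers the listed IPs"
fi
```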