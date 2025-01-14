Database Cert Authority Rotation
Teleport connects to self-hosted databases using mutual TLS, or mTLS for short. To enable mTLS connections to your self-hosted database via Teleport, you have to configure your database and Teleport so that they can complete an mTLS handshake: essentially, they need to trust each other. To that end, your Teleport cluster manages its own internal database certificate authorities. This guide will explain how to rotate your Teleport cluster's database CAs.
Prerequisites
-
A running Teleport cluster version 15.4.30 or above. If you want to get started with Teleport, sign up for a free trial or set up a demo environment.
-
The
tctladmin tool and
tshclient tool.
On Teleport Enterprise, you must use the Enterprise version of
tctl, which you can download from your Teleport account workspace. Otherwise, visit Installation for instructions on downloading
tctland
tshfor Teleport Community Edition.
- To check that you can connect to your Teleport cluster, sign in with
tsh login, then verify that you can run
tctlcommands using your current credentials.
tctlis supported on macOS and Linux machines. For example:If you can connect to the cluster and run thetsh login --proxy=teleport.example.com --user=[email protected]tctl status
Cluster teleport.example.com
Version 15.4.30
CA pin sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678
tctl statuscommand, you can use your current credentials to run subsequent
tctlcommands from your workstation. If you host your own Teleport cluster, you can also run
tctlcommands on the computer that hosts the Teleport Auth Service for full permissions.
Database CA rotation
Teleport uses two certificate authorities for self-hosted database access:
- The
dbcertificate authority is used to issue server certificates to self-hosted databases.
- The
db_clientcertificate authority is used to issue an ephemeral client certificate to the Teleport Database Service when it connects to a self-hosted database.
Certificate authority rotation consists of several rotation phases. The rotation phases have different effects depending on which CA is rotated. This section will explain the differences and show you how to rotate your database CAs.
db CA Rotation phases
standby: All operations have completed or haven't started yet.
init: All Teleport cluster services are notified of the rotation. A new
dbcertificate authority is created in your cluster. Remote trusted clusters must fetch the new CA.
tctl auth signwill issue database server certs with the new CA.
update_clients: Ephemeral client certificates issued to the Teleport Proxy Service will be issued by the new CA.
update_servers: No effect during
dbCA rotation.
rollback: The rotation was aborted and is rolling back to the old certificate authority.
db_client CA Rotation phases
standby: All operations have completed or haven't started yet.
init: All Teleport cluster services are notified of the rotation. A new
db_clientcertificate authority is created in your cluster.
tctl auth signwill output both the old and new certificate authorities in its trusted CA output.
update_clients: Ephemeral client certificates issued to the Teleport Database Service will be issued by the new CA.
update_servers: No effect during
db_clientCA rotation.
rollback: The rotation was aborted and is rolling back to the old certificate authority.
Rotation types
There are two types of certificate authority rotation processes:
- Manual: it is the cluster administrator's responsibility to transition
between each phase of the rotation while monitoring database connectivity.
Manual rotations are performed by providing the
--manualflag and the desired phase using the
--phaseflag to the
tctl auth rotatecommand.
- Semi-automatic: Teleport automatically transitions between phases of the rotation after some amount of time (known as a grace period) elapses.
For both types of rotation, the cluster goes through the phases in the following order:
standby->
init->
update_clients->
update_servers->
standby
It does not make sense to use semi-automatic rotation when rotating the
db
or
db_client CA, because self-hosted databases are not automatically
reconfigured by the semi-automatic process.
Therefore this guide will only explain manual rotation.
In manual mode we transition between phases while monitoring database connectivity, and reconfigure databases with new CA certificates as needed.
You will need to reconfigure any given self-hosted database only once during the
rotation: it does not need to be done at each step.
You can reconfigure your databases during any phase, although it's best to do
so during the
init phase to avoid losing database access later in the rotation.
If you lose connectivity to your databases during any phase prior to
standby, you can roll back to the old certificate authority to
restore connectivity.
Step 1/4. Start the rotation
Initiate manual rotation of the
db or
db_client certificate authority:
Want to rotate both CAs?
You should not rotate the
db or
db_client CA in parallel with other CA
rotations.
Rotating in parallel with other CA types, especially the
host CA, is more
complicated, more likely to cause problems, and does not save you any effort.
However, if you want to rotate both the
db and
db_client CA, then you can
(and should) save yourself some effort by rotating both of them at the same
time.
You can rotate both
db and
db_client certificate authorities in parallel
by transitioning both CAs through each phase step.
Just use the
tctl auth rotate command for each step with
--type=db and
then
--type=db-client.
tctl auth rotate --manual --type=type --phase=initUpdated rotation phase to "init". To check status use 'tctl status'
Use
tctl to confirm that there is an active rotation in progress:
tctl status
If you are rotating the
db_client CA and you do not want to lose access to
your self-hosted databases in the next phase, you should reconfigure your
databases now.
You do not need to reconfigure databases at this point if you are rotating only
the
db CA, although there is no harm in doing so.
Consult the appropriate
Teleport Database Access Guide for your
databases before proceeding to the
update_clients rotation phase.
Step 2/4. Update clients
Execute the transition from
init to
update_clients:
tctl auth rotate --manual --type=type --phase=update_clients
Updated rotation phase to "update_clients". To check status use 'tctl status'
If you are rotating the
db_client CA, this is the phase where the Teleport
Database Service will start using client certificates issued by the new CA to
connect to databases.
You should verify that you can still access your databases after transitioning
to this phase.
If you lose connectivity to your databases, you can reconfigure your databases to restore access. If that does not restore access or you are unable to reconfigure a database, then roll back to the old certificate authority.
Step 3/4. Update servers
Execute the transition from
update_clients to
update_servers:
tctl auth rotate --manual --type=type --phase=update_servers
Updated rotation phase to "update_servers". To check status use 'tctl status'
This phase does not actually do anything for
db or
db_client CA rotation,
but it's required as part of the generalized Teleport CA rotation process before
we can finish the rotation.
Step 4/4. Finish the rotation
If any of your self-hosted databases have not yet been reconfigured, you will
lose access to those databases after transitioning to the
standby phase in
this final step.
To avoid down time, consult the appropriate Teleport Database Access Guide and reconfigure your databases before proceeding. Otherwise, access may still be restored by reconfiguring your self-hosted databases after this step.
Execute the transition from
update_servers to
standby:
tctl auth rotate --manual --type=type --phase=standby
Updated rotation phase to "standby". To check status use 'tctl status'
Rollback
Rollback can only be performed before the rotation is completed, meaning before
the rotation transitions to
standby from
update_servers.
The most common reason you would want to rollback if is if you cannot reconfigure your databases. If you have connectivity issues after reconfiguring a database, it's likely that you simply misconfigured the database. If you roll back the rotation, then you will have to manually revert any database reconfigurations and start from step 1 to reattempt rotating your certificate authorities, so consider this a method of last resort.
First, enter the rollback phase with a manual phase transition:
tctl auth rotate --manual --type=type --phase=rollback
Updated rotation phase to "rollback". To check status use 'tctl status'
If you reconfigured any of your databases during the rotation, you will need
to reconfigure them again before transitioning to
standby from the
rollback
phase.
Enter the standby phase manually:
tctl auth rotate --manual --type=type --phase=standby
Updated rotation phase to "standby". To check status use 'tctl status'
It is very unlikely that you will lose database connectivity during a
db CA
rotation and need to rollback.
However, when rotating your
db_client CA you will definitely lose access to
any database that was not reconfigured during the
init rotation phase.
If you are unable to reconfigure those databases, then rolling back should
restore access to them immediately.
Further reading
- How the Teleport Certificate Authority works.
- How Teleport Agents work.