Postgres Flex - SSH Certificate Renewals

Hey everyone,

Many users leveraging the PG Flex implementation have been encountering issues with the manual failover process and various internal repmgr commands. The reason for these issues is the expiration of the underlying SSH certificates required for these operations…

To see if your certificates have expired, you can run the following command within your Machine:

fly ssh console --app <pg-app-name>
ssh-keygen -L -f ~/.ssh/id_rsa-cert.pub

The output you’re looking for is the Valid line:

Valid: from 2024-05-29T15:18:03 to 2124-05-30T16:18:03

To help you address this issue, we have introduced a new fly pg renew-certs command that will renew these certificates for you.

$ fly pg renew-certs --help

Usage:
  fly postgres renew-certs [flags]

Flags:
  -a, --app string       Application name
  -c, --config string    Path to application configuration file
  -h, --help             help for renew-certs
      --valid-days int   The number of days the certificate should be valid for. (default 36525)

Once the certificates have been renewed, you will need to issue a new App deploy to apply the new certificates to your existing Machines. If you have never performed a deploy for your Postgres App, no problem, instructions will be provided after the certificate renewal command has been processed.

If you have any questions, just let me know!

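The expiry check described in the post can be scripted so it does not depend on reading the Valid line by eye. This is an added example, not part of the original post or of flyctl; `cert_status` is a hypothetical helper and the sample input is constructed around the Valid line quoted above.

```shell
#!/bin/sh
# Added example, not from the original post. cert_status is a hypothetical helper.
# Reads `ssh-keygen -L` output on stdin and classifies the "Valid:" line against
# NOW (format YYYY-MM-DDTHH:MM:SS, in the same local timezone ssh-keygen printed).
# ISO timestamps sort lexicographically, so plain string comparison is enough.
# Prints one of: valid | expired | not-yet-valid | forever | unparsed
cert_status() {
    awk -v now="$1" '
        $1 == "Valid:" && status == "" {
            from = ""; to = ""
            if ($2 == "forever")                 { status = "forever"; next }
            else if ($2 == "from" && $4 == "to") { from = $3; to = $5 }
            else if ($2 == "after")              { from = $3 }
            else if ($2 == "before")             { to = $3 }
            else next
            # Concatenating with "" forces a string (not numeric) comparison.
            if (from != "" && (now "") < (from ""))   status = "not-yet-valid"
            else if (to != "" && (now "") >= (to "")) status = "expired"
            else                                      status = "valid"
        }
        END { if (status == "") status = "unparsed"; print status }
    '
}

# Constructed sample: only the Valid line is taken from the post above.
SAMPLE='        Type: ssh-rsa-cert-v01@openssh.com user certificate
        Valid: from 2024-05-29T15:18:03 to 2124-05-30T16:18:03'

printf '%s\n' "$SAMPLE" | cert_status "$(date +%Y-%m-%dT%H:%M:%S)"

# Inside the Machine, the live check would be:
#   ssh-keygen -L -f ~/.ssh/id_rsa-cert.pub | cert_status "$(date +%Y-%m-%dT%H:%M:%S)"
```

An `unparsed` result means no Valid line was found, which is worth treating as a failure in monitoring rather than as a healthy certificate.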