Set up SSL/TLS encryption, authentication, and advanced security policies for CockroachDB 24.3 in production environments with certificate management and cluster monitoring.
Prerequisites
- Root or sudo access to the server
- At least 4GB of RAM and 20GB of disk space
- Network connectivity between cluster nodes
- Basic understanding of SSL/TLS certificates
What this solves
CockroachDB requires SSL/TLS encryption and proper authentication to secure distributed database clusters in production. This tutorial configures end-to-end encryption, certificate-based authentication, user management, and security monitoring for CockroachDB 24.3 clusters.
Step-by-step installation and configuration
Install CockroachDB 24.3 with security prerequisites
Download and install the CockroachDB 24.3 binary together with the CA bundle and OpenSSL tools used in later steps.

```bash
curl -L https://binaries.cockroachdb.com/cockroach-v24.3.0.linux-amd64.tgz | tar -xz
sudo cp -i cockroach-v24.3.0.linux-amd64/cockroach /usr/local/bin/
sudo chmod +x /usr/local/bin/cockroach
sudo apt update && sudo apt install -y ca-certificates openssl
```
Create CockroachDB system user and directories
Set up a dedicated service user and a directory structure for CockroachDB with restrictive permissions (the certificate directory is readable by the service user only).

```bash
sudo useradd --system --shell /bin/bash --home /var/lib/cockroach --create-home cockroach
sudo mkdir -p /var/lib/cockroach/{certs,data,logs}
sudo chown -R cockroach:cockroach /var/lib/cockroach
sudo chmod 700 /var/lib/cockroach/certs
sudo chmod 755 /var/lib/cockroach/data
sudo chmod 755 /var/lib/cockroach/logs
```
Generate Certificate Authority (CA) certificate
Create a Certificate Authority for signing node and client certificates. The CA key (ca.key) must never leave this directory; only ca.crt is copied to other nodes and clients.

```bash
sudo -u cockroach cockroach cert create-ca \
    --certs-dir=/var/lib/cockroach/certs \
    --ca-key=/var/lib/cockroach/certs/ca.key \
    --key-size=4096 \
    --lifetime=8760h
```
Create node certificates for cluster nodes
Generate the node certificate. Its subject alternative names must cover every hostname and IP address that any node listens on, advertises, or is joined through; a name missing here shows up later as a certificate verification failure. Run this on each node, or copy the resulting node.crt and node.key (together with ca.crt) to the other nodes.

```bash
sudo -u cockroach cockroach cert create-node \
    localhost \
    $(hostname -f) \
    $(hostname -i) \
    127.0.0.1 \
    203.0.113.10 \
    203.0.113.11 \
    203.0.113.12 \
    cockroach-1.example.com \
    cockroach-2.example.com \
    cockroach-3.example.com \
    --certs-dir=/var/lib/cockroach/certs \
    --ca-key=/var/lib/cockroach/certs/ca.key \
    --key-size=4096 \
    --lifetime=8760h
```
Create root client certificate
Generate the client certificate for the root administrative user and lock down its key file.

```bash
sudo -u cockroach cockroach cert create-client \
    root \
    --certs-dir=/var/lib/cockroach/certs \
    --ca-key=/var/lib/cockroach/certs/ca.key \
    --key-size=4096 \
    --lifetime=8760h
sudo chmod 600 /var/lib/cockroach/certs/client.root.key
sudo chmod 644 /var/lib/cockroach/certs/client.root.crt
```
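All certificates above are issued with --lifetime=8760h, and the most common failures later on are wrong file modes and hostnames missing from the node certificate. The following audit function is an added example (not part of the original tutorial and not CockroachDB tooling) that checks a certs directory laid out as in these steps: directory and key modes, ownership, chain to ca.crt, remaining validity, and that node.crt's SANs cover every host passed in. It assumes GNU coreutils stat and the openssl CLI are installed on the node.

```shell
#!/usr/bin/env bash
# Audit a CockroachDB certs directory laid out as in this tutorial.
# Added example (not CockroachDB's own tooling); assumes GNU stat and OpenSSL.
# Usage: check_certs_dir DIR MIN_DAYS OWNER HOST_OR_IP...
# Prints every problem found and returns 0 only when all checks pass.
check_certs_dir() {
  local dir="$1" min_days="$2" owner="$3"
  shift 3
  local rc=0 mode f cert sans h

  # 1. The directory itself must be 0700 and owned by the service user
  mode=$(stat -c '%a' "$dir")
  [ "$mode" = 700 ] || { echo "BAD: $dir mode $mode (want 700)"; rc=1; }
  [ "$(stat -c '%U' "$dir")" = "$owner" ] || { echo "BAD: $dir not owned by $owner"; rc=1; }

  # 2. Private keys (ca.key, node.key, client.*.key) must be 0600
  for f in "$dir"/*.key; do
    [ -e "$f" ] || continue
    mode=$(stat -c '%a' "$f")
    [ "$mode" = 600 ] || { echo "BAD: $f mode $mode (want 600)"; rc=1; }
  done

  # 3. node.crt and every client cert must chain to ca.crt and must not
  #    expire within MIN_DAYS (the tutorial issues them with --lifetime=8760h)
  for cert in "$dir"/node.crt "$dir"/client.*.crt; do
    [ -e "$cert" ] || continue
    openssl verify -CAfile "$dir/ca.crt" "$cert" >/dev/null 2>&1 \
      || { echo "BAD: $cert does not verify against ca.crt"; rc=1; }
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null \
      || { echo "BAD: $cert expires within $min_days days"; rc=1; }
  done

  # 4. node.crt SANs must cover every address the cluster listens on or joins through
  if [ -e "$dir/node.crt" ]; then
    sans=$(openssl x509 -in "$dir/node.crt" -noout -text \
           | grep -A1 'Subject Alternative Name' | tail -n 1)
    sans="${sans},"   # entries look like 'DNS:x, IP Address:y'; the comma makes matches exact
    for h in "$@"; do
      case "$sans" in
        *"DNS:$h,"*|*"IP Address:$h,"*) ;;
        *) echo "BAD: node.crt has no SAN for $h"; rc=1 ;;
      esac
    done
  fi
  return "$rc"
}

# Example invocation against the tutorial's layout (exit status is the audit result):
# check_certs_dir /var/lib/cockroach/certs 30 cockroach localhost 127.0.0.1 cockroach-1.example.com
```

Run it from cron or the monitoring host with MIN_DAYS set to your renewal lead time so an expiring node certificate is caught before connections start failing.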
Configure CockroachDB systemd service
Create the service file at /etc/systemd/system/cockroach.service (the unit name the systemctl commands below use) with security hardening and the SSL certificate directory. Two details matter for a working unit: Type=notify requires cockroach to stay in the foreground, so the start command must not include --background, and the cache sizes are written as fractions because a bare % in a unit file is parsed as a systemd specifier.

```bash
sudo tee /etc/systemd/system/cockroach.service > /dev/null << 'EOF'
[Unit]
Description=CockroachDB distributed SQL database
Requires=network.target
After=network.target

[Service]
Type=notify
User=cockroach
Group=cockroach
ExecStart=/usr/local/bin/cockroach start \
    --certs-dir=/var/lib/cockroach/certs \
    --store=/var/lib/cockroach/data \
    --log-dir=/var/lib/cockroach/logs \
    --listen-addr=0.0.0.0:26257 \
    --http-addr=0.0.0.0:8080 \
    --join=203.0.113.10:26257,203.0.113.11:26257,203.0.113.12:26257 \
    --cache=.25 \
    --max-sql-memory=.25
TimeoutStopSec=60
Restart=always
RestartSec=10
StandardOutput=journal
StandardError=journal
SyslogIdentifier=cockroach
# Security hardening
NoNewPrivileges=yes
PrivateTmp=yes
ProtectHome=yes
ProtectSystem=strict
ReadWritePaths=/var/lib/cockroach
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM

[Install]
WantedBy=multi-user.target
EOF
```
Configure firewall rules for CockroachDB
Open the SQL/RPC port and the web UI port only to the cluster subnet; neither should be reachable from the public internet.

```bash
sudo ufw allow from 203.0.113.0/24 to any port 26257 proto tcp comment 'CockroachDB cluster'
sudo ufw allow from 203.0.113.0/24 to any port 8080 proto tcp comment 'CockroachDB web UI'
sudo ufw reload
```
Start CockroachDB service and initialize cluster
Enable the service and initialize the secure cluster. Because the unit uses Type=notify, cockroach only reports itself ready once the cluster has been initialized, so start the service without blocking and then run init on one node.

```bash
sudo systemctl daemon-reload
sudo systemctl enable cockroach
sudo systemctl start --no-block cockroach
# Initialize cluster (run on first node only)
sudo -u cockroach cockroach init \
    --certs-dir=/var/lib/cockroach/certs \
    --host=localhost:26257
```
Create application database users with certificates
Set up dedicated application users with certificate-based authentication. The SQL user name must match the name given to cert create-client, since that name becomes the certificate's common name.

```bash
# Create application user certificate
sudo -u cockroach cockroach cert create-client \
    app_user \
    --certs-dir=/var/lib/cockroach/certs \
    --ca-key=/var/lib/cockroach/certs/ca.key \
    --key-size=4096 \
    --lifetime=8760h
# Connect as root and create users
sudo -u cockroach cockroach sql \
    --certs-dir=/var/lib/cockroach/certs \
    --host=localhost:26257 \
    --execute="CREATE USER IF NOT EXISTS app_user;"
# Create read-only user
sudo -u cockroach cockroach cert create-client \
    readonly_user \
    --certs-dir=/var/lib/cockroach/certs \
    --ca-key=/var/lib/cockroach/certs/ca.key \
    --key-size=4096 \
    --lifetime=8760h
sudo -u cockroach cockroach sql \
    --certs-dir=/var/lib/cockroach/certs \
    --host=localhost:26257 \
    --execute="CREATE USER IF NOT EXISTS readonly_user;"
```
Configure role-based access control (RBAC)
Set up roles with the minimum privileges each kind of user needs, then grant the roles to the users rather than granting privileges to users directly.

```bash
sudo -u cockroach cockroach sql \
    --certs-dir=/var/lib/cockroach/certs \
    --host=localhost:26257 \
    --execute="
CREATE ROLE IF NOT EXISTS app_role;
CREATE ROLE IF NOT EXISTS readonly_role;
-- Grant permissions to roles
GRANT CREATE, SELECT, INSERT, UPDATE, DELETE ON DATABASE defaultdb TO app_role;
GRANT SELECT ON DATABASE defaultdb TO readonly_role;
-- Assign roles to users
GRANT app_role TO app_user;
GRANT readonly_role TO readonly_user;
-- Create application database
CREATE DATABASE IF NOT EXISTS myapp;
GRANT ALL ON DATABASE myapp TO app_role;
GRANT SELECT ON DATABASE myapp TO readonly_role;
-- Log session and connection events and cap connection lifetime
SET CLUSTER SETTING server.auth_log.sql_sessions.enabled = true;
SET CLUSTER SETTING server.auth_log.sql_connections.enabled = true;
SET CLUSTER SETTING sql.conn.max_lifetime = '1h';
"
```
Configure cluster security settings
Enable cluster-wide security settings: audit logging, connection limits, password hashing, and the host-based authentication rule. The cert-password method lets a client authenticate with either its certificate or a password.

```bash
sudo -u cockroach cockroach sql \
    --certs-dir=/var/lib/cockroach/certs \
    --host=localhost:26257 \
    --execute="
-- Enable audit logging
SET CLUSTER SETTING sql.log.admin_audit.enabled = true;
SET CLUSTER SETTING sql.log.user_audit.enabled = true;
-- Set connection limits (this lifetime supersedes the 1h value set in the RBAC step)
SET CLUSTER SETTING server.max_connections_per_gateway = 1000;
SET CLUSTER SETTING sql.conn.max_lifetime = '2h';
-- Organization name and license key (empty placeholder; supply your own key if you have one)
SET CLUSTER SETTING cluster.organization = 'Example Organization';
SET CLUSTER SETTING enterprise.license = '';
-- Configure backup settings
SET CLUSTER SETTING backup.table_statistics.enabled = true;
-- Set secure defaults: SCRAM hashing for stored passwords, certificate or password for clients
SET CLUSTER SETTING server.user_login.password_encryption = 'scram-sha-256';
SET CLUSTER SETTING server.host_based_authentication.configuration = 'host all all all cert-password';
"
```
Configure web UI access with SSL
Create a password-authenticated admin user for the web UI (the UI logs in with a password, not a client certificate) and shorten the UI session lifetime.

```bash
# Create web UI admin user with password (replace the example password before running)
sudo -u cockroach cockroach sql \
    --certs-dir=/var/lib/cockroach/certs \
    --host=localhost:26257 \
    --execute="CREATE USER admin_user WITH PASSWORD 'StrongPassword123!';"
sudo -u cockroach cockroach sql \
    --certs-dir=/var/lib/cockroach/certs \
    --host=localhost:26257 \
    --execute="GRANT admin TO admin_user;"
# Set web UI session timeout
sudo -u cockroach cockroach sql \
    --certs-dir=/var/lib/cockroach/certs \
    --host=localhost:26257 \
    --execute="SET CLUSTER SETTING server.web_session_timeout = '1h';"
```
Configure log rotation and monitoring
Set up retention for the audit log files and the systemd journal. CockroachDB rotates its own log files by size, so logrotate is used here only to compress and prune them; the cockroach unit defines no ExecReload, so the rotation must not call systemctl reload.

```bash
sudo tee /etc/logrotate.d/cockroach > /dev/null << 'EOF'
/var/lib/cockroach/logs/*.log {
    daily
    rotate 30
    compress
    delaycompress
    missingok
    notifempty
    # cockroach keeps its files open; copy and truncate instead of reloading the service
    copytruncate
}
EOF
# Test log rotation
sudo logrotate -f /etc/logrotate.d/cockroach
# Configure systemd journal retention (MaxFileSec takes a time span; the size limit is SystemMaxFileSize)
sudo mkdir -p /etc/systemd/journald.conf.d
printf '[Journal]\nMaxRetentionSec=30day\nSystemMaxFileSize=100M\n' | sudo tee /etc/systemd/journald.conf.d/cockroach.conf
sudo systemctl restart systemd-journald
```
Set up backup encryption and automation
Configure encrypted backups with restrictive permissions and automated scheduling. The backup is written with BACKUP into the node's local external-IO directory (nodelocal://self, which resolves to the extern subdirectory of the node's first store); the deprecated cockroach dump command is not available in 24.3. The archive is then encrypted with a dedicated GPG key and the plaintext copy removed.

```bash
sudo mkdir -p /var/backups/cockroach
sudo chown cockroach:cockroach /var/backups/cockroach
sudo chmod 700 /var/backups/cockroach
# Create backup script with encryption
sudo tee /usr/local/bin/cockroach-backup.sh > /dev/null << 'EOF'
#!/bin/bash
set -euo pipefail
BACKUP_DIR="/var/backups/cockroach"
CERTS_DIR="/var/lib/cockroach/certs"
# nodelocal://self writes under <first store>/extern on the node the SQL client connects to
EXTERN_DIR="/var/lib/cockroach/data/extern"
DATE=$(date +%Y%m%d_%H%M%S)
BACKUP_NAME="backup_${DATE}"
BACKUP_FILE="${BACKUP_DIR}/${BACKUP_NAME}.tar"
ENCRYPTED_FILE="${BACKUP_FILE}.gpg"
# Generate GPG key for backups if it does not exist yet.
# The key has no passphrase, so protect the cockroach user's keyring as carefully as the backups.
if ! sudo -u cockroach gpg --list-secret-keys | grep -q "cockroach-backup"; then
sudo -u cockroach gpg --batch --full-generate-key << GPG_EOF
Key-Type: RSA
Key-Length: 4096
Subkey-Type: RSA
Subkey-Length: 4096
Name-Real: CockroachDB Backup
Name-Email: cockroach-backup@example.com
Expire-Date: 0
%no-protection
%commit
GPG_EOF
fi
# Create backup into local external storage
sudo -u cockroach cockroach sql \
    --certs-dir="$CERTS_DIR" \
    --host=localhost:26257 \
    --execute="BACKUP DATABASE defaultdb INTO 'nodelocal://self/${BACKUP_NAME}';"
# Pack the backup directory into one archive and remove it from the store
sudo -u cockroach tar -C "$EXTERN_DIR" -cf "$BACKUP_FILE" "$BACKUP_NAME"
sudo -u cockroach rm -rf "${EXTERN_DIR:?}/${BACKUP_NAME}"
# Encrypt backup
sudo -u cockroach gpg --trust-model always --encrypt \
    --recipient "cockroach-backup@example.com" \
    --output "$ENCRYPTED_FILE" \
    "$BACKUP_FILE"
# Remove unencrypted backup
rm "$BACKUP_FILE"
# Clean old backups (keep 30 days)
find "$BACKUP_DIR" -name "backup_*.tar.gpg" -mtime +30 -delete
echo "Backup completed: $ENCRYPTED_FILE"
EOF
sudo chmod +x /usr/local/bin/cockroach-backup.sh
sudo chown cockroach:cockroach /usr/local/bin/cockroach-backup.sh
```
Create systemd timer for automated backups
Schedule the backup daily with a systemd service and timer pair. The service runs as root because the script switches to the cockroach user itself; output goes to the journal.

```bash
sudo tee /etc/systemd/system/cockroach-backup.service > /dev/null << 'EOF'
[Unit]
Description=CockroachDB Backup Service
Wants=network-online.target
After=network-online.target cockroach.service

[Service]
Type=oneshot
User=root
ExecStart=/usr/local/bin/cockroach-backup.sh
StandardOutput=journal
StandardError=journal
EOF

sudo tee /etc/systemd/system/cockroach-backup.timer > /dev/null << 'EOF'
[Unit]
Description=Run CockroachDB backup daily
Requires=cockroach-backup.service

[Timer]
OnCalendar=daily
RandomizedDelaySec=1h
Persistent=true

[Install]
WantedBy=timers.target
EOF

sudo systemctl daemon-reload
sudo systemctl enable cockroach-backup.timer
sudo systemctl start cockroach-backup.timer
sudo systemctl status cockroach-backup.timer
```
Verify your setup
Test SSL connections, certificate authentication, and the security configuration. The curl check verifies the server certificate against the cluster CA instead of disabling verification with -k, which is the same check a browser or monitoring agent should perform.

```bash
# Check cluster status
sudo -u cockroach cockroach node status \
    --certs-dir=/var/lib/cockroach/certs \
    --host=localhost:26257
# Test SSL connection
echo "SELECT version();" | sudo -u cockroach cockroach sql \
    --certs-dir=/var/lib/cockroach/certs \
    --host=localhost:26257
# Verify certificate-based authentication (uses client.app_user.crt from the certs directory)
echo "SELECT current_user();" | sudo -u cockroach cockroach sql \
    --certs-dir=/var/lib/cockroach/certs \
    --user=app_user \
    --host=localhost:26257
# Check audit logging (the SENSITIVE_ACCESS and SESSIONS channels go to their own files by default)
sudo tail -F /var/lib/cockroach/logs/cockroach-sql-audit.log /var/lib/cockroach/logs/cockroach-sql-auth.log
# Test web UI access, verifying the server certificate against the cluster CA
curl --cacert /var/lib/cockroach/certs/ca.crt \
    --cert /var/lib/cockroach/certs/client.root.crt \
    --key /var/lib/cockroach/certs/client.root.key \
    https://localhost:8080/
# Verify backup timer
sudo systemctl list-timers cockroach-backup.timer
```
Configure cluster monitoring
For production environments, integrate with monitoring systems to track security events and cluster health. The Prometheus metrics endpoint is served on the HTTPS port at /_status/vars without any cluster setting.

```bash
# Scrape the Prometheus metrics endpoint (requires Prometheus or another scraper in production)
curl --cacert /var/lib/cockroach/certs/ca.crt \
    --cert /var/lib/cockroach/certs/client.root.crt \
    --key /var/lib/cockroach/certs/client.root.key \
    https://localhost:8080/_status/vars
# Check security-relevant events in the journal
sudo journalctl -u cockroach -f | grep -E '(authentication|authorization|audit)'
```
Consider integrating with CockroachDB backup and disaster recovery automation for comprehensive data protection.
Common issues
| Symptom | Cause | Fix |
|---|---|---|
| Connection refused on port 26257 | Firewall blocking cluster communication | Configure firewall rules for cluster subnet: sudo ufw allow from cluster_subnet to any port 26257 |
| Certificate verification failed | Hostname mismatch in node certificate | Recreate node certificate with correct hostnames and IP addresses |
| Permission denied accessing certificate files | Incorrect file ownership or permissions | sudo chown cockroach:cockroach /var/lib/cockroach/certs/ and sudo chmod 600 /var/lib/cockroach/certs/\*.key |
| Web UI shows certificate error | Browser doesn't trust self-signed CA | Import CA certificate to browser or use --insecure flag for testing only |
| Backup service fails | Missing GPG key or incorrect permissions | Check backup script permissions: sudo systemctl status cockroach-backup.service |
| High memory usage | Default cache settings too aggressive | Adjust --cache and --max-sql-memory in systemd service file |
Next steps
- Optimize CockroachDB 24.3 performance with advanced tuning and configuration
- Configure CockroachDB 24.3 multi-region deployment with high availability clustering
- Set up Prometheus monitoring for CockroachDB cluster metrics and alerting
- Configure connection pooling for CockroachDB with PgBouncer and HAProxy
Automated install script
Run this to automate the entire setup. It performs the same steps as above for a unit named cockroachdb; the SQL port is opened only to the cluster IPs you pass in, and cluster initialization is left as a manual step.

```bash
#!/usr/bin/env bash
set -euo pipefail
# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color
# Configuration
COCKROACH_VERSION="24.3.0"
COCKROACH_USER="cockroach"
COCKROACH_HOME="/var/lib/cockroach"
CLUSTER_IPS="${CLUSTER_IPS:-}"
NODE_HOSTNAMES="${NODE_HOSTNAMES:-}"
# Usage function
usage() {
  echo "Usage: $0 [OPTIONS]"
  echo "Options:"
  echo "  --cluster-ips=IP1,IP2,IP3   Comma-separated cluster IPs"
  echo "  --hostnames=HOST1,HOST2     Comma-separated hostnames"
  echo "  --help                      Show this help message"
  echo ""
  echo "Example:"
  echo "  $0 --cluster-ips=203.0.113.10,203.0.113.11,203.0.113.12 --hostnames=cockroach-1.example.com,cockroach-2.example.com,cockroach-3.example.com"
}
# Parse arguments
while [[ $# -gt 0 ]]; do
  case $1 in
    --cluster-ips=*)
      CLUSTER_IPS="${1#*=}"
      shift
      ;;
    --hostnames=*)
      NODE_HOSTNAMES="${1#*=}"
      shift
      ;;
    --help)
      usage
      exit 0
      ;;
    *)
      echo -e "${RED}Error: Unknown option $1${NC}"
      usage
      exit 1
      ;;
  esac
done
# Cleanup function: undo a partial install when any step fails
cleanup() {
  echo -e "${RED}Error occurred. Cleaning up...${NC}"
  systemctl stop cockroachdb 2>/dev/null || true
  systemctl disable cockroachdb 2>/dev/null || true
  rm -f /etc/systemd/system/cockroachdb.service
  userdel -r "$COCKROACH_USER" 2>/dev/null || true
  rm -f /usr/local/bin/cockroach
}
trap cleanup ERR
echo_info() {
  echo -e "${GREEN}$1${NC}"
}
echo_warn() {
  echo -e "${YELLOW}$1${NC}"
}
echo_error() {
  echo -e "${RED}$1${NC}"
}
# Check prerequisites
if [[ $EUID -ne 0 ]]; then
  echo_error "This script must be run as root"
  exit 1
fi
# Detect OS distribution
if [ -f /etc/os-release ]; then
  . /etc/os-release
  case "$ID" in
    ubuntu|debian)
      PKG_MGR="apt"
      PKG_UPDATE="apt update"
      PKG_INSTALL="apt install -y"
      FIREWALL_CMD="ufw"
      ;;
    almalinux|rocky|centos|rhel|ol|fedora)
      PKG_MGR="dnf"
      PKG_UPDATE="dnf update -y"
      PKG_INSTALL="dnf install -y"
      FIREWALL_CMD="firewall-cmd"
      ;;
    amzn)
      PKG_MGR="yum"
      PKG_UPDATE="yum update -y"
      PKG_INSTALL="yum install -y"
      FIREWALL_CMD="firewall-cmd"
      ;;
    *)
      echo_error "Unsupported distribution: $ID"
      exit 1
      ;;
  esac
else
  echo_error "Cannot detect OS distribution"
  exit 1
fi
echo_info "[1/9] Installing CockroachDB 24.3 with security prerequisites..."
# Update package manager
$PKG_UPDATE
# Install required packages
$PKG_INSTALL ca-certificates openssl curl tar
# Download and install CockroachDB
cd /tmp
curl -L "https://binaries.cockroachdb.com/cockroach-v${COCKROACH_VERSION}.linux-amd64.tgz" | tar -xz
cp "cockroach-v${COCKROACH_VERSION}.linux-amd64/cockroach" /usr/local/bin/
chmod 755 /usr/local/bin/cockroach
rm -rf "cockroach-v${COCKROACH_VERSION}.linux-amd64"
echo_info "[2/9] Creating CockroachDB system user and directories..."
# Create system user
useradd --system --shell /bin/bash --home "$COCKROACH_HOME" --create-home "$COCKROACH_USER" || true
# Create directory structure
mkdir -p "${COCKROACH_HOME}"/{certs,data,logs}
chown -R "${COCKROACH_USER}:${COCKROACH_USER}" "$COCKROACH_HOME"
chmod 700 "${COCKROACH_HOME}/certs"
chmod 755 "${COCKROACH_HOME}/data"
chmod 755 "${COCKROACH_HOME}/logs"
echo_info "[3/9] Generating Certificate Authority (CA) certificate..."
# Create CA certificate
sudo -u "$COCKROACH_USER" cockroach cert create-ca \
  --certs-dir="${COCKROACH_HOME}/certs" \
  --ca-key="${COCKROACH_HOME}/certs/ca.key" \
  --key-size=4096 \
  --lifetime=8760h
echo_info "[4/9] Creating node certificates for cluster nodes..."
# Build the list of hostnames and IPs the node certificate must cover
CERT_HOSTS=(localhost "$(hostname -f)" 127.0.0.1)
for ip in $(hostname -i); do
  CERT_HOSTS+=("$ip")
done
# Add cluster IPs if provided
if [[ -n "$CLUSTER_IPS" ]]; then
  IFS=',' read -ra IPS <<< "$CLUSTER_IPS"
  CERT_HOSTS+=("${IPS[@]}")
fi
# Add hostnames if provided
if [[ -n "$NODE_HOSTNAMES" ]]; then
  IFS=',' read -ra HOSTS <<< "$NODE_HOSTNAMES"
  CERT_HOSTS+=("${HOSTS[@]}")
fi
# Create the node certificate (an array avoids eval and word-splitting surprises)
sudo -u "$COCKROACH_USER" cockroach cert create-node "${CERT_HOSTS[@]}" \
  --certs-dir="${COCKROACH_HOME}/certs" \
  --ca-key="${COCKROACH_HOME}/certs/ca.key" \
  --key-size=4096 \
  --lifetime=8760h
echo_info "[5/9] Creating root client certificate..."
# Create root client certificate
sudo -u "$COCKROACH_USER" cockroach cert create-client \
  root \
  --certs-dir="${COCKROACH_HOME}/certs" \
  --ca-key="${COCKROACH_HOME}/certs/ca.key" \
  --key-size=4096 \
  --lifetime=8760h
# Set proper permissions
chmod 600 "${COCKROACH_HOME}/certs/client.root.key"
chmod 644 "${COCKROACH_HOME}/certs/client.root.crt"
echo_info "[6/9] Configuring CockroachDB systemd service..."
# Build the --join option (empty for a single-node install without cluster IPs)
JOIN_STRING=""
JOIN_OPT=""
if [[ -n "$CLUSTER_IPS" ]]; then
  IFS=',' read -ra IPS <<< "$CLUSTER_IPS"
  for ip in "${IPS[@]}"; do
    JOIN_STRING="${JOIN_STRING:+$JOIN_STRING,}$ip:26257"
  done
  JOIN_OPT="--join=$JOIN_STRING"
fi
# Create systemd service file. Type=notify needs cockroach in the foreground (no --background),
# and cache sizes are fractions because a bare % in a unit file is a systemd specifier.
cat > /etc/systemd/system/cockroachdb.service << EOF
[Unit]
Description=CockroachDB distributed SQL database
Requires=network.target
After=network.target

[Service]
Type=notify
User=$COCKROACH_USER
Group=$COCKROACH_USER
ExecStart=/usr/local/bin/cockroach start \\
  --certs-dir=$COCKROACH_HOME/certs \\
  --store=$COCKROACH_HOME/data \\
  --log-dir=$COCKROACH_HOME/logs \\
  --listen-addr=0.0.0.0:26257 \\
  --http-addr=0.0.0.0:8080 \\
  --cache=.25 \\
  --max-sql-memory=.25 ${JOIN_OPT}
TimeoutStopSec=60
Restart=always
RestartSec=10
StandardOutput=journal
StandardError=journal
SyslogIdentifier=cockroach
# Security hardening
NoNewPrivileges=yes
PrivateTmp=yes
ProtectHome=yes
ProtectSystem=strict
ReadWritePaths=$COCKROACH_HOME
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM

[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable cockroachdb
echo_info "[7/9] Configuring firewall rules..."
# Port 26257 is opened only to the cluster IPs that were given; the web UI port is opened
# to all interfaces here, so restrict it to your admin network in production.
if [[ "$FIREWALL_CMD" == "ufw" ]]; then
  # Ubuntu/Debian: allow SSH before enabling ufw so the current session is not cut off
  ufw allow 22/tcp comment 'SSH'
  ufw --force enable
  if [[ -n "$CLUSTER_IPS" ]]; then
    IFS=',' read -ra IPS <<< "$CLUSTER_IPS"
    for ip in "${IPS[@]}"; do
      ufw allow from "$ip" to any port 26257 proto tcp comment 'CockroachDB cluster'
    done
  fi
  ufw allow 8080/tcp comment 'CockroachDB web UI'
elif [[ "$FIREWALL_CMD" == "firewall-cmd" ]]; then
  # RHEL-based firewall configuration
  systemctl enable firewalld
  systemctl start firewalld
  if [[ -n "$CLUSTER_IPS" ]]; then
    IFS=',' read -ra IPS <<< "$CLUSTER_IPS"
    for ip in "${IPS[@]}"; do
      firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='$ip' port protocol='tcp' port='26257' accept"
    done
  fi
  firewall-cmd --permanent --add-port=8080/tcp
  firewall-cmd --reload
fi
echo_info "[8/9] Starting CockroachDB service..."
# Type=notify only reports ready once the cluster is initialized, so do not block on start
systemctl start --no-block cockroachdb
# Wait for service to start
sleep 5
echo_info "[9/9] Verifying installation..."
# Verify service status ("activating" is expected until cockroach init has been run)
STATE=$(systemctl is-active cockroachdb || true)
if [[ "$STATE" == "active" || "$STATE" == "activating" ]]; then
  echo_info "✓ CockroachDB service is running ($STATE)"
else
  echo_error "✗ CockroachDB service failed to start"
  systemctl status cockroachdb || true
  exit 1
fi
# Verify certificates exist
if [[ -f "${COCKROACH_HOME}/certs/ca.crt" && -f "${COCKROACH_HOME}/certs/node.crt" && -f "${COCKROACH_HOME}/certs/client.root.crt" ]]; then
  echo_info "✓ SSL certificates created successfully"
else
  echo_error "✗ SSL certificates missing"
  exit 1
fi
# Verify binary installation
if command -v cockroach &> /dev/null; then
  echo_info "✓ CockroachDB binary installed: $(cockroach version --build-tag)"
else
  echo_error "✗ CockroachDB binary not found"
  exit 1
fi
echo_info ""
echo_info "CockroachDB SSL encryption and security hardening complete!"
echo_info ""
echo_info "Next steps:"
echo_info "1. Initialize the cluster: sudo -u $COCKROACH_USER cockroach init --certs-dir=$COCKROACH_HOME/certs"
echo_info "2. Access web UI: https://$(hostname -f):8080"
echo_info "3. Connect with SSL: cockroach sql --certs-dir=$COCKROACH_HOME/certs"
echo_info ""
echo_warn "Remember to:"
echo_warn "- Copy CA certificate to other cluster nodes"
echo_warn "- Configure cluster initialization on the first node"
echo_warn "- Set up database users and permissions"
```

Review the script before running. Execute with: bash install.sh