The question:
I’m trying to find the least intrusive way to bind a new SSL certificate to an Always On Availability Group 3-node cluster. After applying the new certificate, a message appears that SQL Server will need to be restarted for the change to take effect.
Is failing over a group sufficient to bind the new certificate? Or does SQL Server have to be restarted from the Cluster Manager?
Thanks for any help.
The Solutions:
Method 1
Is failing over a group sufficient to bind the new certificate?
Unfortunately, it is not. Failing over an AG does not restart the instance; rather, it causes state changes to the AG in both the cluster and SQL Server.
Or does SQL Server have to be restarted from the Cluster Manager?
Please do not use FCM with AGs as it isn’t supported and can cause synchronization issues between SQL Server and the Cluster, which need to be reset by stopping all instances of SQL Server and bringing them back online one by one. Note that this is only for AGs and not for FCIs, for which it is perfectly fine to use FCM (unless the FCI also hosts AGs).
Stop the services via SSCM, if possible, or other service interaction options such as PowerShell, .NET remoting, etc. You could start with the secondary replicas first, then fail over, then restart the old primary.
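The rolling restart described in the answer above, sketched in PowerShell as an added example (not part of the original answer). The node names, AG name, default-instance service names, PowerShell remoting, the SqlServer module and a synchronous-commit failover target are all assumptions.

```powershell
$ErrorActionPreference = 'Stop'
# Hypothetical names: replace with your own replicas and availability group.
$Secondaries = 'SQLNODE2', 'SQLNODE3'
$OldPrimary  = 'SQLNODE1'
$NewPrimary  = 'SQLNODE2'   # assumed synchronous-commit secondary
$AgName      = 'AG1'

function Restart-SqlInstance {
    param([string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        # -Force is required because SQL Server Agent depends on the engine service.
        Restart-Service -Name 'MSSQLSERVER' -Force
        Start-Service   -Name 'SQLSERVERAGENT'   # no-op if it is already running
    }
}

function Wait-AgSynchronized {
    param([string]$Primary, [string]$AgName)
    # Counts synchronous-commit databases that are not yet SYNCHRONIZED,
    # as seen from the current primary.
    $query = @"
SELECT COUNT(*) AS NotReady
FROM sys.dm_hadr_database_replica_states AS drs
JOIN sys.availability_replicas AS ar ON ar.replica_id = drs.replica_id
JOIN sys.availability_groups   AS ag ON ag.group_id   = drs.group_id
WHERE ag.name = N'$AgName'
  AND ar.availability_mode_desc = 'SYNCHRONOUS_COMMIT'
  AND drs.synchronization_state_desc <> 'SYNCHRONIZED';
"@
    do {
        Start-Sleep -Seconds 5
        $notReady = (Invoke-Sqlcmd -ServerInstance $Primary -Query $query).NotReady
    } while ($notReady -gt 0)
}

# 1. Restart each secondary in turn; the primary keeps serving throughout.
foreach ($node in $Secondaries) {
    Restart-SqlInstance -ComputerName $node
    Wait-AgSynchronized -Primary $OldPrimary -AgName $AgName
}

# 2. Planned manual failover, issued on the target secondary.
Invoke-Sqlcmd -ServerInstance $NewPrimary -Query "ALTER AVAILABILITY GROUP [$AgName] FAILOVER;"

# 3. Restart the old primary (now a secondary) so it also loads the new certificate.
Restart-SqlInstance -ComputerName $OldPrimary
Wait-AgSynchronized -Primary $NewPrimary -AgName $AgName
```

Waiting for SYNCHRONIZED before the failover is what keeps it a planned failover without data loss; an asynchronous-commit replica is restarted the same way but is not a valid target for step 2.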
All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.