Server Rename: certmgr-01 → vault-01

Rename the Vault server from certmgr-01 to vault-01 for enterprise HA naming (vault-01, vault-02, vault-03).

Prerequisites

  • SSH access to certmgr-01

  • SSH access to bind-01

  • Workstation SSH config access

DNS is now managed via BIND (bind-01/bind-02). VyOS forwards to BIND.

Quick Reference: Key Patterns

  • Preview sed changes: sed -n 's/old/new/gp' file
    Prints only the lines that would change, without modifying the file. Use the same flags as the real substitution (here g) so the preview shows every replacement the apply step will make.

  • Check file for pattern: awk '/pattern/ {print NR": "$0}' file
    NR = line number, $0 = full line

  • Range pattern (block): awk '/start/,/end/ {print NR": "$0}' file
    Prints from the first line matching start through the next line matching end (to end of file if end never matches)

  • SOA record extraction: awk '/SOA/,/\)/ {print NR": "$0}' zone
    SOA spans multiple lines until the closing paren

  • Character class: awk '/vault-0[12]/ {print}'
    Matches vault-01 OR vault-02

  • Alternation: awk '/vault-01|vault-02/ {print}'
    Pipe = OR. awk regexes are extended (ERE), so | needs no escaping; sed's default basic syntax has no alternation at all unless you use sed -E.

  • Query JSON like SQL: jq '.[] | select(.field | test("pattern"))'
    jq = query language for JSON

Phase 1: Rename VM Hostname

1.1 SSH to Current Server

ssh certmgr-01

1.2 Set New Hostname

sudo hostnamectl set-hostname vault-01.inside.domusdigitalis.dev

1.3 Update /etc/hosts

Check current state:

awk '/certmgr-01/ {print NR": "$0}' /etc/hosts

If entries exist, preview the changes (same g flag as the apply step, so every replacement on a line is shown):

sudo sed -n 's/certmgr-01/vault-01/gp' /etc/hosts

Apply changes (if any):

sudo sed -i 's/certmgr-01/vault-01/g' /etc/hosts

1.4 Add IP Mapping

If no existing entry, add one:

echo "10.50.1.60  vault-01.inside.domusdigitalis.dev vault-01" | sudo tee -a /etc/hosts

Verify:

awk '/vault-01/ {print NR": "$0}' /etc/hosts

1.5 Verify Hostname

hostnamectl | awk 'NR <= 5'
Expected Output
   Static hostname: vault-01.inside.domusdigitalis.dev
         Icon name: computer-vm
           Chassis: vm
        Machine ID: ...
           Boot ID: ...

Test local resolution:

getent hosts vault-01
Expected Output
10.50.1.60      vault-01.inside.domusdigitalis.dev vault-01

Phase 2: Update BIND DNS

2.1 SSH to DNS Server

ssh bind-01

2.2 Check Forward Zone Current State

sudo awk '/certmgr-01/ {print NR": "$0}' /var/named/inside.domusdigitalis.dev.zone

Preview the sed change (same g flag as the apply step):

sudo sed -n 's/certmgr-01/vault-01/gp' /var/named/inside.domusdigitalis.dev.zone

2.3 Check SOA Serial (Multi-line Record)

The SOA record spans multiple lines. Use range pattern:

sudo awk '/SOA/,/\)/ {print NR": "$0}' /var/named/inside.domusdigitalis.dev.zone
Expected Output
2: @   IN  SOA     bind-01.inside.domusdigitalis.dev. admin.inside.domusdigitalis.dev. (
3:                 2026021601  ; Serial
4:                 3600        ; Refresh
...
Range pattern '/start/,/end/' prints every line from the first match of start through the next match of end (through end of file if end never matches). SOA records end with ).

2.4 Apply Forward Zone Changes

sudo sed -i 's/certmgr-01/vault-01/g' /var/named/inside.domusdigitalis.dev.zone

Increment the SOA serial (format: YYYYMMDDNN). The new value must be strictly greater than the old one, or a secondary (bind-02, if it transfers the zone from bind-01) will not pick up the change; for a second edit on the same day bump NN (2026022002, 2026022003, ...) rather than reusing the date:

sudo sed -i 's/2026021601/2026022001/' /var/named/inside.domusdigitalis.dev.zone

Verify both changes. Keep the range pattern and the hostname match as separate awk commands: a combined '/vault-01|SOA/,/\)/' starts a new range at every vault-01 line and prints until the next ) or end of file, so it shows far more than the SOA block:

sudo awk '/SOA/,/\)/ {print NR": "$0}' /var/named/inside.domusdigitalis.dev.zone
sudo awk '/vault-01/ {print NR": "$0}' /var/named/inside.domusdigitalis.dev.zone

2.5 Find Reverse Zone File

Zone files may use different naming conventions. Read the actual file name from the zone block in named.conf (range pattern from the zone line to its closing brace; named.conf is usually readable by root only, hence sudo):

sudo awk '/zone.*arpa/,/}/ {print NR": "$0}' /etc/named.conf

Or print every zone block named.conf defines for this domain:

sudo awk '/zone.*inside|zone.*arpa/,/}/ {print NR": "$0}' /etc/named.conf

2.6 Check Reverse Zone Current State

sudo awk '/certmgr-01|60.*PTR/ {print NR": "$0}' /var/named/10.50.1.rev

Preview the change (same g flag as the apply step):

sudo sed -n 's/certmgr-01/vault-01/gp' /var/named/10.50.1.rev

2.7 Apply Reverse Zone Changes

sudo sed -i 's/certmgr-01/vault-01/g' /var/named/10.50.1.rev

Check the current serial, then increment it. The reverse zone keeps its own serial (here 2026021401, not the forward zone's value), so read it from the awk output before substituting, and keep the new value strictly greater than the old one:

sudo awk '/SOA/,/\)/ {print NR": "$0}' /var/named/10.50.1.rev
sudo sed -i 's/2026021401/2026022001/' /var/named/10.50.1.rev

Verify (range and hostname match as separate commands, so a range does not start at every vault-01 line):

sudo awk '/SOA/,/\)/ {print NR": "$0}' /var/named/10.50.1.rev
sudo awk '/vault-01/ {print NR": "$0}' /var/named/10.50.1.rev

2.8 Validate Zone Syntax

sudo named-checkzone inside.domusdigitalis.dev /var/named/inside.domusdigitalis.dev.zone && sudo named-checkzone 1.50.10.in-addr.arpa /var/named/10.50.1.rev
Expected Output
zone inside.domusdigitalis.dev/IN: loaded serial 2026022001
OK
zone 1.50.10.in-addr.arpa/IN: loaded serial 2026022001
OK
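The zone edit of 2.2 through 2.8 as one script, added here as an example and not part of the original runbook: it renames the host, computes the next serial from the current one instead of hand-typing it (so a second edit on the same day gets NN+1 and the result is always strictly greater), and rewrites the serial only inside the SOA record. The sample zone is constructed from the values in the expected output above; the refresh/retry/expire numbers and the NS line are assumptions added to make the record complete. The functions take any path, so try them on a copy, then run named-checkzone as in 2.8 before reloading.

```sh
#!/bin/sh
# Added example (not from the runbook): rename a host in a BIND zone file and
# bump the SOA serial with the rules the runbook states enforced in code.
set -eu

# next_serial CURRENT TODAY -> new YYYYMMDDNN serial (TODAY as YYYYMMDD).
# If CURRENT already carries today's date (or is ahead of today), increment it;
# otherwise start today's sequence at 01. Always strictly greater than CURRENT.
next_serial() {
    cur=$1; today=$2
    case "$cur" in
        "$today"*) echo $((cur + 1)) ;;
        *) if [ "$cur" -ge "${today}01" ]; then echo $((cur + 1)); else echo "${today}01"; fi ;;
    esac
}

# soa_serial FILE -> the serial: first 10-digit field inside the SOA record.
# The record runs from the "SOA" line to the closing ")", hence the range
# pattern; the digit class is spelled out because mawk has no {10} intervals.
soa_serial() {
    awk '/SOA/,/\)/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]$/) { print $i; exit }
    }' "$1"
}

# rename_host FILE OLD NEW -> replace OLD with NEW everywhere in FILE and fail
# if any OLD survives. Goes through a temp file because sed -i differs between
# GNU and BSD sed.
rename_host() {
    sed "s/$2/$3/g" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    ! grep -q "$2" "$1"
}

# bump_zone_serial FILE TODAY -> replace the serial inside the SOA record only
# (a bare sed on the number could also hit an unrelated line); prints the new value.
bump_zone_serial() {
    cur=$(soa_serial "$1")
    [ -n "$cur" ] || { echo "no SOA serial found in $1" >&2; return 1; }
    new=$(next_serial "$cur" "$2")
    awk -v cur="$cur" -v new="$new" '
        /SOA/,/\)/ { if (!done && index($0, cur)) { sub(cur, new); done = 1 } }
        { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    echo "$new"
}

# rename_in_zone FILE OLD NEW TODAY -> rename, then bump; prints the new serial.
rename_in_zone() {
    rename_host "$1" "$2" "$3"
    bump_zone_serial "$1" "$4"
}

# Constructed sample zone: SOA values from the runbook's expected output,
# refresh/retry/expire and the NS line are assumptions.
write_sample_zone() {
    cat > "$1" <<'EOF'
$TTL 86400
@   IN  SOA     bind-01.inside.domusdigitalis.dev. admin.inside.domusdigitalis.dev. (
                2026021601  ; Serial
                3600        ; Refresh
                900         ; Retry
                604800      ; Expire
                86400 )     ; Minimum (negative-caching TTL)
    IN  NS      bind-01.inside.domusdigitalis.dev.
certmgr-01  IN  A   10.50.1.60
EOF
}

# Demo on a copy in a temp dir, so nothing under /var/named is touched.
demo_dir=$(mktemp -d)
write_sample_zone "$demo_dir/inside.domusdigitalis.dev.zone"
echo "new serial: $(rename_in_zone "$demo_dir/inside.domusdigitalis.dev.zone" certmgr-01 vault-01 20260220)"
cat "$demo_dir/inside.domusdigitalis.dev.zone"
rm -rf "$demo_dir"
```

To use it on bind-01, call rename_in_zone on the real zone path with today's date from date +%Y%m%d, then named-checkzone and reload as in 2.8 and 2.9; the same call with the reverse zone file handles the PTR record, since the reverse zone's serial is read from its own SOA.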

2.9 Reload BIND

sudo systemctl reload named && systemctl is-active named

2.10 Verify DNS Resolution

Query BIND directly (bypasses any forwarder cache):

dig +short @127.0.0.1 vault-01.inside.domusdigitalis.dev
dig +short @127.0.0.1 -x 10.50.1.60

If bind-02 takes the zone from bind-01 by transfer, check that it reports the new serial before relying on answers from it:

dig +short @bind-02.inside.domusdigitalis.dev inside.domusdigitalis.dev SOA

DNS caching: if dig +short -x 10.50.1.60 (without @server) still returns the old name, a resolver in the path (the VyOS forwarder in front of BIND, or the local stub resolver) is serving a cached answer. It may do so until the record's TTL (Time To Live) expires: the zone default of 86400 = 24 hours unless the record carries its own TTL. The SOA "minimum" field is not that limit; it is the negative-caching TTL, i.e. how long a "no such name" answer is cached.

Phase 3: Verify BIND DNS Changes

DNS is managed by BIND (bind-01/bind-02), already updated in Phase 2.

3.1 Verify DNS Resolution from Workstation

dig +short vault-01.inside.domusdigitalis.dev
Expected Output
10.50.1.60

3.2 Verify Reverse DNS

dig +short -x 10.50.1.60
Expected Output
vault-01.inside.domusdigitalis.dev.

3.3 Clear Local DNS Cache (if needed)

VyOS forwards to BIND. If resolution is slow to update, either wait for the cached record's TTL to expire (zone TTL is typically 86400 = 24 hours) or query BIND directly to bypass the forwarder's cache:

dig +short @{bind-ip} vault-01.{domain}

For a planned rename, lowering the record's TTL a day ahead of the change keeps the old answer cached only briefly; raise it again once the new name has propagated.

Phase 4: Update Workstation SSH Config

4.1 Check Current SSH Config

View single host block:

awk '/certmgr-01/,/^$/ {print NR": "$0}' ~/.ssh/config

View multiple hosts (character class):

awk '/certmgr-0[12]/,/^$/ {print NR": "$0}' ~/.ssh/config
Character class [12] matches 1 OR 2. Inside brackets, characters are literal (no pipe needed). Use [0-9] for any digit.

4.2 Preview Changes

sed -n 's/certmgr-01/vault-01/p' ~/.ssh/config
sed -n 's/certmgr-02/vault-02/p' ~/.ssh/config

4.3 Apply Changes

sed -i 's/certmgr-01/vault-01/g' ~/.ssh/config
sed -i 's/certmgr-02/vault-02/g' ~/.ssh/config

sed -i as written is GNU sed; on a macOS workstation (BSD sed) the in-place flag needs an empty suffix argument: sed -i '' 's/certmgr-01/vault-01/g' ~/.ssh/config.

Verify:

awk '/vault-0[12]/,/^$/ {print NR": "$0}' ~/.ssh/config

4.4 Update Known Hosts

Remove the old entries (errors for names that have no entry are suppressed):

ssh-keygen -R certmgr-01 2>/dev/null
ssh-keygen -R certmgr-01.inside.domusdigitalis.dev 2>/dev/null
ssh-keygen -R certmgr-02 2>/dev/null
ssh-keygen -R certmgr-02.inside.domusdigitalis.dev 2>/dev/null

Only the name changed, not the server's host key, so the entry recorded under 10.50.1.60 stays valid. The first ssh vault-01 will prompt to accept the key under the new name: before answering yes, compare the fingerprint in the prompt with the one the server reports for itself (ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub, run from the Phase 1 session or the VM console). ssh-keygen -R also works when HashKnownHosts is enabled, but grep on the file will not find the names.

4.5 Test SSH

ssh vault-01 hostname
Expected Output
vault-01.inside.domusdigitalis.dev

Phase 5: Update dsec References

dsec edit d000 dev/vault

Update hostname references from certmgr-01 to vault-01.

Completion Checklist

  [ ] Phase 1: VM hostname changed to vault-01

  [ ] Phase 2: BIND forward and reverse zones updated

  [ ] Phase 3: DNS resolution verified (BIND handles DNS)

  [ ] Phase 4: Workstation SSH config updated

  [ ] Phase 5: dsec references updated

Verification

After all phases complete:

ssh vault-01 "hostname && vault status | awk 'NR<=3'"
Expected Output
vault-01.inside.domusdigitalis.dev
Key             Value
---             -----
Seal Type       shamir

vault status connects to the address in VAULT_ADDR. If VAULT_ADDR, the api_addr/cluster_addr settings in Vault's own config, or the listener's TLS certificate still name certmgr-01, update those as well: a certificate whose SANs list only certmgr-01 fails hostname verification for https://vault-01.inside.domusdigitalis.dev and has to be reissued with the new name. The rename is not finished until clients reach Vault under vault-01.

Concepts Reference

DNS Zone Concepts

  • Forward Zone: hostname → IP (A records)

  • Reverse Zone: IP → hostname (PTR records)

  • in-addr.arpa: reverse DNS namespace, IP octets reversed (10.50.1.60 lives in 1.50.10.in-addr.arpa)

  • SOA Serial: zone version number (YYYYMMDDNN format). Must increase on every change, or secondaries will not transfer the new copy.

  • TTL: Time To Live, how long resolvers cache a record (seconds)

jq vs SQL Comparison

  • SELECT * FROM table
    jq: .[]   (iterate all items)

  • WHERE field = 'value'
    jq: select(.field == "value")   (exact match)

  • WHERE field LIKE '%pattern%'
    jq: select(.field | test("pattern"))   (regex match)

  • SELECT field1, field2
    jq: {field1, field2}   (project specific fields)

  • SELECT field1 || ' ' || field2
    jq: "\(.field1) \(.field2)"   (string interpolation)

awk Pattern Types

  • Simple match: /pattern/   (lines containing pattern)

  • Range (block): /start/,/end/   (multi-line blocks: SSH config, SOA records)

  • Character class: /[abc]/   (any single char a, b, or c)

  • Negated class: /[^abc]/   (any single char except a, b, c)

  • Digit range: /[0-9]/   (any digit)

  • Field extraction: {print $1, $3}   (print specific columns)

Rollback

If issues occur, reverse the changes:

  1. Restore hostname: sudo hostnamectl set-hostname certmgr-01.inside.domusdigitalis.dev, and revert /etc/hosts: sudo sed -i 's/vault-01/certmgr-01/g' /etc/hosts

  2. Restore BIND zones: sudo sed -i 's/vault-01/certmgr-01/g' on the two zone files edited in Phase 2 (/var/named/inside.domusdigitalis.dev.zone and /var/named/10.50.1.rev). Do not put the old serials back: a rollback is another change, so increment each serial again (e.g. 2026022001 → 2026022002), then run named-checkzone on both zones and reload named as in 2.8 and 2.9.

  3. Restore pfSense (only if a pfSense DNS entry still exists; DNS is now served by BIND): netapi pfsense dns update --id <new-id> -h certmgr-01 …

  4. Restore SSH config: sed -i 's/vault-01/certmgr-01/g' ~/.ssh/config, and drop the new known_hosts entries with ssh-keygen -R vault-01 and ssh-keygen -R vault-01.inside.domusdigitalis.dev

Next Steps

After rename is complete, proceed with: