docker/ucp regen-certs

Regenerate keys and certificates for a UCP controller

Usage

$ docker run --rm -it \
     --name ucp \
     -v /var/run/docker.sock:/var/run/docker.sock \
     docker/ucp \
     regen-certs [command options]

Description

This utility will generate new private keys and certs for UCP controllers.

By default it will leave the Root CA keys and certs intact and only regenerate server and client certs on the controller. This can be used to change the list of SANs within the certs after install and refresh the expiration of the certificates.

You may regenerate the Root CAs with this tool using “--root-ca-only” then follow a multi-step procedure to regenerate all certs in the cluster.

WARNING: REGENERATING THE ROOT CAs IS A DISRUPTIVE OPERATION!

First run “regen-certs --root-ca-only” on one controller. If this is an HA cluster, then perform a “backup --root-ca-only” on this controller, and “restore --root-ca-only” on all other controllers. Then on all of the controllers run “regen-certs” during which the cluster will become unavailable until 1/2+1 of the controllers are running with new certs. Once all controllers have new certs, restart all the docker daemons on the controller nodes. Once the cluster controllers have recovered, run “join --fresh-install” on all non-controller nodes to re-join them to the cluster. After completing the process, all user bundles will be invalid and new bundles must be downloaded.

Options