ca

Important

You must have access to a recent backup of your MKE instance to run the ca command.

With the ca command you can change the certificate material of the MKE Root CAs. Specifically, you can have the root certificate and key rotated automatically, or you can replace them with your own certificate and private key.

The ca command must be run on a manager node:

docker container run --rm -it \
  --name ucp \
  -v /var/run/docker.sock:/var/run/docker.sock \
  mirantis/ucp:3.x.y \
  ca <command-options>

You can use the ca command with a provided Root CA certificate and key by bind-mounting these credentials to the CLI container at /ca/cert.pem and /ca/key.pem, respectively:

docker container run -it --rm \
  --name ucp \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v /path/to/cert.pem:/ca/cert.pem \
  -v /path/to/key.pem:/ca/key.pem \
  mirantis/ucp:3.x.y \
  ca <command-options>

The requirements for doing this are:

  • The MKE Cluster Root CA certificate must have swarm-ca as its common name.

  • The MKE Client Root CA certificate must have UCP Client Root CA as its common name.

  • The certificate must be a self-signed root certificate; intermediate certificates are not allowed.

  • The certificate and key must be in PEM format without a passphrase.

  • The MKE etcd Root CA certificate must have MKE etcd Root CA as its common name.

Finally, to apply the certificates, you must reboot the manager nodes one at a time, making sure to reboot the leader node last.
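The following pre-flight check, an added example that is not part of MKE or its tooling, verifies a certificate and key against the requirements listed above before you bind-mount them into the ca container: PEM format, no passphrase, the expected common name for the chosen Root CA, a self-signed root rather than an intermediate, and a key that actually belongs to the certificate. It assumes openssl is on PATH; the sample material it generates is constructed for the demonstration only.

```shell
#!/bin/sh
# Pre-flight check of a Root CA certificate/key pair before handing it to `ca`.
# Added example, not part of MKE. Assumes openssl is on PATH.
# Usage: check_mke_ca <cert.pem> <key.pem> <cluster|client|etcd>
check_mke_ca() {
  cert=$1; key=$2; kind=$3
  case "$kind" in
    cluster) want_cn="swarm-ca" ;;
    client)  want_cn="UCP Client Root CA" ;;
    etcd)    want_cn="MKE etcd Root CA" ;;
    *) echo "unknown CA kind: $kind" >&2; return 2 ;;
  esac
  # PEM format and no passphrase: an encrypted key carries an ENCRYPTED marker.
  grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" || { echo "cert is not PEM" >&2; return 1; }
  grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" || { echo "key is not PEM" >&2; return 1; }
  if grep -q 'ENCRYPTED' "$key"; then echo "key is passphrase-protected" >&2; return 1; fi
  # The common name must match the Root CA being replaced.
  cn=$(openssl x509 -in "$cert" -noout -subject -nameopt multiline | sed -n 's/^ *commonName *= *//p')
  [ "$cn" = "$want_cn" ] || { echo "CN is '$cn', expected '$want_cn'" >&2; return 1; }
  # Self-signed root: the certificate must verify with itself as the only trust anchor,
  # so a certificate issued by some other CA (an intermediate) is rejected here.
  openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1 || { echo "not a self-signed root" >&2; return 1; }
  # The private key must correspond to the certificate's public key.
  cpub=$(openssl x509 -in "$cert" -noout -pubkey)
  kpub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || kpub=
  [ -n "$kpub" ] && [ "$cpub" = "$kpub" ] || { echo "key does not match cert" >&2; return 1; }
  echo "ok: usable as the MKE $kind Root CA"
}

# Constructed throwaway material so the check can be exercised stand-alone.
make_sample_ca() {  # $1 = output directory, $2 = common name
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

if [ $# -eq 3 ]; then check_mke_ca "$@"; fi
```

Run it as `sh check.sh /path/to/cert.pem /path/to/key.pem cluster` (or client, or etcd); a non-zero exit status means the material would not be accepted.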

Note

If there are unhealthy nodes in the cluster, CA rotation cannot complete. If the rotation is hanging, you can run the following command to determine whether any nodes are down or are otherwise unable to rotate TLS certificates:

docker node ls --format "{{.ID}} {{.Hostname}} {{.Status}} {{.TLSStatus}}"

Options

Option                   Description
--debug, -D              Enables debug mode.
--jsonlog                Produces JSON-formatted output for easier parsing.
--cluster                Manipulates the MKE Cluster Root CA.
--client                 Manipulates the MKE Client Root CA.
--etcd                   Manipulates the MKE etcd Root CA.
--rotate                 Generates a new root CA certificate and key automatically. Default: false
--force-recent-backup    Forces the CA change to occur even if the system does not have a recent backup. Default: false