Refresh Sunpike CA

This document contains the workaround solutions for the Sunpike CA issue i.e, Qbert is not able to communicate because the certificate TTL being requested for Sunpike is more than the expiry of the CA.

Option: 1- To use the existing CA, but reduce the TTL that the certs are signed with, execute the following steps inside the DU VM as root:

DU VM:
Copy

Option: 2- To Recreate the CA with a higher TTL value, execute the following steps inside the DU VM as root:

This option is only supported for LTS1-patch14[v-5.3.0-2710638] version and above.
DU VM
Copy

While executing step vault secrets disable ${VAULT_SECRET_ENGINE} if Vault fails to disabled with following error:

Error disabling secrets engine at pki/: Delete http://localhost:8200/v1/sys/mounts/pki: net/http: request canceled (Client.Timeout exceeded while awaiting headers)

then, please use the following workaround to move (and backup) the vault secrets data first, before running the same set of steps again (including disabling the vault secrets):

# /usr/local/bin/vault secrets move pki pki_backup

Continue to the following steps:
DU VM (conti.)
Copy
Type to search, ESC to discard
Type to search, ESC to discard
Type to search, ESC to discard
Next to read:
Management Plane Upgrade Fails with "Connection timed out" Error.

© 2025 Platform9. All Rights Reserved

On This Page
Refresh Sunpike CAOption: 1- To use the existing CA, but reduce the TTL that the certs are signed with, execute the following steps inside the DU VM as root:Option: 2- To Recreate the CA with a higher TTL value, execute the following steps inside the DU VM as root: