Refresh Sunpike CA

This document describes workarounds for the Sunpike CA issue, in which Qbert is not able to communicate because the certificate TTL being requested for Sunpike is more than the expiry of the CA.

Option 1: To use the existing CA but reduce the TTL that the certificates are signed with, execute the following steps inside the DU VM as root:

export VAULT_ADDR=http://localhost:8200
export VAULT_TOKEN=$(mysql qbert -Bse "SELECT credential_value FROM qbert_secrets where credential_name='root_token'")
/usr/local/bin/vault write "pki/roles/sunpike" max_ttl=2920h allow_any_name=true allow_server=false allow_client=true enforce_hostnames=false
systemctl restart pf9-qbert
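
Before settling on a max_ttl value, you can compare it with the time left on the CA. The following is an added example, not part of the original procedure or Platform9's code. The function names are hypothetical, and it assumes openssl and GNU date are available on the DU VM and that VAULT_ADDR and VAULT_TOKEN are exported as above.

```shell
# Added example (not Platform9 code). Function names are hypothetical.
# Assumes VAULT_ADDR and VAULT_TOKEN are exported as in the steps above,
# and that openssl and GNU date are available on the DU VM.

# hours_left NOW_EPOCH NOT_AFTER_EPOCH: whole hours until the CA expires.
hours_left() {
    echo $(( ($2 - $1) / 3600 ))
}

# ttl_fits TTL_HOURS NOW_EPOCH NOT_AFTER_EPOCH: succeeds only when a
# certificate issued now with that TTL would expire no later than the CA.
ttl_fits() {
    [ $(( $2 + $1 * 3600 )) -le "$3" ]
}

# ca_not_after_epoch: print the CA certificate's notAfter as a Unix timestamp.
ca_not_after_epoch() {
    mount=${VAULT_SECRET_ENGINE:-pki}
    pem=$(vault read -field=certificate "$mount/cert/ca") || return 1
    end=$(printf '%s\n' "$pem" | openssl x509 -noout -enddate) || return 1
    end=${end#notAfter=}
    [ -n "$end" ] || return 1
    date -u -d "$end" +%s
}

# check_ca_ttl TTL_HOURS: compare a candidate max_ttl with the live CA.
check_ca_ttl() {
    now=$(date -u +%s)
    not_after=$(ca_not_after_epoch) || {
        echo "could not read the CA certificate from Vault" >&2
        return 2
    }
    left=$(hours_left "$now" "$not_after")
    if ttl_fits "$1" "$now" "$not_after"; then
        echo "OK: CA expires in ${left}h, a ${1}h TTL fits"
    else
        echo "TOO LONG: CA expires in ${left}h, a ${1}h TTL does not fit" >&2
        return 1
    fi
}

# Usage on the DU VM: check_ca_ttl 2920
```
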

Option 2: To recreate the CA with a higher TTL value, execute the following steps inside the DU VM as root:

Info: This option is only supported for LTS1-patch14 [v-5.3.0-2710638] version and above.

export VAULT_ADDR=http://localhost:8200
export VAULT_TOKEN=$(mysql qbert -Bse "SELECT credential_value FROM qbert_secrets where credential_name='root_token'")
export VAULT_SECRET_ENGINE=pki
vault secrets disable ${VAULT_SECRET_ENGINE}