# Refresh Sunpike CA

This document describes workarounds for the Sunpike CA issue, in which Qbert is unable to communicate because the certificate TTL being requested for Sunpike extends past the expiry of the CA.

#### **Option 1:** To use the existing CA but reduce the TTL that the certs are signed with, execute the following steps inside the DU VM as root:

{% tabs %}
{% tab title="DU VM:" %}

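```bash
# Point the Vault CLI at the local Vault instance
export VAULT_ADDR=http://localhost:8200
# Read the Vault root token from the qbert database
export VAULT_TOKEN=$(mysql qbert -Bse "SELECT credential_value FROM qbert_secrets where credential_name='root_token'")
# Lower max_ttl on the sunpike role so requested certs fit within the existing CA's validity
/usr/local/bin/vault write "pki/roles/sunpike" max_ttl=2920h allow_any_name=true allow_server=false allow_client=true enforce_hostnames=false
systemctl restart pf9-qbert
```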

{% endtab %}
{% endtabs %}

#### **Option 2:** To recreate the CA with a higher TTL value, execute the following steps inside the DU VM as root:

{% hint style="info" %}
**Info**

This option is only supported for LTS1-patch14\[v-5.3.0-2710638] version and above.
{% endhint %}

{% tabs %}
{% tab title="DU VM" %}

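```bash
# Point the Vault CLI at the local Vault instance
export VAULT_ADDR=http://localhost:8200
# Read the Vault root token from the qbert database
export VAULT_TOKEN=$(mysql qbert -Bse "SELECT credential_value FROM qbert_secrets where credential_name='root_token'")
export VAULT_SECRET_ENGINE=pki
# Disabling the engine deletes the existing CA and all data under the pki mount
vault secrets disable ${VAULT_SECRET_ENGINE}
```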

{% endtab %}
{% endtabs %}

{% hint style="warning" %}
**Warning**

If, while executing the step `vault secrets disable ${VAULT_SECRET_ENGINE}`, Vault fails to disable the secrets engine with the following error:

`Error disabling secrets engine at pki/: Delete http://localhost:8200/v1/sys/mounts/pki: net/http: request canceled (Client.Timeout exceeded while awaiting headers)`

then use the following workaround to move (and back up) the Vault secrets data first, before running the same set of steps again (including disabling the Vault secrets engine):

`# /usr/local/bin/vault secrets move pki pki_backup`

Continue to the following steps:
{% endhint %}

{% tabs %}
{% tab title="DU VM (cont.)" %}

```bash
vault secrets enable pki || true
vault secrets tune -max-lease-ttl=87600h pki
vault write pki/root/generate/internal \
        common_name=sunpike \
        ttl=87600h || true
vault write pki/config/urls \
        issuing_certificates="http://127.0.0.1:8200/v1/pki/ca" \
        crl_distribution_points="http://127.0.0.1:8200/v1/pki/crl"
vault write pki/roles/sunpike \
        allow_server=false \
        allow_client=true \
        allow_any_name=true \
        enforce_hostnames=false \
        max_ttl=8770h
systemctl restart pf9-vault
systemctl restart pf9-qbert
systemctl restart sunpike-kube-apiserver
```

{% endtab %}
{% endtabs %}
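
To confirm that a role's `max_ttl` fits inside the CA's remaining validity (the condition behind this issue), the following check can be run before or after either option. It is an added example, not part of the original article or of Platform9 tooling; the function names and the throwaway sample CA are constructed for illustration, and `openssl` is assumed to be installed.

```shell
#!/usr/bin/env bash
# Added example: does a CA certificate outlive the longest TTL a PKI role may sign?

# make_sample_ca DAYS OUT_PEM: constructed throwaway self-signed CA for the demo.
make_sample_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=sunpike" \
        -days "$1" -keyout "$2.key" -out "$2" 2>/dev/null && rm -f "$2.key"
}

# ca_covers_ttl CA_PEM TTL_HOURS
# 0 = CA still valid TTL_HOURS from now, 1 = CA expires sooner, 2 = bad input.
ca_covers_ttl() {
    local ca_pem=$1 ttl_hours=$2
    case $ttl_hours in
        ''|*[!0-9]*) echo "TTL must be whole hours: '$ttl_hours'" >&2; return 2 ;;
    esac
    # Reject unreadable or non-certificate input before trusting -checkend's exit code.
    openssl x509 -in "$ca_pem" -noout 2>/dev/null || {
        echo "not a PEM certificate: $ca_pem" >&2; return 2; }
    # -checkend N exits 0 only if the certificate is still valid N seconds from now.
    openssl x509 -in "$ca_pem" -noout -checkend $((ttl_hours * 3600)) >/dev/null \
        && return 0
    return 1
}

# report CA_PEM TTL_HOURS...: print one verdict line per candidate max_ttl.
report() {
    local ca_pem=$1 ttl; shift
    openssl x509 -in "$ca_pem" -noout -subject -enddate
    for ttl in "$@"; do
        if ca_covers_ttl "$ca_pem" "$ttl"; then
            echo "max_ttl=${ttl}h: OK, CA outlives any cert issued today"
        else
            echo "max_ttl=${ttl}h: FAIL, CA expires before now+${ttl}h"
        fi
    done
}

# Demo on a constructed CA with 200 days left, using the two max_ttl values from
# this page. On the DU VM, feed it the real CA instead (assumes the pki mount):
#   vault read -field=certificate pki/cert/ca > /tmp/sunpike-ca.pem
demo_dir=$(mktemp -d)
make_sample_ca 200 "$demo_dir/ca.pem"
report "$demo_dir/ca.pem" 2920 8770
rm -rf "$demo_dir"
```

A `FAIL` line for the role's current `max_ttl` means the CA expires before a certificate issued now with that TTL would, which is the state this article works around.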

