| 1 | +# Updating TLS Certificates for Embedded Cluster Installations |
| 2 | + |
| 3 | +This topic describes how to update custom TLS certificates for Replicated Embedded Cluster installations. |
| 4 | + |
| 5 | +## Overview |
| 6 | + |
| 7 | +For Embedded Cluster installations, the default Replicated KOTS self-signed certificate automatically renews 30 days before the expiration date. |
| 8 | + |
| 9 | +If you have uploaded a custom TLS certificate instead, then no renewal is attempted, even if the certificate is expired. In this case, you must manually upload a new custom certificate. |
| 10 | + |
| 11 | +## Update Custom TLS Certificates |
| 12 | + |
| 13 | +If you are using a custom TLS certificate in Embedded Cluster installations, you manually upload a new certificate when the previous one expires. |
| 14 | + |
| 15 | +:::important |
| 16 | +Adding the `acceptAnonymousUploads` annotation temporarily creates a vulnerability for an attacker to maliciously upload TLS certificates. After TLS certificates have been uploaded, the vulnerability is closed again. |
| 17 | + |
| 18 | +Replicated recommends that you complete this upload process quickly to minimize the vulnerability risk. |
| 19 | +::: |
| 20 | + |
| 21 | +To upload a new custom TLS certificate: |
| 22 | + |
| 23 | +1. On the machine where Embedded Cluster is installed, run the following command to start a shell so that you can access the cluster with kubectl: |
| 24 | + |
| 25 | + ```bash |
| 26 | + sudo ./APP_SLUG shell |
| 27 | + ``` |
| 28 | + |
| 29 | +1. In the shell, run the following annotation command to restore the ability to upload new TLS certificates: |
| 30 | + |
| 31 | + ```bash |
| 32 | + kubectl -n default annotate secret kotsadm-tls acceptAnonymousUploads=1 --overwrite |
| 33 | + ``` |
| 34 | + |
| 35 | + :::important |
| 36 | + Adding the `acceptAnonymousUploads` annotation temporarily creates a vulnerability for an attacker to maliciously upload TLS certificates. After TLS certificates have been uploaded, the vulnerability is closed again. |
| 37 | + |
| 38 | + Replicated recommends that you complete this upload process quickly to minimize the vulnerability risk. |
| 39 | + ::: |
| 40 | + |
| 41 | +1. Run the following command to get the name of the kurl-proxy server: |
| 42 | + |
| 43 | + ```bash |
| 44 | + kubectl get pods -A | grep kurl-proxy | awk '{print $2}' |
| 45 | + ``` |
| 46 | + |
| 47 | +1. Run the following command to delete the kurl-proxy pod. The pod automatically restarts after the command runs. |
| 48 | + |
| 49 | + ```bash |
| 50 | + kubectl delete pods PROXY_SERVER |
| 51 | + ``` |
| 52 | + |
| 53 | + Replace PROXY_SERVER with the name of the kurl-proxy server that you got in the previous step. |
| 54 | + |
| 55 | +1. After the pod has restarted, direct your browser to `http://<ip>:30000/tls` and go through the upload process in the user interface. |
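Review bot: The delete step in this hunk (`kubectl delete pods PROXY_SERVER`) omits the namespace, while the lookup one step earlier lists pods across all namespaces (`kubectl get pods -A | grep kurl-proxy | awk '{print $2}'`); with `-A` the namespace is column 1 and only the pod name is printed, so the delete fails unless the pod happens to live in the shell's current namespace. Either print both columns (`awk '{print $1, $2}'`) and pass `-n NAMESPACE` to the delete, or state the namespace explicitly as the annotate command already does with `-n default`. Two smaller points: the `:::important` admonition about `acceptAnonymousUploads` appears twice, once before the numbered steps and again inside step 2; keeping only the copy next to the annotate command would avoid the duplication. And since the text relies on the upload window closing again after the certificate is uploaded, a closing step that tells the reader to confirm the annotation is no longer set on the `kotsadm-tls` secret would give them a way to check that the window is actually shut.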