docker-docs/datacenter/ucp/1.1/reference/regen-certs.md
Misty Stanley-Jones a4f5e30249 Various copyedits to reduce future tense, wordiness, and use of 'please' (#5788)
* Reword lots of instances of 'will'

* Reword lots of instances of won't

* Reword lots of instances of we'll

* Eradicate you'll

* Eradicate 'be able to' type of phrases

* Eradicate 'unable to' type of phrases

* Eradicate 'has / have to' type of phrases

* Eradicate 'note that' type of phrases

* Eradicate 'in order to' type of phrases

* Redirect to official Chef and Puppet docs

* Eradicate gratuitous 'please'

* Reduce use of e.g.

* Reduce use of i.e.

* Reduce use of N.B.

* Get rid of 'sexagesimal' and correct some errors
2018-01-25 17:37:23 -08:00


---
description: Regenerate certificates for Docker Universal Control Plane.
keywords: install, ucp
title: docker/ucp regen-certs
---
Regenerate keys and certificates for a UCP controller
## Usage
```bash
$ docker run --rm -it \
--name ucp \
-v /var/run/docker.sock:/var/run/docker.sock \
docker/ucp \
regen-certs [command options]
```
## Description
This utility generates new private keys and certs for UCP controllers.
By default it leaves the Root CA keys and certs intact and only
regenerates server and client certs on the controller. Use it
to change the list of SANs within the certs after install and to refresh
the expiration of the certificates.

You may regenerate the Root CAs with this tool using `--root-ca-only`,
then follow a multi-step procedure to regenerate all certs in the cluster.

WARNING: REGENERATING THE ROOT CAs IS A DISRUPTIVE OPERATION!

1. Run `regen-certs --root-ca-only` on one controller.
2. If this is an HA cluster, perform a `backup --root-ca-only` on this
   controller, and `restore --root-ca-only` on all other controllers.
3. On all of the controllers, run `regen-certs`. During this step the
   cluster becomes unavailable until 1/2+1 of the controllers are running
   with new certs.
4. Once all controllers have new certs, restart all the Docker daemons on
   the controller nodes.
5. Once the cluster controllers have recovered, run `join --fresh-install`
   on all non-controller nodes to re-join them to the cluster.

After completing the process, all user bundles are invalid and new
bundles must be downloaded.
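
A post-run check for the default mode described above (new SANs, refreshed expiration), as an added example that is not part of the UCP documentation or tooling. The names `fetch_cert` and `review_regen`, the `ca.pem` path, port 443 and the sample certificates are assumptions; the dicts use the shape returned by Python's `SSLSocket.getpeercert()`.

```python
import socket
import ssl
from datetime import datetime, timezone

def fetch_cert(host, port=443, ca_file="ca.pem"):
    """Return the controller certificate as a getpeercert() dict.
    ca_file is the cluster Root CA certificate (path is an assumption)."""
    ctx = ssl.create_default_context(cafile=ca_file)
    # The chain is still verified; name matching is off so that a missing
    # SAN is reported as a finding instead of a handshake failure.
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def san_set(cert):
    """Lower-cased DNS and IP SAN entries of a getpeercert() dict."""
    return {value.lower() for kind, value in cert.get("subjectAltName", ())
            if kind in ("DNS", "IP Address")}

def not_after(cert):
    secs = ssl.cert_time_to_seconds(cert["notAfter"])
    return datetime.fromtimestamp(secs, tz=timezone.utc)

def review_regen(before, after, expected_sans, now, min_days=30):
    """Compare certificates captured before and after regen-certs."""
    findings = []
    if after["serialNumber"] == before["serialNumber"]:
        findings.append("serial unchanged: old certificate still served")
    missing = {s.lower() for s in expected_sans} - san_set(after)
    if missing:
        findings.append("missing SANs: " + ", ".join(sorted(missing)))
    if not_after(after) <= not_after(before):
        findings.append("notAfter was not extended")
    if (not_after(after) - now).days < min_days:
        findings.append(f"expires in under {min_days} days")
    return findings

# Constructed sample certificates (not taken from a real cluster).
BEFORE = {"serialNumber": "1A2B", "notAfter": "Jan 25 17:00:00 2019 GMT",
          "subjectAltName": (("DNS", "foo1.bar.com"),)}
AFTER = {"serialNumber": "3C4D", "notAfter": "Jan 25 17:00:00 2021 GMT",
         "subjectAltName": (("DNS", "foo1.bar.com"), ("DNS", "foo2.bar.com"))}
NOW = datetime(2018, 2, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    wanted = ["foo1.bar.com", "foo2.bar.com"]
    print(review_regen(BEFORE, AFTER, wanted, NOW) or "regen verified")
```

Capture the `before` dict with `fetch_cert` prior to running `regen-certs`, then capture `after` once the controller is back and pass the same hostnames you gave to `--san`.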
## Options
| Option | Description |
|:--------------------------------------|:--------------------------------------------------------------------------------------------|
| `--debug, -D` | Enable debug mode |
| `--jsonlog` | Produce JSON-formatted output for easier parsing |
| `--interactive, -i` | Enable interactive mode. You will be prompted to enter all required information |
| `--root-ca-only` | Regenerate the Root CAs on this node (Do only once in an HA cluster!) |
| `--id` | The ID of the UCP instance to regenerate certificates for |
| `--san` `[--san option --san option]` | Additional Subject Alternative Names for certs. For example, `--san foo1.bar.com --san foo2.bar.com` |
| `--external-server-cert` | Omit regenerating the UCP Controller web server certificate signed with an external CA |