Updated on 2025-07-03 GMT+08:00

How Do I Update the CA/TLS Certificate of an On-Premises Cluster?

Prerequisites

  • All components in the on-premises cluster are running normally.
  • Each node in the on-premises cluster is in the ready state.

Procedure

  1. Download ucs-ctl and save it to the /root/ucs directory on any master node in the on-premises cluster.
  2. Record the passwords of all nodes in a table and save the table as /root/ucs/update_cert.csv on the node where the binary tool is located. For details, see Table 1.

    Table 1 Table template

    Field     | Description
    ----------+-------------------------------------------------------------------------------
    Node IP   | Node IP address, which is mandatory.
    Node Role | Node role, which is mandatory. The options are master and node.
    User      | User name for logging in to a node, which is mandatory.
    Password  | Password for logging in to a node, which is optional.
    Auth Type | Node authentication type, which is optional. The options are password and key.
    Key Path  | Key path for logging in to a node, which is optional.

    Example:

    Node IP,Node Role,User,Password,Auth Type,Key Path
    192.168.0.145,master,root,xxx,password,
    192.168.0.225,master,root,xxx,password,
    192.168.0.68,master,root,xxx,password,
    192.168.0.89,node,root,xxx,password,

  3. Export environment variables.

    export CUSTOM_DOMAIN={ucs_endpoint},10.247.0.1

    • ucs_endpoint indicates the server access address. You can run the following command to obtain it:
      cat /var/paas/srv/kubernetes/kubeconfig | grep server
    • If you need to update the certificate again, first delete the files in the certificate directory by running the following command, and then update the certificate:
      rm -rf /var/paas/ucs/{cluster_name}/cert_update

  4. Update the certificate.

    cd /root/ucs

    ./ucs-ctl kcm update-cert {cluster_name} -c update_cert.csv

  5. Update the certificate again after a failure.

    ./ucs-ctl kcm update-cert {cluster_name} -c update_cert.csv -r

  6. Roll back the certificate update after a failure.

    ./ucs-ctl kcm rollback-cert {cluster_name} -c update_cert.csv
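
A pre-flight check for the update_cert.csv file from step 2, given here as an added example that is not part of ucs-ctl or of the original page. The function name check_cert_csv is hypothetical, and the owner-only permission rule, the IPv4 shape check, and the rule that an Auth Type needs its matching credential field are assumptions of this example; the field rules themselves come from Table 1.

```shell
#!/bin/sh
# Added example, not part of ucs-ctl: pre-flight check of update_cert.csv.
check_cert_csv() {
    csv=$1; rc=0
    [ -f "$csv" ] || { echo "missing file: $csv"; return 2; }
    # Assumption: the file may hold login passwords, so require owner-only access.
    mode=$(stat -c %a "$csv" 2>/dev/null || stat -f %Lp "$csv")
    case $mode in
        600|400) ;;
        *) echo "mode $mode is too open: chmod 600 $csv"; rc=1 ;;
    esac
    # Field rules follow Table 1. Plain comma split: quoted commas are not handled.
    awk -F, '
        function err(msg) { print "line " NR ": " msg; bad = 1 }
        { sub(/\r$/, "") }                      # tolerate CRLF line endings
        NR == 1 {
            if ($0 != "Node IP,Node Role,User,Password,Auth Type,Key Path")
                err("unexpected header")
            next
        }
        /^[ \t]*$/ { next }                     # skip blank lines
        NF != 6 { err("expected 6 fields, got " NF); next }
        # Assumption: IPv4 addresses, as in the example rows on the page.
        $1 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { err("Node IP missing or not IPv4") }
        $2 != "master" && $2 != "node" { err("Node Role must be master or node") }
        $3 == "" { err("User is mandatory") }
        $5 != "" && $5 != "password" && $5 != "key" { err("Auth Type must be password or key") }
        # Assumption: the chosen Auth Type needs its matching credential field.
        $5 == "password" && $4 == "" { err("Auth Type password but Password empty") }
        $5 == "key" && $6 == "" { err("Auth Type key but Key Path empty") }
        END { exit bad + 0 }
    ' "$csv" || rc=1
    return $rc
}

# Constructed sample; xxx is a placeholder. Line 3 has a bad role and no key path.
demo=$(mktemp) && chmod 600 "$demo"
printf '%s\n' 'Node IP,Node Role,User,Password,Auth Type,Key Path' \
    '192.168.0.145,master,root,xxx,password,' \
    '192.168.0.89,worker,root,,key,' > "$demo"
check_cert_csv "$demo" || echo "fix the issues above before running ucs-ctl"
rm -f "$demo"
```

Call check_cert_csv /root/ucs/update_cert.csv before step 4; a non-zero return means the file should be corrected first.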