
Update Custom TLS Certificates in Embedded Cluster Installations

This topic describes how to update custom TLS certificates in Replicated Embedded Cluster installations.

Update Custom TLS Certificates

Users can use the CLI or the Admin Console to update the TLS certificates used to secure the Admin Console in Embedded Cluster installations. This is useful when certificates expire or need to be rotated regularly.

Update Using the CLI

note

The admin-console update-tls command is available in Embedded Cluster v2.14.0 and later.

The admin-console update-tls command updates the Admin Console certificate directly from the node, without the temporary anonymous-upload window that the Admin Console method below requires.

To update TLS certificates using the CLI:

  1. SSH onto a controller node where Embedded Cluster is installed. Ensure the new TLS certificate and key files that you want to use are present on the node.

  2. Run the following command to update the TLS certificate and key:

    sudo ./APP_SLUG admin-console update-tls --tls-cert PATH_TO_CERT --tls-key PATH_TO_KEY

    Replace:

    • APP_SLUG with the unique slug of the installed application.
    • PATH_TO_CERT with the path to the TLS certificate file.
    • PATH_TO_KEY with the path to the TLS key file.
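Before running update-tls, it is worth confirming on the node that the certificate and key actually belong together, that the certificate is not about to expire, and that the key file is not world-readable, so that a bad pair is rejected before it is installed rather than discovered afterwards. The following POSIX shell check is an added example and not part of the Embedded Cluster CLI; it assumes the openssl command is available on the controller node, that the certificate and key are unencrypted PEM files, and the function name check_tls_pair and file names are placeholders of this example.

```shell
#!/bin/sh
# Pre-flight check for a certificate/key pair before handing it to
# "./APP_SLUG admin-console update-tls". Added example, not Replicated's code.
# Assumes the openssl CLI is installed and the key is an unencrypted PEM file
# (an encrypted key would prompt for a passphrase at the pkey step).
#
# Usage: check_tls_pair CERT.pem KEY.pem   -> returns 0 if the pair is usable

check_tls_pair() {
  cert="$1"
  key="$2"

  # 1. Both files must exist and parse as PEM.
  openssl x509 -in "$cert" -noout >/dev/null 2>&1 || {
    echo "cert: $cert is not a readable X.509 certificate" >&2; return 1; }
  openssl pkey -in "$key" -noout >/dev/null 2>&1 || {
    echo "key: $key is not a readable private key" >&2; return 1; }

  # 2. The certificate must have been issued for this private key: compare the
  #    SubjectPublicKeyInfo embedded in the cert with the one derived from the key.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout)
  [ "$cert_pub" = "$key_pub" ] || {
    echo "mismatch: $cert was not issued for the key in $key" >&2; return 1; }

  # 3. Refuse a certificate that is expired or expires within 24 hours;
  #    installing one would only replace one outage with another.
  openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null || {
    echo "expiry: $cert is expired or expires within 24h" >&2; return 1; }

  # 4. Warn (but do not fail) if other users on the node can read the key.
  if [ -n "$(find "$key" -perm -004 2>/dev/null)" ]; then
    echo "warning: $key is world-readable; consider chmod 600" >&2
  fi

  echo "ok: $cert and $key form a usable pair; $(openssl x509 -in "$cert" -noout -subject)"
  return 0
}

# Typical use on the controller node: run the check, and only then update.
# check_tls_pair server.crt server.key \
#   && sudo ./APP_SLUG admin-console update-tls --tls-cert server.crt --tls-key server.key
```

The public-key comparison is the part that matters most: a certificate and key that were both valid but issued for different keys pass every individual file check, and only the pair comparison catches them.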

Update Using the Admin Console

You can also update TLS certificates through the Admin Console. This method requires temporarily enabling anonymous uploads.

important

Adding the acceptAnonymousUploads annotation temporarily lets anyone who can reach the Admin Console port upload a TLS certificate and key without authenticating, so an attacker could install a certificate they control. After a certificate has been uploaded, the upload endpoint is closed again.

Replicated recommends using the CLI method above when possible. If you use this method, complete the upload process quickly to minimize the vulnerability risk.

To upload a new custom TLS certificate through the Admin Console:

  1. SSH onto a controller node where Embedded Cluster is installed. Then, run the following command to start a shell so that you can access the cluster with kubectl:

    sudo ./APP_SLUG shell

    Where APP_SLUG is the unique slug of the installed application.

  2. In the shell, run the following command to temporarily allow anonymous uploads of a new TLS certificate by adding the acceptAnonymousUploads annotation to the kotsadm-tls secret:

    kubectl -n kotsadm annotate secret kotsadm-tls acceptAnonymousUploads=1 --overwrite

  3. Run the following command to get the namespace and name of the kurl-proxy pod. Because of -A, the first column is the namespace, which you need to delete the pod in the next step:

    kubectl get pods -A | grep kurl-proxy | awk '{print $1, $2}'

    note

    This pod is named kurl-proxy, but it is used in both Embedded Cluster and kURL installations.

  4. Run the following command to delete the kurl-proxy pod. The pod is recreated automatically after the command runs.

    kubectl -n NAMESPACE delete pod PROXY_SERVER

    Replace NAMESPACE and PROXY_SERVER with the namespace and name of the kurl-proxy pod that you got in the previous step.

  5. After the new pod is Running, go to http://NODE_IP:30000/tls in your browser, where NODE_IP is the IP address of a node in the cluster, and complete the process in the Admin Console to upload the new certificate and key.
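The steps above can be driven from the same ./APP_SLUG shell session, and two things are worth checking once the upload is done: that the anonymous-upload window really is closed, and that the certificate now served on port 30000 is the one you uploaded. The following POSIX shell helpers are an added example, not Replicated's code. They assume kubectl from the shell session and the openssl CLI, that the kotsadm-tls secret lives in the kotsadm namespace (as in step 2), that the kurl-proxy pod serves port 30000, and that a completed upload clears the acceptAnonymousUploads annotation; the function names, KOTS_NS, and the sample pod listings are placeholders of this example.

```shell
#!/bin/sh
# Added example (not Replicated's code): drive the Admin Console TLS upload
# flow from a "./APP_SLUG shell" session and verify the result afterwards.
# Assumes kubectl and openssl are available, the kotsadm-tls secret is in the
# kotsadm namespace, and the kurl-proxy pod serves the Admin Console port.

KOTS_NS=kotsadm
ADMIN_PORT=30000

# Parse "kubectl get pods -A --no-headers" from stdin and print "<namespace> <pod>"
# for the kurl-proxy pod. With -A the first column is the namespace, which the
# delete step needs; the page's awk '{print $2}' drops it.
parse_kurl_proxy() {
  awk '$2 ~ /kurl-proxy/ { print $1, $2; exit }'
}

# Parse "kubectl -n NS get pods --no-headers" from stdin; succeed only when a
# kurl-proxy pod is fully ready (READY n/n and STATUS Running).
proxy_ready() {
  awk '$1 ~ /kurl-proxy/ { split($2, r, "/"); if (r[1] == r[2] && $3 == "Running") ok = 1 }
       END { exit ok ? 0 : 1 }'
}

# Steps 2-4: annotate the secret, restart the proxy, wait for it to come back.
open_tls_upload() {
  set -- $(kubectl get pods -A --no-headers | parse_kurl_proxy)
  [ $# -eq 2 ] || { echo "no kurl-proxy pod found" >&2; return 1; }
  ns=$1; pod=$2
  kubectl -n "$KOTS_NS" annotate secret kotsadm-tls acceptAnonymousUploads=1 --overwrite
  kubectl -n "$ns" delete pod "$pod"
  i=0
  until kubectl -n "$ns" get pods --no-headers | proxy_ready; do
    i=$((i + 1))
    [ "$i" -lt 60 ] || { echo "kurl-proxy did not become ready" >&2; return 1; }
    sleep 2
  done
  echo "upload window open: go to http://NODE_IP:$ADMIN_PORT/tls now"
}

# If you abandon the upload, nothing closes the window for you; remove the
# annotation explicitly (a trailing "-" deletes an annotation). Assumption of
# this example: removing the annotation closes the endpoint that adding it opened.
close_tls_upload() {
  kubectl -n "$KOTS_NS" annotate secret kotsadm-tls acceptAnonymousUploads-
}

# After a successful upload the annotation should be gone (assumed behaviour).
upload_window_closed() {
  a=$(kubectl -n "$KOTS_NS" get secret kotsadm-tls \
        -o jsonpath='{.metadata.annotations.acceptAnonymousUploads}')
  [ -z "$a" ]
}

# ...and the certificate served on the Admin Console port must be the one uploaded.
cert_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }
served_fingerprint() {
  openssl s_client -connect "$1:$ADMIN_PORT" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256
}
verify_served_cert() {   # verify_served_cert NODE_IP CERT.pem
  want=$(cert_fingerprint "$2")
  got=$(served_fingerprint "$1")
  [ "$want" = "$got" ] || { echo "served $got, expected $want" >&2; return 1; }
  echo "node $1 is serving $want"
}
```

Source the file inside the shell session, run open_tls_upload, finish the upload in the browser, then run upload_window_closed and verify_served_cert NODE_IP server.crt; if you back out before uploading, run close_tls_upload so the annotation does not linger.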