Update vCenter CA certificate references

This page describes how to update the reference to the vCenter CA certificate if it has changed, as your running admin cluster and user clusters must be informed of the change. This affects the vCenter.caCertPath field in the admin cluster configuration file and the user cluster configuration files for Google Distributed Cloud.

You can update the certificate references with the gkectl update command as described here.

Update the referenced vCenter CA certificate in the cluster configuration files

To update the running admin and user clusters to use the new certificate:

  1. Retrieve the new vCenter CA certificate and extract it:

    curl -o certs.zip https://VCENTER_IP_ADDRESS_OR_FQDN/certs/download.zip
    unzip certs.zip
    

    If the download fails because your workstation does not yet trust the certificate that vCenter presents, you can add the -k flag, which makes curl skip TLS certificate verification for this download. Step 2 then checks which of the extracted files is the genuine vCenter CA certificate before you rely on it.

  2. Determine which of the vCenter certificates is valid. Only one of the Linux certificate files in the extracted ..../certs/lin folder is the valid vCenter certificate. To determine which file is the valid vCenter certificate, do the following:

    1. Set the following environment variables on the admin workstation, where govc is already installed. If it is not installed yet, download and install the govc tool first:

      export GOVC_URL=https://VCENTER_IP_ADDRESS_OR_FQDN
      export GOVC_USERNAME=VCENTER_USERNAME
      export GOVC_PASSWORD=VCENTER_PASSWORD
      export GOVC_TLS_CA_CERTS=FULL_PATH_OF_EXTRACTED_LIN_FILE
      export GOVC_INSECURE=false
      

      Replace the following:

      • VCENTER_IP_ADDRESS_OR_FQDN: the IP address or FQDN of the vCenter Server.

      • VCENTER_USERNAME: the username of the vCenter Server.

      • VCENTER_PASSWORD: the password for the specified username.

      • FULL_PATH_OF_EXTRACTED_LIN_FILE: the full path to the Linux certificate file for which you are conducting a validity test.

    2. To verify that the vCenter certificate is valid, run the govc about command:

      govc about
      

      If the vCenter certificate is valid, the govc about command prints details about the vCenter Server similar to the following:

      FullName: VMware Center Server 7.0.3 build-24322018
      Name: VMware Center Server
      Vendor: VMware, Inc.
      Version: 7.0.3
      Build: 24322018
      OS type: linux-x64
      API type: VirtualCenter
      API version: 7.0.3.0
      Product ID: vpx
      UUID: 475fa366-faa9-43f0-9417-e6dadc55514c
      

      If the certificate is invalid, the govc about command prints an x509 error. In that case, update the FULL_PATH_OF_EXTRACTED_LIN_FILE environment variable to point at a different Linux certificate file in the extracted ..../certs/lin folder, and then run the govc about command again. Repeat steps 1 and 2 until you locate the valid certificate, or until you have tested each of the Linux certificate files in the extracted ..../certs/lin folder.

  3. To back up the old vCenter CA certificate file (the file at the path specified in the vCenter.caCertPath field of your admin cluster configuration file), rename it to vcenter-ca-cert.pem.old.

  4. Rename the new valid certificate file in the ..../certs/lin folder to vcenter-ca-cert.pem and then move it to the path specified in the vCenter.caCertPath field of your admin cluster configuration file.

  5. Update your admin cluster:

    gkectl update admin --config ADMIN_CLUSTER_CONFIG --kubeconfig ADMIN_CLUSTER_KUBECONFIG
    

    Replace the following:

    • ADMIN_CLUSTER_CONFIG: the path of your admin cluster configuration file.

    • ADMIN_CLUSTER_KUBECONFIG: the path of your admin cluster kubeconfig file.

    After the update command completes, the admin cluster will use the new certificate.

  6. Verify that the admin cluster is healthy:

    gkectl diagnose cluster --kubeconfig ADMIN_CLUSTER_KUBECONFIG
    

    For more information, see Diagnose an admin cluster.

  7. In each of your user cluster configuration files, set vCenter.caCertPath to the path of your new vcenter-ca-cert.pem file.

  8. For each of your user clusters, run the gkectl update command:

    gkectl update cluster --config USER_CLUSTER_CONFIG --kubeconfig ADMIN_CLUSTER_KUBECONFIG

    Replace the following:

    • USER_CLUSTER_CONFIG: the path of your user cluster configuration file.

    • ADMIN_CLUSTER_KUBECONFIG: the path of your admin cluster kubeconfig file.

    After the update command completes for a particular user cluster, the cluster will use the new certificate.

  9. Verify that the user cluster is healthy:

    gkectl diagnose cluster --kubeconfig ADMIN_CLUSTER_KUBECONFIG \
      --cluster-name USER_CLUSTER_NAME
    

    For more information, see Diagnose a user cluster.
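The following script is an added example; it is not part of the Google Distributed Cloud documentation, govc, or gkectl. It automates the loop in step 2 (try each file in the extracted certs/lin folder with govc until TLS verification succeeds under GOVC_INSECURE=false), the backup-and-install in steps 3 and 4, and adds a pre-flight check for steps 7 and 8 that confirms every user cluster configuration file's vCenter.caCertPath points at a readable file identical to the one the admin cluster now uses before any update runs. It assumes govc is installed and that GOVC_URL, GOVC_USERNAME and GOVC_PASSWORD are exported as in step 2. The optional CHECK_CMD argument and the GKECTL variable are hooks of this script only, not options of govc or gkectl.

```shell
#!/bin/sh
# Added example, not part of the Google Distributed Cloud documentation: helper
# functions for steps 2 to 4 (pick the valid CA file and install it) and steps
# 7 to 8 (check every user cluster config before running gkectl update).
# Assumes govc is installed and GOVC_URL, GOVC_USERNAME and GOVC_PASSWORD are
# already exported, as in step 2. The CHECK_CMD and GKECTL hooks are hypothetical
# conveniences of this script so it can be exercised without a vCenter.

# find_valid_ca_cert LIN_DIR [CHECK_CMD]
# Prints the first PEM file in LIN_DIR with which CHECK_CMD (default: govc about)
# succeeds under GOVC_INSECURE=false, i.e. the file that verifies vCenter's
# TLS chain. Returns 1 if none does.
find_valid_ca_cert() {
    lin_dir=$1
    check_cmd=${2:-govc about}
    for candidate in "$lin_dir"/*; do
        [ -f "$candidate" ] || continue
        # Skip CRLs (.r0) and stray files: only PEM certificates are candidates.
        grep -q -- '-----BEGIN CERTIFICATE-----' "$candidate" || continue
        if (export GOVC_TLS_CA_CERTS="$candidate" GOVC_INSECURE=false; $check_cmd) >/dev/null 2>&1; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    echo "no file in $lin_dir verified the vCenter certificate" >&2
    return 1
}

# install_ca_cert NEW_CERT DEST
# DEST is the path in vCenter.caCertPath of the admin cluster config. The old
# file becomes DEST.old (vcenter-ca-cert.pem -> vcenter-ca-cert.pem.old); an
# existing backup is never overwritten so a rollback target is never lost.
install_ca_cert() {
    new_cert=$1
    dest=$2
    if [ -f "$dest" ] && cmp -s "$new_cert" "$dest"; then
        echo "$dest already holds the new certificate" >&2
        return 0
    fi
    if [ -f "$dest" ]; then
        if [ -e "$dest.old" ]; then
            echo "refusing to overwrite backup $dest.old" >&2
            return 1
        fi
        mv "$dest" "$dest.old"
    fi
    cp "$new_cert" "$dest"
}

# ca_cert_path CONFIG_FILE
# Prints the caCertPath value from a cluster configuration file (first match,
# surrounding quotes removed). Assumes the key sits on its own line, as generated.
ca_cert_path() {
    sed -n 's/^[[:space:]]*caCertPath:[[:space:]]*//p' "$1" \
        | head -n 1 | tr -d "\"'" | sed 's/[[:space:]]*$//'
}

# check_user_cluster_configs ADMIN_CA_CERT CONFIG...
# Step 7 pre-flight: every config must point at a readable file identical to
# the certificate the admin cluster now uses. Lists problems on stderr.
check_user_cluster_configs() {
    admin_ca=$1; shift
    rc=0
    for cfg in "$@"; do
        path=$(ca_cert_path "$cfg")
        if [ -z "$path" ]; then
            echo "$cfg: vCenter.caCertPath is not set" >&2; rc=1
        elif [ ! -r "$path" ]; then
            echo "$cfg: $path is not readable" >&2; rc=1
        elif ! cmp -s "$path" "$admin_ca"; then
            echo "$cfg: $path differs from $admin_ca" >&2; rc=1
        fi
    done
    return "$rc"
}

# update_user_clusters ADMIN_KUBECONFIG CONFIG...
# Step 8 for each config, stopping at the first failure so a half-updated
# set of clusters is noticed straight away.
update_user_clusters() {
    kubeconfig=$1; shift
    for cfg in "$@"; do
        ${GKECTL:-gkectl} update cluster --config "$cfg" --kubeconfig "$kubeconfig" || return 1
    done
}

# Typical use on the admin workstation after unzipping certs.zip:
#   cert=$(find_valid_ca_cert certs/lin) || exit 1
#   install_ca_cert "$cert" /path/from/vCenter.caCertPath/vcenter-ca-cert.pem
#   check_user_cluster_configs /path/from/vCenter.caCertPath/vcenter-ca-cert.pem user-*.yaml || exit 1
#   update_user_clusters ADMIN_CLUSTER_KUBECONFIG user-*.yaml
```

The comparison with cmp is deliberately exact: a user cluster configuration whose caCertPath still points at a stale copy, or at the vcenter-ca-cert.pem.old backup, fails the pre-flight check on the workstation instead of surfacing as a TLS error part-way through the update of that cluster.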