Revert UCP certificates to self-signed certificates generated by UCP

For an existing UCP instance, it is possible to reconfigure UCP to use the self-signed certificates that UCP generates.

This can be helpful in cases such as the following:

  • You used third-party certificates and want to revert to the built-in UCP self-signed certificates.
  • You cannot access the UCP UI because of expired certificates.

Resolution

Note: UCP client bundles will need to be re-issued after performing this procedure.

To revert to self-signed certificates for UCP, ssh into each UCP manager node and perform the following:

  1. Remove the contents of the ucp-controller-server-certs volume on all managers:
    # Run the glob as root: the volume directory is not readable by unprivileged users.
    sudo sh -c 'rm "$(docker inspect ucp-controller-server-certs --format "{{.Mountpoint}}")"/*'
  2. Remove the ucp-proxy container on one manager:
    docker rm -f ucp-proxy

    Reconciliation will begin and regenerate self-signed certificates. Run the following command to watch this process on the same manager:

    docker logs -f $(docker ps -qf name=ucp-agent)

  3. Reconfigure DTR to trust the new UCP certificates (be sure to change the DTR image version and UCP URL to match your environment):
    docker run --rm -it docker/dtr:2.3.0 reconfigure --ucp-insecure-tls --ucp-url https://ucp.example.com --ucp-username admin

To revert to self-signed certificates for DTR, refer to Revert DTR certificates to self-signed certificates generated by DTR.
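
Because `--ucp-insecure-tls` makes the DTR reconfigure step skip verification of the UCP certificate, it is worth checking the regenerated certificate yourself once reconciliation finishes. The following is an added example, not part of the original article or Docker's tooling: it checks expiry, issuer and fingerprint with the openssl CLI. The host name and the certificate file paths are assumptions that you supply as arguments.

```shell
# Added example, not Docker tooling. Requires the openssl CLI; the host name and
# the certificate file paths are arguments you supply (assumptions here).

# Print the PEM leaf certificate that a TLS endpoint presents.
fetch_cert() {        # usage: fetch_cert ucp.example.com [port] > served.pem
  openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -outform PEM
}

# Succeed only if the certificate is still valid N days from now (default 0).
cert_valid_for() {    # usage: cert_valid_for cert.pem [days]
  openssl x509 -in "$1" -noout -checkend "$(( ${2:-0} * 86400 ))" >/dev/null
}

# Succeed only if the certificate chains to the given CA file.
cert_signed_by() {    # usage: cert_signed_by ca.pem cert.pem
  openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

# SHA-256 fingerprint of a certificate file (empty if the file is unreadable).
cert_fingerprint() {  # usage: cert_fingerprint cert.pem
  openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Succeed only if both files hold the same, readable certificate.
same_cert() {         # usage: same_cert a.pem b.pem
  fp_a=$(cert_fingerprint "$1"); fp_b=$(cert_fingerprint "$2")
  [ -n "$fp_a" ] && [ "$fp_a" = "$fp_b" ]
}

# Run every check; the return code identifies the first failure.
check_regenerated() { # usage: check_regenerated ca.pem ondisk.pem served.pem [days]
  cert_valid_for "$2" "${4:-30}" || { echo "FAIL: expires within ${4:-30} days"; return 1; }
  cert_signed_by "$1" "$2"       || { echo "FAIL: not issued by the given CA"; return 2; }
  same_cert "$2" "$3"            || { echo "FAIL: served certificate differs from disk"; return 3; }
  echo "OK: $(cert_fingerprint "$2")"
}
```

Save the output of `fetch_cert` to a file and pass it as the third argument to `check_regenerated`, so the fingerprint of what the endpoint serves is compared with the certificate on the manager.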