
Revert UCP certificates to self-signed certificates generated by UCP

Article ID: KB000429

For an existing UCP instance, it is possible to reconfigure UCP to use self-signed certificates generated by UCP.

This can be helpful in situations such as the following:

  • You used third-party certificates and want to revert to the built-in UCP self-signed certificates.
  • You cannot access the UCP UI because the certificates have expired.

Resolution

Note: UCP client bundles will need to be re-issued after performing this procedure.

To revert to self-signed certificates for UCP, ssh into each UCP manager node and perform the following:

  1. Remove the contents of the ucp-controller-server-certs volume on all managers:

    sudo sh -c 'rm "$(docker volume inspect ucp-controller-server-certs --format "{{.Mountpoint}}")"/*'
    
  2. Remove the ucp-proxy container on one manager:

    docker rm -f ucp-proxy
    

    Reconciliation will begin and regenerate self-signed certificates. Run the following command to watch this process on the same manager:

    docker logs -f $(docker ps -qf name=ucp-agent)
    
  3. Reconfigure DTR to trust the new UCP certificates (be sure to change the DTR image version and UCP URL to match your environment):

    docker run --rm -it docker/dtr:2.3.0 reconfigure --ucp-insecure-tls --ucp-url https://ucp.example.com --ucp-username admin
    

To revert to self-signed certificates for DTR, refer to Revert DTR certificates to self-signed certificates generated by DTR.
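
To confirm that the UCP procedure above took effect, the following script (an added example, not part of the original article) compares the certificate a manager served before step 1 with the one it serves after reconciliation, and checks that the new one is not close to expiry. It assumes `openssl` is installed and that `before.pem` was saved with `fetch_cert` before step 1; the function names, file names and the 30-day threshold are illustrative.

```shell
#!/usr/bin/env bash
# Added example: inspect the certificate a UCP manager serves before and after
# the revert. Host and file names are placeholders, not values from the article.

# Write the leaf certificate presented on HOST[:PORT] to stdout as PEM.
# s_client does not abort on verification errors, so this also works when the
# certificate is expired or issued by a CA this machine does not trust.
fetch_cert() {
  openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -outform PEM
}

# SHA-256 fingerprint of the certificate in PEM file $1.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeeds if the certificate in PEM file $1 is still valid $2 seconds from now.
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Compare the certificate saved before step 1 ($1) with the one served now ($2).
# Prints "unchanged" and fails if they match; otherwise prints "replaced",
# shows the new subject/issuer/expiry on stderr, and fails if the new
# certificate expires within 30 days.
check_revert() {
  if [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]; then
    echo unchanged
    return 1
  fi
  echo replaced
  openssl x509 -in "$2" -noout -subject -issuer -enddate >&2
  cert_valid_for "$2" $((30 * 24 * 3600))
}

# Usage: ./check-ucp-cert.sh ucp.example.com before.pem
if [ "$#" -eq 2 ]; then
  after=$(mktemp)
  fetch_cert "$1" >"$after" && check_revert "$2" "$after"
fi
```

Run it against each manager in turn, since every manager's ucp-controller-server-certs volume is cleared in step 1.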