Rotating mbus SSL¶
Bootstrap SSL certificate needs to be removed from the
creds.yml and re-created later with
Since the signing CA is the Director's default CA and remains unchanged, no updates are required on the CLI side.
- Director is in a healthy state and there are no new deployments in progress.
- These instructions must be adapted if used with ops files overwriting the variables used in this procedure (i.e. bosh-lite).
Step 1: Remove mbus SSL from
bosh interpolate ./creds.yml \ -o remove-mbus-ssl.yml > creds_new.yml mv creds_new.yml creds.yml
--- - type: remove path: /mbus_bootstrap_ssl?
- This will remove the
creds.yml, causing the next
create-envto create a new one.
Step 2: Redeploy the Director with a new mbus SSL certificate¶
bosh create-env ~/workspace/bosh-deployment/bosh.yml \ --state ./state.json \ -o ~/workspace/bosh-deployment/[IAAS]/cpi.yml \ -o ... additional ops files \ --vars-store ./creds.yml \ -v ... additional vars
- This adds a new mbus SSL certificate to