Author: Kellen F.
Date: 12/22/2023
Audience: Everyone
Environmental details: Self-hosted KOTS
Summary
To set the KOTS Admin Console's TLS certificate (if it has expired or you no longer want to use the provided self-signed certificate), you must first complete a setup step so that you can navigate back to the http://<jamaconnecthostname>:8800/tls site and re-apply a certificate.
Solution
1. On the application server CLI, run the following command to allow the upload of a new TLS certificate:
kubectl -n default annotate secret kotsadm-tls acceptAnonymousUploads=1 --overwrite
2. Next, use this command to retrieve the name of the kurl-proxy pod we will delete in the next step:
kubectl get pods -A | grep kurl-proxy | awk '{print $2}'
3. Now that we have the pod's name, delete the proxy server pod, replacing KURL_PROXY_POD with the name retrieved in step 2:
kubectl delete pods KURL_PROXY_POD
4. This pod will automatically restart. Once it is up, you can navigate to http://<jamaconnecthostname>:8800/tls and upload a new certificate.
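Steps 1 to 4 as a single script, added here as an example and not part of the original article or of the KOTS/kURL tooling. It goes slightly beyond the steps above: it refuses to delete anything unless exactly one kurl-proxy pod is found, deletes the pod in the namespace reported by kubectl, and waits for the replacement pod. The function names, the --run/--status/--demo switches and the sample pod listing are assumptions made for this example.

```shell
#!/bin/sh
# Added example: wraps the article's steps 1-3 and the wait in step 4.

# Reads `kubectl get pods -A` output on stdin and prints "NAMESPACE POD STATUS"
# for the kurl-proxy pod. Fails unless exactly one pod matches.
find_proxy_pod() {
  awk '$2 ~ /kurl-proxy/ { ns = $1; pod = $2; st = $4; n++ }
       END {
         if (n != 1) { print "expected 1 kurl-proxy pod, found " (n + 0) > "/dev/stderr"; exit 1 }
         print ns, pod, st
       }'
}

reopen_tls_upload() {
  # Step 1: let the /tls page accept a new certificate.
  kubectl -n default annotate secret kotsadm-tls acceptAnonymousUploads=1 --overwrite || return 1
  # Step 2: resolve the pod and its namespace (the article prints only the name).
  target=$(kubectl get pods -A | find_proxy_pod) || return 1
  set -- $target; old_ns=$1; old_pod=$2
  # Step 3: delete it so it is recreated.
  kubectl -n "$old_ns" delete pod "$old_pod" || return 1
  # Step 4: poll (60 x 2s) until a different kurl-proxy pod reports Running.
  tries=0
  while [ "$tries" -lt 60 ]; do
    if target=$(kubectl get pods -A | find_proxy_pod 2>/dev/null); then
      set -- $target
      if [ "$2" != "$old_pod" ] && [ "$3" = "Running" ]; then
        echo "kurl-proxy restarted as $2; now open port 8800 /tls to upload"
        return 0
      fi
    fi
    tries=$((tries + 1)); sleep 2
  done
  echo "kurl-proxy did not return to Running within 120s" >&2
  return 1
}

# Constructed sample of `kubectl get pods -A` output, used only by --demo.
SAMPLE='NAMESPACE NAME READY STATUS RESTARTS AGE
default kurl-proxy-kotsadm-6b7f9d-x2k4q 1/1 Running 0 3d'

case "${1:-}" in
  --run)    reopen_tls_upload ;;
  --status) kubectl -n default get secret kotsadm-tls \
              -o jsonpath='{.metadata.annotations.acceptAnonymousUploads}'; echo ;;
  --demo)   printf '%s\n' "$SAMPLE" | find_proxy_pod ;;
esac
```

Run it with --run on the application server; --status prints the current value of the acceptAnonymousUploads annotation, which is worth reading back once the new certificate has been uploaded.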
Cause
If you have previously uploaded a certificate or used a self-signed certificate, the KOTS admin page will only allow you to upload a new certificate if you follow these steps.
Comments
Just a quick update - this is also the preferred method of updating your TLS certificate. If you're having trouble uploading a PEM certificate, try this method with your certificate in .key and .crt format. You should be able to get a copy from your Certificate Authority.