IBM Cloud Docs
Why can't I create or renew my CA cert?

Virtual Private Cloud | Classic infrastructure

When you run the ibmcloud ks cluster ca create command, you see an error message similar to the following example.

ibmcloud ks cluster ca create -c CLUSTER
FAILED
You must reload/update/replace all workers and download new certificates locally in order to revoke old CA Cert. (E1955)

This error can occur when you try to start a new CA certificate rotation before a prior one is complete. After a rotation is started, all of its steps must be completed before another rotation can be initiated.

To complete the rotation process, you must reload or replace your worker nodes.

  1. Reload or replace your worker nodes by following the steps for your cluster type.

  2. Update any tooling or webhooks that rely on the previous certificates. For example, you might need to update one or more of the following.

    • If you use the certificate from your cluster's kubeconfig file in your own service, such as Jenkins, update that service to use the new certificate.
    • If you use calicoctl to manage Calico network policies, update your services and automation to use the new certificates.
    • If you forward audit logs to IBM Cloud Logs, update the certificates for your master audit webhook.
    • If you forward audit logs over the private network, update the certificates for your master audit webhook.
  3. Run the ca rotate command to complete the certificate rotation.

    ibmcloud ks cluster ca rotate -c CLUSTER
    
  4. If the issue persists, contact support. Open a support case. In the case details, be sure to include any relevant log files, error messages, or command outputs.
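
To check step 2 before you run the ca rotate command, you can compare the CA that a tool's saved kubeconfig carries with the CA in a freshly downloaded kubeconfig. The following script is an added example, not part of the original page or IBM's tooling; the function names, file names, and sample certificate text are assumptions, and it assumes the freshly downloaded kubeconfig carries the new CA.

```shell
#!/bin/sh
# Added example. Compares the cluster CA in a tool's saved kubeconfig with the
# CA in a freshly downloaded kubeconfig. All file names here are assumptions.

# ca_sha256 KUBECONFIG: print the SHA-256 of the first cluster CA in the file,
# whether embedded (certificate-authority-data) or referenced by file path.
ca_sha256() {
  ca_data=$(awk '$1 == "certificate-authority-data:" { gsub(/"/, "", $2); print $2; exit }' "$1")
  if [ -n "$ca_data" ]; then
    printf '%s' "$ca_data" | base64 -d | sha256sum | cut -d' ' -f1
    return 0
  fi
  ca_file=$(awk '$1 == "certificate-authority:" { gsub(/"/, "", $2); print $2; exit }' "$1")
  [ -n "$ca_file" ] || { echo "no cluster CA found in $1" >&2; return 2; }
  case $ca_file in /*) ;; *) ca_file=$(dirname "$1")/$ca_file ;; esac
  sha256sum < "$ca_file" | cut -d' ' -f1
}

# ca_is_current TOOL_KUBECONFIG FRESH_KUBECONFIG: return 0 when both carry the
# same CA, 1 when the tool's copy is stale, 2 when a CA cannot be read.
ca_is_current() {
  tool_fp=$(ca_sha256 "$1") || return 2
  fresh_fp=$(ca_sha256 "$2") || return 2
  [ "$tool_fp" = "$fresh_fp" ]
}

# Constructed sample input: placeholder PEM text, not real certificates.
demo() {
  d=$(mktemp -d)
  printf 'constructed-old-ca\n' > "$d/old-ca.pem"
  printf 'constructed-new-ca\n' > "$d/new-ca.pem"
  # A tool (for example, a CI job) that still references the previous CA by path.
  printf 'clusters:\n- cluster:\n    certificate-authority: old-ca.pem\n' > "$d/tool.yml"
  # The freshly downloaded kubeconfig, with the new CA embedded as base64.
  printf 'clusters:\n- cluster:\n    certificate-authority-data: %s\n' \
    "$(base64 < "$d/new-ca.pem" | tr -d '\n')" > "$d/fresh.yml"
  rc=0; ca_is_current "$d/tool.yml" "$d/fresh.yml" || rc=$?
  case $rc in
    0) echo "tool.yml: CA is current" ;;
    1) echo "tool.yml: stale CA, update this tool before you run ca rotate" ;;
    *) echo "tool.yml: could not read a CA to compare" ;;
  esac
  rm -rf "$d"
}
demo
```

Run the comparison against every saved copy of the kubeconfig that your services and automation use, not only the copy on your workstation.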