This procedure involves downtime. Plan the outage in advance before proceeding.
If you already have nodes running with 365-day certificates and want to update them to the extended lifetime:
- Add CATTLE_NEW_SIGNED_CERT_EXPIRATION_DAYS=3650 to /etc/default/rke2-server:

    echo "CATTLE_NEW_SIGNED_CERT_EXPIRATION_DAYS=3650" >> /etc/default/rke2-server

- Stop the service:

    systemctl stop rke2-server

- Rotate certificates manually:

    rke2 certificate rotate

- Start the service:

    systemctl start rke2-server

- Validate that the regenerated certificates have an extended expiry:

    rke2 certificate check --output table
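
The `echo ... >>` step appends a new line on every run, so repeating it, or running it on a node that already carries a different value, leaves several assignments of the same variable in /etc/default/rke2-server. The following is an added example, not part of the original procedure: a helper that sets the variable exactly once. The function names `set_env_var`, `count_env_var` and `get_env_var` are hypothetical, and the demo runs against a constructed temporary file rather than the real one.

```shell
#!/bin/sh
# Added example (not from the original procedure): set KEY=VALUE in an
# environment file exactly once, so re-running the step is safe.

# set_env_var FILE KEY VALUE
# Drops any existing assignment of KEY, then appends the new one.
set_env_var() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp) || return 1
    if [ -f "$file" ]; then
        # Keep every line that does not start with "KEY=".
        awk -v p="${key}=" 'index($0, p) != 1' "$file" > "$tmp" \
            || { rm -f "$tmp"; return 1; }
    fi
    printf '%s=%s\n' "$key" "$value" >> "$tmp"
    # Write through the existing file so its owner and mode are preserved.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# count_env_var FILE KEY -> number of lines assigning KEY
count_env_var() {
    awk -v p="${2}=" 'index($0, p) == 1 { n++ } END { print n + 0 }' "$1"
}

# get_env_var FILE KEY -> value of the last assignment of KEY
get_env_var() {
    awk -v p="${2}=" \
        'index($0, p) == 1 { v = substr($0, length(p) + 1) } END { print v }' "$1"
}

# Demo on a constructed file standing in for /etc/default/rke2-server.
demo_file=$(mktemp)
printf 'HTTP_PROXY=http://proxy.example:3128\n' > "$demo_file"
printf 'CATTLE_NEW_SIGNED_CERT_EXPIRATION_DAYS=365\n' >> "$demo_file"
set_env_var "$demo_file" CATTLE_NEW_SIGNED_CERT_EXPIRATION_DAYS 3650
# A second run leaves the file unchanged.
set_env_var "$demo_file" CATTLE_NEW_SIGNED_CERT_EXPIRATION_DAYS 3650
cat "$demo_file"
rm -f "$demo_file"
```

On a node, the call would be `set_env_var /etc/default/rke2-server CATTLE_NEW_SIGNED_CERT_EXPIRATION_DAYS 3650`, run as root before stopping the service.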