When attempting to regenerate the certificate for pivotal-container-service, it reports the message "This version of pivotal-container-service is not compatible with certificate rotation".

If you are following steps similar to the steps outlined in Overview of Certificate Rotation, then you may receive the following error:

$ curl "https://localhost/api/v0/certificate_authorities/active/regenerate" ...

"property_reference":".director.system_metrics_certificate","variable_path":null,"reason":""}],"excluded":[],"regenerate_failed":[]},"info":"Action completed.","warnings":["This version of pivotal-container-service is not compatible with certificate rotation. Certificates in CredHub will not be rotated. Only the certificates managed by Ops Manager will be rotated."]}

Product Version: 1.7

Summary

You can continue to Apply Changes through Operations Manager (Ops Manager).

You can choose between the following two options depending on your workloads operations needs:

Option 1

Disable the "Upgrade all clusters" errand in Ops Manager and Apply Changes.

1. In Ops Manager, disable the "Upgrade all clusters" in the PKS/TKGI tile.

2. Run Apply Changes.

3. Execute the following command for each cluster individually:

pks upgrade-cluster <cluster-name> or tkgi upgrade-cluster <cluster-name>

 

Option 2

Enable "Upgrade all clusters" errand in Ops Manager and Apply Changes.

1. In Ops Manager, enable the  "Upgrade all clusters" errand in the PKS/TKGI tile.

2. Run Apply Changes with the errand "Upgrade all clusters" enabled.  

Option 3

Use TKGI CLI v1.12+ to rotate all certificates. See documentation page: Rotate All Cluster Certificates

tkgi rotate-certificates <cluster name> --all