Deployment not consuming new DNS leaf certs
Article ID: 386860

Products

Concourse for VMware Tanzu Pivotal Concourse

Issue/Introduction

After regenerating leaf certificates, an Apply Changes or a redeploy of Concourse is needed for the new leaf certs to be consumed. In this scenario you will find new versions of DNS leaf certs in the maestro topology that have not been consumed even after an Apply Changes or after redeploying Concourse. A leaf cert entry in the maestro topology would look like this (the newer version is not active and is referenced by no deployment, while the older, expiring version is still the one consumed by the deployment):

    - version_id: <id redacted>
      active: false
      signed_by_version: <CA redacted>
      deployment_names: []
      signing: false
      transitional: false
      certificate_authority: false
      generated: true
      valid_until: '2026-01-14T18:10:19Z'
    - version_id: <id redacted>
      active: true
      signed_by_version: <CA redacted>
      deployment_names:
      - concourse-a1
      signing: false
      transitional: false
      certificate_authority: false
      generated: true
      valid_until: '2025-01-28T21:28:30Z'

Cause

The customer may have opted to use the "Enable automatic rotation of the BOSH DNS CA certificate (experimental)" feature, which requires deploying a new stemcell before new versions of the DNS certs are consumed.

Resolution

Redeploying the tile/Concourse with the additional flag "--force-latest-variables" should bypass the new-stemcell requirement and consume the new certs. Example deployment:

bosh -d <deployment> deploy <concourse manifest yml> --force-latest-variables
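As an added example (not part of this article or of the Concourse tile), a small POSIX shell helper that reads a maestro topology excerpt shaped like the one above and lists the leaf cert versions that no deployment has consumed, which is the condition that calls for the redeploy with --force-latest-variables. The embedded topology sample, its version ids and the deployment/manifest names are constructed placeholders.

```shell
# Constructed sample shaped like the article's maestro topology excerpt;
# version ids and CA ids are placeholders, not real values.
SAMPLE_TOPOLOGY='- version_id: leaf-v2-placeholder
  active: false
  signed_by_version: ca-v1-placeholder
  deployment_names: []
  valid_until: "2026-01-14T18:10:19Z"
- version_id: leaf-v1-placeholder
  active: true
  signed_by_version: ca-v1-placeholder
  deployment_names:
  - concourse-a1
  valid_until: "2025-01-28T21:28:30Z"'

# Read topology YAML on stdin and emit one line per cert version:
# version_id active deployments(comma-separated, or "-" if none) valid_until
summarize_versions() {
  awk '
    function emit() { if (id != "") printf "%s %s %s %s\n", id, active, (deps == "" ? "-" : deps), until }
    /^[ ]*- version_id:/ { emit(); id = $3; active = ""; deps = ""; until = ""; in_deps = 0; next }
    /^[ ]*active:/ { active = $2; in_deps = 0; next }
    /^[ ]*deployment_names: \[\]/ { deps = ""; in_deps = 0; next }
    /^[ ]*deployment_names:/ { in_deps = 1; next }
    in_deps && /^[ ]*- / { deps = (deps == "" ? $2 : deps "," $2); next }
    /^[ ]*valid_until:/ { gsub(/[^0-9TZ:-]/, "", $2); until = $2; in_deps = 0; next }
    { in_deps = 0 }
    END { emit() }
  '
}

# Version ids that no deployment has consumed yet (the symptom the article describes).
unconsumed_versions() {
  summarize_versions | awk '$3 == "-" { print $1 }'
}

# Exit 0 when a redeploy with --force-latest-variables is warranted.
needs_force_latest_variables() {
  [ -n "$(unconsumed_versions)" ]
}

# Build the redeploy command from the article for a given deployment and manifest.
redeploy_command() {
  printf 'bosh -d %s deploy %s --force-latest-variables\n' "$1" "$2"
}

if printf '%s\n' "$SAMPLE_TOPOLOGY" | needs_force_latest_variables; then
  printf 'unconsumed leaf cert versions found; run:\n'
  redeploy_command concourse-a1 concourse.yml
fi
```

Pipe the real topology output into summarize_versions or unconsumed_versions to check a live environment before and after the redeploy; once the new version is consumed, unconsumed_versions prints nothing.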