Oracle Cloud Infrastructure Documentation

Renewing a Certificate

The Roving Edge device uses certificates to securely communicate with Oracle Cloud Infrastructure. Normally, the Roving Edge device renews certificates automatically and no manual action is required. Re-bootstrapping is the recovery process you use only if that automatic renewal fails and the certificate expires.

You typically only need to re-bootstrap if the system’s certificate has already expired. Certificates last 60 days, starting from the first time the Edge Installer runs. The Roving Edge device tries to prevent expiration by renewing early: once the certificate is more than 30 days old, the Roving Edge device requests a replacement certificate so it can keep talking to OCI. If the system can reach OCI endpoints before the certificate hits 60 days, the renewal happens automatically and you won’t need to run this procedure. Every time a new certificate is issued, the 30-day renewal point and 60-day expiration point reset. But if the Roving Edge device can’t connect to OCI between day 30 and day 60, the certificate will expire—and then re-bootstrapping is required to recover.

Note

The curl examples use the -k option to allow insecure TLS connections. Verify that this aligns with your organization’s security and compliance policies before using it.

Before you begin

  • You must be able to manage the compartment that contains the infrastructure.

  • Your tenancy policy must allow the permission CCC_CERTIFICATE_REGISTER.

  • Authenticate in the same region as the infrastructure.

  • The short-lived session created below expires after 60 minutes. If it expires before you finish, repeat the authentication steps.

Procedure

  1. Authenticate in the correct region.

    Run the following command as a user with the required permissions:

    oci session authenticate --profile user_profile --region <region-of-infrastructure>

  2. Reauthenticate with no browser to create a short-lived session.

    This creates a session suitable for export as a User Principal Session Token (UPST). You will be prompted to enter a new profile name. By default, the session expires in 60 minutes. If it expires before you complete the calls below, repeat steps 1 and 2.

    oci session authenticate --no-browser --profile user_profile
Enter the name of the profile you would like to create: new_profile
Config written to: /Users/home/.oci/config

  3. Export the new session.

    Export the session to a temporary location that you will use in later commands:

    oci session export --profile new_profile --output-file /tmp/exportedToken.zip
Exporting profile: new_profile from config file: /Users/home/.oci/config
Export file written to: /tmp/exportedToken.zip

  4. Identify the RPS fully qualified domain name (FQDN).

    Get the RPS endpoint host name in this format:

    rps.<FQDN>

    If you do not have the correct FQDN from your environment’s setup documentation, obtain it from your platform or Roving Edge guidance for your deployment.

  5. Register the token with the RPS /register endpoint.

    Run:

    curl -sS -k -X POST https://rps.<FQDN>/register \
                            -H 'Accept: application/json' \
                            -H 'Content-Type: multipart/form-data' \
                            -F 'file=@/tmp/exportedToken.zip;type=application/zip' \
                            -F 'infrastructure_id=<infrastructure-id>;type=text/plain'

    • If this command returns an error, wait 1 to 2 minutes and try again once.

    • If the retry fails, stop and contact support.

  6. Wait 2 minutes.

    After a successful /register call, wait 2 minutes before proceeding.

  7. Check readiness with the RPS /check_ready endpoint.

    Run:

    curl -sS -k -X POST https://rps.<FQDN>/check_ready \
                            -H 'Accept: application/json' \
                            -H 'Content-Type: multipart/form-data' \
                            -F 'file=@/tmp/exportedToken.zip;type=application/zip' \
                            -F 'infrastructure_id=<infrastructure-id>;type=text/plain'

    • If this command returns an error wait 2 minutes and try again.

    • If it still returns an error, stop and contact support.

After you run the commands

If the /register and /check_ready commands do not report errors, the RPS has obtained a new certificate. The remaining steps complete automatically and can take up to 5 minutes:

  1. The RPS uses its new certificate to sign and send a Resource Principal Token (RPT) request to the management plane. When the management plane grants the first RPT, the connection state changes from Ready to Disconnected. Some CLI views might still show Ready while the connection details show Connecting.

  2. The RPS uses the RPT to obtain a Resource Principal Session Token (RPST) from OCI Identity.

When to contact support

Contact support if:

  • /register or /check_ready returns errors after the suggested retry and wait.

  • The infrastructure does not reach Connected within 20 minutes after successful calls.

Be prepared to provide this information:

  • The infrastructure ID.

  • The full error output returned by the curl commands.

  • The timestamp and region used for authentication and calls.

  • Any relevant logs referenced by the runbook Certificate-Based Bootstrap Failure (if applicable).