Update vsatctl to upgrade security of existing VSatellite connections
Updated 11 February 2025
VSatellite has been updated to improve security by enabling TLS certificate validation when k3s connects to the Venafi registry. Previously, k3s did not validate TLS certificates, which could allow insecure connections. This security update is automatically applied to new VSatellite installations, but if you have existing VSatellite servers, you must manually update them.
To upgrade a VSatellite server
- Download the latest version of vsatctl:
  curl -O https://dl.venafi.cloud/vsatctl
- Make the file executable and run the security update:
  chmod +x ./vsatctl && ./vsatctl update security
  If your registries.yaml file is in a non-default location, specify the path:
  sudo ./vsatctl update security --registries-file /path/to/registries.yaml
Important considerations
- If you have custom configurations in registries.yaml, they will be overwritten when you run the security update. To preserve custom configurations, back up the file before updating:
  cp /etc/rancher/k3s/registries.yaml /etc/rancher/k3s/registries.yaml.bak
  After updating, manually reapply your custom configurations.
- Alternatively, you can skip running the security update and manually edit the registries.yaml file:
  - Open the file in a text editor:
    nano /etc/rancher/k3s/registries.yaml
  - Locate the insecure_skip_verify setting and change it to false:
    mirrors:
      your-registry:
        endpoint:
          - "https://your-registry-url"
        tls:
          insecure_skip_verify: false
  - Save and exit the file.
  - Restart k3s to apply the changes:
    sudo systemctl restart k3s
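To confirm the result after either path (the vsatctl security update or the manual edit), the following added check scans a registries.yaml file for any insecure_skip_verify setting that is still enabled. It is an example written for this page, not part of vsatctl or Venafi's tooling; the function name check_registries_tls is illustrative, the sample file is constructed, and the scan is line-based rather than a full YAML parse.

```shell
#!/bin/sh
# Added example: report registry entries that still disable TLS validation.
# check_registries_tls is an illustrative name, not a vsatctl command.
# Exit status: 0 = validation enabled everywhere, 1 = still disabled, 2 = unreadable file.

check_registries_tls() {
    file="${1:-/etc/rancher/k3s/registries.yaml}"   # default path used on this page
    if [ ! -r "$file" ]; then
        echo "cannot read $file" >&2
        return 2
    fi
    # Drop comments first so a commented-out setting is not reported, then
    # match the key with a truthy value (true/yes/on, any case). Treating
    # yes/on as enabled is a conservative assumption of this example.
    hits=$(sed 's/[[:space:]]*#.*$//' "$file" |
        grep -inE '^[[:space:]]*insecure_skip_verify[[:space:]]*:[[:space:]]*(true|yes|on)[[:space:]]*$' || true)
    if [ -n "$hits" ]; then
        echo "TLS validation still disabled in $file (line:setting):" >&2
        echo "$hits" >&2
        return 1
    fi
    echo "OK: no enabled insecure_skip_verify in $file"
    return 0
}

# Constructed sample (not from a real server): one entry left insecure.
sample=$(mktemp)
cat > "$sample" <<'EOF'
mirrors:
  your-registry:
    endpoint:
      - "https://your-registry-url"
    tls:
      insecure_skip_verify: true
EOF
check_registries_tls "$sample" || echo "status $?: run the security update or edit the file"
rm -f "$sample"
```

On a VSatellite server, call check_registries_tls with no argument to check the default path, or pass the same path you gave to --registries-file.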
How will I know if my server needs this update?
If your vsatctl is older than version 2.0.32, you should apply this update as a best practice to align with the latest security standards.
Where can I get support?
For additional guidance or troubleshooting, contact Venafi support or visit our Customer Support site.