man: mention changes in renew-crypto

This updates the gnt-cluster man page wrt to the changes
about server and client certificates and how they affect
the operation 'gnt-cluster renew-crypto'.

Signed-off-by: Helga Velroyen <helgav@google.com>
Reviewed-by: Klaus Aehlig <aehlig@google.com>

diff --git a/man/gnt-cluster.rst b/man/gnt-cluster.rst
index 124b864..8d0afa8 100644 (file)
--- a/man/gnt-cluster.rst
+++ b/man/gnt-cluster.rst
@@ -850,14 +850,20 @@ RENEW-CRYPTO
 
 This command will stop all Ganeti daemons in the cluster and start
 them again once the new certificates and keys are replicated. The
-options ``--new-cluster-certificate`` and ``--new-confd-hmac-key``
-can be used to regenerate respectively the cluster-internal SSL
-certificate and the HMAC key used by **ganeti-confd**\(8).
-
-The option ``--new-node-certificates`` will generate new node SSL
-certificates for all nodes. Note that the regeneration of the node
-certificates takes place after the other certificates are created
-and distributed and the ganeti daemons are restarted again.
+option ``--new-confd-hmac-key`` can be used to regenerate
+the HMAC key used by **ganeti-confd**\(8).
+
+The option ``--new-cluster-certificate`` will regenerate the
+cluster-internal server SSL certificate. The option
+``--new-node-certificates`` will generate new node SSL
+certificates for all nodes. Note that for the regeneration of
+of the server SSL certficate will invoke a regeneration of the
+node certificates as well, because node certificates are signed
+by the server certificate and thus have to be recreated and
+signed by the new server certificate. Nodes which are offline
+during a renewal of the server or the node certificates are not
+accessible anymore once they are marked as online again. To
+fix this, please readd the node instead.
 
 To generate a new self-signed RAPI certificate (used by
 **ganeti-rapi**\(8)) specify ``--new-rapi-certificate``. If you want to