  1. Red Hat Advanced Cluster Management
  2. ACM-17241

Add a new Troubleshooting section: Troubleshooting when CA update happened on the managed cluster side.


      Note: Doc team updates the current version of the documentation and the
      two previous versions (n-2), but we address *only high-priority, or
      customer-reported issues* for -2 releases in support.
      Describe the changes in the doc and link to your dev story:

      1. - [x] Mandatory: Add the required version to the Fix version/s field.

      2. - [ ] Mandatory: Choose the type of documentation change or review.

      • [ ] We need to update to an existing topic
      • [ ] We need to add a new document to an existing section
      • [x] We need a whole new section; this is a function not
        documented before and doesn't belong in any current section
      • [ ] We need an Operator Advisory review and approval
      • [ ] We need a z-Stream (Errata) Advisory and Release note
        for MCE and/or ACM

      3. - [ ] *Mandatory:* Use the following link to open the doc and find where the
      documentation update should go. Note: As the feature and doc is
      understood and developed, this placement decision may change:

      It should be a new section in the https://github.com/stolostron/rhacm-docs/tree/2.13_stage/troubleshooting part.

      4. - [ ] Mandatory for GA content:

      • [ ] Add steps, the diff, known issue, and/or other important
        conceptual information in the following space:
      • [ ] *Add Required access level* (example, *Cluster
        Administrator*) for the user to complete the task:
      • [ ] Add verification at the end of the task, how does the user
        verify success (a command to run or a result to see?)
      • [ ] Add link to dev story here: 

      5. - [x] Mandatory for bugs: What is the diff? Clearly define what the
      problem is, what the change is, and link to the current documentation. Only
      use this for a documentation bug.

      Related customer issues:

      The issue is:

      Customers sometimes need to update the cluster CA with their enterprise CA.

      For both Hive-provisioned clusters and Assisted Installer clusters, after users update the cluster certificate on the managed cluster side, the corresponding ClusterDeployment condition on the hub side displays an "Unreachable" error message:

        - lastProbeTime: "2022-11-06T20:30:20Z"
          lastTransitionTime: "2022-11-04T13:25:05Z"
          message: 'Get "https://api.aecho1quai.ccsd.ipz001.internal.bosch.cloud:6443/api?timeout=32s":
            x509: certificate signed by unknown authority'
          reason: ErrorConnectingToCluster
          status: "True"
          type: Unreachable 

       

      When attempting to access the managed cluster through the console page's download kubeconfig option, the connection error "x509: certificate signed by unknown authority" occurs.

      And if backup & restore operations are performed in this state, the managed cluster cannot be automatically imported to the restored hub.

      How to fix:

      On the hub cluster:

      export CA=<the customized CA>
      
      oc create secret generic additional-ca \
        --from-literal=ca.crt="$CA" \
        --namespace hive
      
      oc patch hiveconfig hive --type=merge -p '
      {
        "spec": {
          "additionalCertificateAuthoritiesSecretRef": [
            {
              "name": "additional-ca"
            }
          ]
        }
      }'
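
A pre-flight wrapper around the steps above, as an added example that is not part of the ticket or the product documentation. `check_ca_bundle` rejects a `$CA` value that is not a complete certificate bundle or that contains a private key, and `build_hive_patch` keeps secret references already present in HiveConfig, because a `--type=merge` patch replaces the whole `additionalCertificateAuthoritiesSecretRef` array. The function names are hypothetical, and `apply_ca_fix` assumes `oc` is logged in to the hub cluster.

```shell
# Added example; function names are hypothetical, not part of Hive or ACM.

# check_ca_bundle PEM_TEXT
# Succeeds only if the text holds at least one complete certificate block
# and no private key, so the secret carries CA certificates and nothing else.
check_ca_bundle() {
  local pem begins ends
  pem=$1
  if printf '%s\n' "$pem" | grep -q -- 'PRIVATE KEY-----'; then
    echo "refusing: bundle contains a private key" >&2
    return 1
  fi
  begins=$(printf '%s\n' "$pem" | grep -c -- '^-----BEGIN CERTIFICATE-----' || true)
  ends=$(printf '%s\n' "$pem" | grep -c -- '^-----END CERTIFICATE-----' || true)
  [ "$begins" -ge 1 ] && [ "$begins" -eq "$ends" ]
}

# build_hive_patch NEW_NAME [EXISTING_NAME...]
# Prints a merge patch that lists the existing secret refs plus NEW_NAME,
# deduplicated. A JSON merge patch replaces the whole array, so any entry
# left out of the patch would be dropped from HiveConfig.
# Secret names are DNS-style names, so no JSON escaping is needed.
build_hive_patch() {
  local new name seen items
  new=$1; seen=" "; items=""
  shift
  for name in "$@" "$new"; do
    case "$seen" in *" $name "*) continue ;; esac
    seen="$seen$name "
    items="$items${items:+,}{\"name\":\"$name\"}"
  done
  printf '{"spec":{"additionalCertificateAuthoritiesSecretRef":[%s]}}\n' "$items"
}

# apply_ca_fix: the ticket's steps with both checks wired in.
# Assumes $CA is exported as in the ticket and oc has access to the hub.
apply_ca_fix() {
  local existing
  check_ca_bundle "$CA" || return 1
  oc create secret generic additional-ca \
    --from-literal=ca.crt="$CA" --namespace hive || return 1
  existing=$(oc get hiveconfig hive \
    -o jsonpath='{.spec.additionalCertificateAuthoritiesSecretRef[*].name}') || return 1
  # $existing is left unquoted on purpose: jsonpath prints space-separated names.
  oc patch hiveconfig hive --type=merge \
    -p "$(build_hive_patch additional-ca $existing)"
}
```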

       

       

       

              anikandr@redhat.com Alexandra Nikandrova
              zxue@redhat.com ZHAO XUE