@@ -105,7 +105,7 @@ github.com/docker/containerd 9048e5e50717ea4497b757314bad98ea3763c145

 github.com/tonistiigi/fifo 1405643975692217d6720f8b54aeee1bf2cd5cf4

 # cluster

-github.com/docker/swarmkit d5232280c510d70755ab11305d46a5704735371a

+github.com/docker/swarmkit 6a6f38c02f1c96b1d3c548e45927349656ae37a1

 github.com/gogo/protobuf 8d70fb3182befc465c4a1eac8ad4d38ff49778e2

 github.com/cloudflare/cfssl 7fb22c8cba7ecaf98e4082d22d65800cf45e042a

 github.com/google/certificate-transparency d90e65c3a07988180c5b1ece71791c0b6506826e

@@ -148,14 +148,16 @@ func validateHasAtLeastOneExternalCA(ctx context.Context, externalCAs map[string

 // validates that the list of external CAs have valid certs associated with them, and produce a mapping of subject/pubkey:external

 // for later validation of required external CAs

-func getNormalizedExtCAs(caConfig *api.CAConfig) (map[string][]*api.ExternalCA, error) {

+func getNormalizedExtCAs(caConfig *api.CAConfig, normalizedCurrentRootCACert []byte) (map[string][]*api.ExternalCA, error) {

 	extCAs := make(map[string][]*api.ExternalCA)

 	for _, extCA := range caConfig.ExternalCAs {

-		if len(extCA.CACert) == 0 {

-			return nil, grpc.Errorf(codes.InvalidArgument, "must specify CA certificate for each external CA")

+		associatedCert := normalizedCurrentRootCACert

+		// if no associated cert is provided, assume it's the current root cert

+		if len(extCA.CACert) > 0 {

+			associatedCert = ca.NormalizePEMs(extCA.CACert)

 		}

-		certKey := string(ca.NormalizePEMs(extCA.CACert))

+		certKey := string(associatedCert)

 		extCAs[certKey] = append(extCAs[certKey], extCA)

 	}

@@ -191,12 +193,12 @@ func validateCAConfig(ctx context.Context, securityConfig *ca.SecurityConfig, cl

 		return nil, grpc.Errorf(codes.InvalidArgument, "if a signing CA key is provided, the signing CA cert must also be provided")

 	}

-	extCAs, err := getNormalizedExtCAs(newConfig) // validate that the list of external CAs is not malformed

+	normalizedRootCA := ca.NormalizePEMs(cluster.RootCA.CACert)

+	extCAs, err := getNormalizedExtCAs(newConfig, normalizedRootCA) // validate that the list of external CAs is not malformed

 	if err != nil {

 		return nil, err

 	}

-	normalizedRootCA := ca.NormalizePEMs(cluster.RootCA.CACert)

 	var oldCertExtCAs []*api.ExternalCA

 	if !hasSigningKey(&cluster.RootCA) {

 		oldCertExtCAs, err = validateHasAtLeastOneExternalCA(ctx, extCAs, securityConfig, normalizedRootCA, "current")

@@ -297,8 +297,9 @@ func (g *Orchestrator) reconcileServices(ctx context.Context, serviceIDs []strin

 	updates := make(map[*api.Service][]orchestrator.Slot)

 	_, err := g.store.Batch(func(batch *store.Batch) error {

-		var updateTasks []orchestrator.Slot

 		for _, serviceID := range serviceIDs {

+			var updateTasks []orchestrator.Slot

+

 			if _, exists := nodeTasks[serviceID]; !exists {

 				continue

 			}

@@ -352,7 +353,6 @@ func (g *Orchestrator) reconcileServices(ctx context.Context, serviceIDs []strin

 	for service, updateTasks := range updates {

 		g.updater.Update(ctx, g.cluster, service, updateTasks)

 	}

-

 }

 // updateNode updates g.nodes based on the current node value