Updating SSL cert in Rancher v2.x with the same CA

Renew the Rancher SSL/TLS certificate with the same CA

Pre-requisites

• Running Rancher v2.x
• Rancher on a Kubernetes Cluster see documentation for more information
• The new certificate must have the same root CA as the current certificate.
• A copy of the certificate and private key in Base64 format Doc
• A copy of the root and intermediate CA certificate (Sometimes called the certificate chain).

Assumptions

• kubectl access to the Rancher local cluster
• The certificate is stored as server.crt
• The private key is stored as tls.key
• The root CA is stored as root-ca.crt
• The intermediate CA is stored as intermediate-ca.crt

Resolution

Install Steps

1. Verify private key doesn't have a passphrase using the command listed below. If the following command asks for a passphrase, then it is password-protected, and this must be removed.

   openssl rsa -in tls.key -noout

2. Remove the passphrase (skip this step if the previous command didn't ask for a passphrase):

   mv tls.key tls-pass.key
   openssl rsa -in tls-pass.key -out tls.key
   Enter your passphrase here

3. Create the certificate chain. If there is an additional intermediate certs please add them at this step.

   NB: Order is important!

   cat server.crt intermediate-ca.crt root-ca.crt > tls.crt

4. Backup the current certificate:

   kubectl -n cattle-system get secret tls-rancher-ingress -o yaml > tls-rancher-ingress-bk.yaml

5. Remove the current certificate:

   kubectl -n cattle-system delete secret tls-rancher-ingress

6. Install the new certificate:

   kubectl -n cattle-system create secret tls tls-rancher-ingress \
   --cert=tls.crt \
   --key=tls.key

Verification Steps

• Run the following command to verify the new certificate. (Replace Rancher with your Rancher URL):

  curl --insecure -v https://<<Rancher>> 2>&1 | awk 'BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\*/ { if (cert) print }'

• Example output:

  * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
  * ALPN, server did not agree to a protocol
  * Server certificate:
  *  subject: OU=Domain Control Validated; CN=*.rancher.tools
  *  start date: Jul  2 00:42:01 2019 GMT
  *  expire date: May  2 00:19:41 2020 GMT
  *  issuer: C=BE; O=GlobalSign nv-sa; CN=AlphaSSL CA - SHA256 - G2
  *  SSL certificate verify ok.
  * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
  * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
  * old SSL session ID is stale, removing
  * Mark bundle as not supporting multiuse
  * Connection #0 to host lab.rancher.tools left intact

• NOTE: Some browsers will cache the certificate. So you might have to close the browser and reopen it in order to get the new certificate.

Rollback Steps

1. Backup the new certificate:

   kubectl -n cattle-system get secret tls-rancher-ingress -o yaml > tls-rancher-ingress-new.yaml

2. Remove the new certificate:

   kubectl -n cattle-system delete secret tls-rancher-ingress

3. Re-install the old certificate:

   kubectl -n cattle-system apply -f tls-rancher-ingress-bk.yaml