How to rotate the Rancher SSL certificate with a single node Docker installation

This document (000020062) is provided subject to the disclaimer at the end of this document.



One installation method for Rancher 2.x is to run Rancher in a Docker container on a single node. This approach is designed for a short-lived development/test environment and bundles a minimal footprint of all the components needed by Rancher into the container image.

When the default self-signed SSL certificate option is used, the lifetime of the SSL certificate is 1 year. If the container runs for a long period, the certificate will need to be rotated. The sections below provide the steps needed to rotate the certificate for different versions of Rancher.



Before performing the certificate rotation, ensure that a backup of the Rancher container has been completed. The backup can be used as a rollback in the event any previous data needs to be restored.

The process differs between versions of Rancher. Select your version below and set the container ID of the Rancher container.

Rancher v2.4.x and above

If the certificate is expiring in less than 90 days, certificate rotation occurs automatically on the next start of the Rancher container. Restart the container to trigger the rotation:

docker restart ${rancher_container_id}

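
Before restarting, the 90-day condition described above can be checked against the certificate's notAfter date. The script below is an added example, not part of the SUSE article; it assumes bash, GNU date and the openssl CLI, and the function names and the host rancher.example.test are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not from the SUSE article. Assumes GNU date and the openssl
# CLI; function names and the host name in the usage line are hypothetical.

ROTATION_WINDOW_DAYS=90   # article: v2.4.x and above rotate when < 90 days remain

# Print the notAfter value of the certificate served at host[:port],
# in openssl's format, e.g. "May  6 12:00:00 2022 GMT".
served_cert_enddate() {
  local host="$1" port="${2:-443}"
  openssl s_client -connect "${host}:${port}" -servername "${host}" \
      </dev/null 2>/dev/null | openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2
}

# Seconds from "now" ($2, epoch seconds) until the notAfter string in $1.
seconds_left() {
  local end
  [ -n "$1" ] || return 2   # GNU date parses "" as today, so reject it explicitly
  end=$(date -u -d "$1" +%s 2>/dev/null) || return 2
  echo $(( end - $2 ))
}

# Print one of: expired | in-rotation-window | outside-window | unparseable
rotation_status() {
  local left
  left=$(seconds_left "$1" "$2") || { echo "unparseable"; return 2; }
  if [ "$left" -le 0 ]; then
    echo "expired"
  elif [ "$left" -lt $(( ROTATION_WINDOW_DAYS * 86400 )) ]; then
    echo "in-rotation-window"
  else
    echo "outside-window"
  fi
}

# Constructed sample: a notAfter value checked against a fixed clock.
sample_now=$(date -u -d "Jan  1 00:00:00 2022 GMT" +%s)
echo "sample: $(rotation_status "Mar  1 00:00:00 2022 GMT" "$sample_now")"

# Live check when a host is given, e.g.: ./check.sh rancher.example.test
if [ "$#" -gt 0 ]; then
  enddate=$(served_cert_enddate "$1" "${2:-443}")
  echo "$1 notAfter=${enddate}: $(rotation_status "$enddate" "$(date +%s)")"
fi
```

An `in-rotation-window` result means the certificate has less than 90 days left, which is the condition under which v2.4.x and above rotate it on the next container start.
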
Rancher v2.3.x

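docker exec -ti ${rancher_container_id} bash
# The next commands run inside the container shell:
# back up the TLS directory, remove the generated certificates and keys,
# then restore only the CA files from the backup.
cp -rp /var/lib/rancher/k3s/server/tls /var/lib/rancher/k3s/server/tls.backup
cd /var/lib/rancher/k3s/server/tls
rm -rf *.crt *.key temporary-certs/
cp -p /var/lib/rancher/k3s/server/tls.backup/*-ca.* .
# Leave the container shell before restarting the container from the host
exit

docker restart ${rancher_container_id}

Rancher v2.2.x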

docker exec ${rancher_container_id} mv /var/lib/rancher/management-state/tls/localhost.crt /var/lib/rancher/management-state/tls/localhost.crt.backup
docker exec ${rancher_container_id} mv /var/lib/rancher/management-state/tls/localhost.key /var/lib/rancher/management-state/tls/localhost.key.backup

docker restart ${rancher_container_id}

Rancher v2.0.14+, v2.1.9+

docker exec ${rancher_container_id} mv /var/lib/rancher/management-state/certs/bundle.json /var/lib/rancher/management-state/certs/bundle.json.backup

docker restart ${rancher_container_id}


This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 000020062
  • Creation Date: 06-May-2021
  • Modified Date: 06-May-2021
    • SUSE Rancher
