How to rotate the Rancher SSL certificate with a single node Docker installation

This document (000020062) is provided subject to the disclaimer at the end of this document.

Situation

Task

One installation method for Rancher 2.x is to run Rancher in a Docker container on a single node. This approach is designed for a short-lived development/test environment and bundles a minimal footprint of all the components needed by Rancher into the container image.

When the default self-signed SSL certificate option is used, the lifetime of the SSL certificate is 1 year. If the container is run for a long period the certificate will need to be rotated. The below sections provide steps needed to rotate the certificate for different versions of Rancher.

Pre-requisites

Resolution

To perform the certificate rotation, please ensure a backup of the Rancher container has been completed, this can be used as a rollback in the event any previous data needs to be restored.

The process is different between different versions of Rancher, please select your version below as needed and set the container ID of the Rancher container.

Rancher v2.4.x and above

If the certificate is expiring in less than 90 days, certificate rotation occurs automatically. When expiry falls within this period, certificates will be rotated on the next start of the Rancher container.

rancher_container_id=xxx

docker restart ${rancher_container_id}
Rancher v2.3.x
rancher_container_id=xxx

docker exec -ti ${rancher_container_id} bash
cp -rp /var/lib/rancher/k3s/server/tls /var/lib/rancher/k3s/server/tls.backup
cd /var/lib/rancher/k3s/server/tls
rm -rf *.crt *.key temporary-certs/
cp -p /var/lib/rancher/k3s/server/tls.backup/*-ca.* .
exit

docker restart ${rancher_container_id}
Rancher v2.2.x
rancher_container_id=xxx

docker exec ${rancher_container_id} mv /var/lib/rancher/management-state/tls/localhost.crt /var/lib/rancher/management-state/tls/localhost.crt.backup
docker exec ${rancher_container_id} mv /var/lib/rancher/management-state/tls/localhost.key /var/lib/rancher/management-state/tls/localhost.key.backup

docker restart ${rancher_container_id}
Rancher v2.0.14+, v2.1.9+
rancher_container_id=xxx

docker exec ${rancher_container_id} mv /var/lib/rancher/management-state/certs/bundle.json /var/lib/rancher/management-state/certs/bundle.json.backup

docker restart ${rancher_container_id}

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:000020062
  • Creation Date: 06-May-2021
  • Modified Date:06-May-2021
    • SUSE Rancher

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback@suse.com

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

Join Our Community

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.


SUSE Customer Support Quick Reference Guide SUSE Technical Support Handbook Update Advisories
Support FAQ

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.

Go to Customer Center