Updating SSL cert in Rancher v2.x with the same CA
This document (000020152) is provided subject to the disclaimer at the end of this document.
Situation
Task
How do I renew my SSL/TLS certificate for Rancher?
Pre-requisites
- Running Rancher v2.x
- Rancher installed on a Kubernetes cluster (see the documentation for more information)
- The new certificate must have the same root CA as the current certificate.
- Used the option "Bring your own certificate" when installing Rancher (see the documentation)
- A copy of the certificate and private key in Base64 format (see the documentation)
- A copy of the root and intermediate CA certificate (Sometimes called the certificate chain).
Assumptions
- kubectl access to the Rancher local cluster
- The certificate is stored as server.crt
- The private key is stored as tls.key
- The root CA is stored as root-ca.crt
- The intermediate CA is stored as intermediate-ca.crt
Resolution
Install Steps
- Verify that the private key doesn't have a passphrase using the command listed below. If the command asks for a passphrase, the key is password protected and the passphrase must be removed:
openssl rsa -in tls.key -noout
- Remove the passphrase (skip this step if the previous command didn't ask for a passphrase):
mv tls.key tls-pass.key
openssl rsa -in tls-pass.key -out tls.key
Enter your passphrase when prompted.
- Create the certificate chain. If you have additional intermediate certificates, add them at this step.
NB: Order is important!
cat server.crt intermediate-ca.crt root-ca.crt > tls.crt
- Back up the current certificate:
kubectl -n cattle-system get secret tls-rancher-ingress -o yaml > tls-rancher-ingress-bk.yaml
- Remove the current certificate:
kubectl -n cattle-system delete secret tls-rancher-ingress
- Install the new certificate:
kubectl -n cattle-system create secret tls tls-rancher-ingress \
  --cert=tls.crt \
  --key=tls.key
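The following pre-flight script is an added example and not part of this SUSE article: run it before the kubectl steps to confirm that the key is unencrypted, that it matches server.crt, that server.crt chains through intermediate-ca.crt to root-ca.crt, and that the resulting tls.crt is in the required order. It assumes the file names from the Assumptions section and an openssl binary on PATH, and uses "openssl pkey" rather than "openssl rsa" so that EC keys are handled as well as RSA keys.

```shell
#!/bin/sh
# Pre-flight checks for the install steps above. This is an added example, not
# part of the SUSE article. It assumes the file names from the Assumptions
# section and an openssl binary on PATH, and uses "openssl pkey" instead of
# "openssl rsa" so that EC keys are handled as well as RSA keys.
set -u

# 1. The ingress cannot load a passphrase-protected key. Supplying an empty
#    passphrase with no TTY makes the check fail instead of prompting.
key_is_unencrypted() {
  openssl pkey -in "$1" -noout -passin pass: </dev/null >/dev/null 2>&1
}

# 2. The key must belong to the leaf certificate: compare their public keys.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 3. The leaf must chain through the intermediate to the (unchanged) root CA.
chain_verifies() {
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# 4. "Order is important": the first PEM block of the bundle must be the
#    server certificate, since that is the one the ingress presents as leaf.
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null; }
bundle_starts_with() {
  leaf=$(fingerprint "$2")
  [ -n "$leaf" ] && [ "$(fingerprint "$1")" = "$leaf" ]
}

# Runs every check on the standard file names, builds tls.crt only when the
# inputs are consistent, and returns non-zero with a reason otherwise.
preflight() {
  key_is_unencrypted tls.key || { echo "tls.key is passphrase protected"; return 1; }
  key_matches_cert server.crt tls.key \
    || { echo "tls.key does not match server.crt"; return 1; }
  chain_verifies server.crt intermediate-ca.crt root-ca.crt \
    || { echo "server.crt does not chain to root-ca.crt"; return 1; }
  cat server.crt intermediate-ca.crt root-ca.crt > tls.crt
  bundle_starts_with tls.crt server.crt || { echo "tls.crt is mis-ordered"; return 1; }
  echo "tls.crt and tls.key are ready for the kubectl create secret step"
}
```

Run `preflight` from the directory holding the four input files; it only writes tls.crt when all checks pass.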
Verification Steps
- Run the following command to verify the new certificate (replace <<Rancher>> with your Rancher URL):
curl --insecure -v https://<<Rancher>> 2>&1 | awk 'BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\*/ { if (cert) print }'
- Example output:
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: OU=Domain Control Validated; CN=*.rancher.tools
* start date: Jul 2 00:42:01 2019 GMT
* expire date: May 2 00:19:41 2020 GMT
* issuer: C=BE; O=GlobalSign nv-sa; CN=AlphaSSL CA - SHA256 - G2
* SSL certificate verify ok.
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Mark bundle as not supporting multiuse
* Connection #0 to host lab.rancher.tools left intact
- NOTE: Some browsers cache the certificate, so you might need to close the browser and reopen it in order to get the new certificate. See the article "How to clear the SSL state in a browser".
Rollback Steps
- Back up the new certificate:
kubectl -n cattle-system get secret tls-rancher-ingress -o yaml > tls-rancher-ingress-new.yaml
- Remove the new certificate:
kubectl -n cattle-system delete secret tls-rancher-ingress
- Re-install the old certificate:
kubectl -n cattle-system apply -f tls-rancher-ingress-bk.yaml
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 000020152
- Creation Date: 06-May-2021
- Modified Date: 06-May-2021
- SUSE Rancher
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com