Updating SSL cert in Rancher v2.x with the same CA

This document (000020152) is provided subject to the disclaimer at the end of this document.

Situation

Task

How do I renew my SSL/TLS certificate for Rancher?

Pre-requisites

  • Running Rancher v2.x
  • Rancher installed on a Kubernetes cluster (see the Rancher documentation for details)
  • The new certificate must have the same root CA as the current certificate.
  • Rancher was installed with the "Bring your own certificate" option
  • A copy of the certificate and private key in Base64 format
  • A copy of the root and intermediate CA certificates (sometimes called the certificate chain)

Assumptions

  • kubectl access to the Rancher local cluster
  • The certificate is stored as server.crt
  • The private key is stored as tls.key
  • The root CA is stored as root-ca.crt
  • The intermediate CA is stored as intermediate-ca.crt

Resolution

Install Steps
  1. Verify that the private key is not passphrase protected using the command below. If the command prompts for a passphrase, the key is encrypted and the passphrase must be removed in the next step.

    openssl rsa -in tls.key -noout
  2. Remove the passphrase (skip this step if the previous command didn't ask for a passphrase):

    mv tls.key tls-pass.key
    openssl rsa -in tls-pass.key -out tls.key
    Enter your passphrase here
  3. Create the certificate chain. If you have additional intermediate certs please add them at this step.

    NB: Order is important!

    cat server.crt intermediate-ca.crt root-ca.crt > tls.crt
  4. Backup the current certificate:

    kubectl -n cattle-system get secret tls-rancher-ingress -o yaml > tls-rancher-ingress-bk.yaml
  5. Remove the current certificate:

    kubectl -n cattle-system delete secret tls-rancher-ingress
  6. Install the new certificate:

    kubectl -n cattle-system create secret tls tls-rancher-ingress \
    --cert=tls.crt \
    --key=tls.key
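
As an added example (not part of the SUSE article or of Rancher's own tooling), the following POSIX shell script turns the checks behind steps 1 to 3 and the "same root CA" prerequisite into functions you can run before deleting the secret in step 5. It assumes openssl is on PATH and uses the file names from the Assumptions section; the kubectl command in the comment is the standard way to read the live certificate bundle out of the secret.

```shell
#!/bin/sh
# Pre-flight checks before replacing the tls-rancher-ingress secret (added example,
# not SUSE or Rancher code). Assumes openssl on PATH and the article's file names.
# Step 1: an encrypted key cannot be loaded by the ingress. Check the PEM marker and
# confirm the key parses with an empty passphrase, so nothing can block on a prompt.
key_is_unencrypted() {
    ! grep -q ENCRYPTED "$1" && openssl pkey -in "$1" -passin pass: -noout 2>/dev/null
}

# The key must belong to the server certificate: compare SHA-256 of both public keys.
key_matches_cert() {
    openssl x509 -in "$1" -noout 2>/dev/null && openssl pkey -in "$2" -passin pass: -noout 2>/dev/null || return 1
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$2" -passin pass: -pubout -outform DER | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ]
}

cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }
nth_cert() { awk -v n="$2" '/BEGIN CERTIFICATE/ { i++ } i == n' "$1"; }  # n is 1-based

# Step 3 ("Order is important!"): the bundle must run leaf -> intermediate -> root,
# i.e. each certificate's issuer is the subject of the certificate after it.
chain_is_ordered() {
    n=$(cert_count "$1"); i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(nth_cert "$1" "$i" | openssl x509 -noout -issuer)
        subject=$(nth_cert "$1" $((i + 1)) | openssl x509 -noout -subject)
        [ "${issuer#issuer=}" = "${subject#subject=}" ] || return 1
        i=$((i + 1))
    done
    [ "$n" -ge 2 ]   # a bare leaf is not the chain the article asks for
}

# The leaf must chain to the root through the intermediate, as clients will verify it.
chain_verifies() { openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1; }

# Prerequisite "same root CA as the current certificate": compare the fingerprint of
# the last certificate in each bundle. Save the live bundle from the secret with:
#   kubectl -n cattle-system get secret tls-rancher-ingress \
#     -o jsonpath='{.data.tls\.crt}' | base64 -d > current-tls.crt
root_fingerprint() { nth_cert "$1" "$(cert_count "$1")" | openssl x509 -noout -fingerprint -sha256; }
same_root_ca() { [ "$(root_fingerprint "$1")" = "$(root_fingerprint "$2")" ]; }
# Usage: preflight server.crt tls.key tls.crt intermediate-ca.crt root-ca.crt
preflight() {
    rc=0
    for check in "key_is_unencrypted $2" "key_matches_cert $1 $2" \
                 "chain_is_ordered $3" "chain_verifies $1 $4 $5"; do
        if $check; then echo "ok   $check"; else echo "FAIL $check"; rc=1; fi
    done
    return $rc
}
```

Run `same_root_ca current-tls.crt tls.crt` separately once the live bundle has been saved; a mismatch means the new chain does not satisfy the prerequisite and the agents will stop trusting Rancher after the swap.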
Verification Steps
  • Run the following command to verify the new certificate (replace <<Rancher>> with your Rancher hostname):
    curl --insecure -v https://<<Rancher>> 2>&1 | awk 'BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\*/ { if (cert) print }'
  • Example output:
    * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
    * ALPN, server did not agree to a protocol
    * Server certificate:
    *  subject: OU=Domain Control Validated; CN=*.rancher.tools
    *  start date: Jul  2 00:42:01 2019 GMT
    *  expire date: May  2 00:19:41 2020 GMT
    *  issuer: C=BE; O=GlobalSign nv-sa; CN=AlphaSSL CA - SHA256 - G2
    *  SSL certificate verify ok.
    * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
    * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
    * old SSL session ID is stale, removing
    * Mark bundle as not supporting multiuse
    * Connection #0 to host lab.rancher.tools left intact
Rollback Steps
  1. Backup the new certificate:

    kubectl -n cattle-system get secret tls-rancher-ingress -o yaml > tls-rancher-ingress-new.yaml
  2. Remove the new certificate:

    kubectl -n cattle-system delete secret tls-rancher-ingress
  3. Re-install the old certificate:

    kubectl -n cattle-system apply -f tls-rancher-ingress-bk.yaml

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 000020152
  • Creation Date: 06-May-2021
  • Modified Date: 06-May-2021
  • Product: SUSE Rancher
