SUSE Support

Here When You Need Us

Updating SSL cert in Rancher v2.x with the same CA

This document (000020152) is provided subject to the disclaimer at the end of this document.





Renew the Rancher SSL/TLS certificate with the same CA


  • Running Rancher v2.x
  • Rancher on a Kubernetes Cluster see documentation for more information
  • The new certificate must have the same root CA as the current certificate.
  • A copy of the certificate and private key in Base64 format Doc
  • A copy of the root and intermediate CA certificate (Sometimes called the certificate chain).


  • kubectl access to the Rancher local cluster
  • The certificate is stored as server.crt
  • The private key is stored as tls.key
  • The root CA is stored as root-ca.crt
  • The intermediate CA is stored as intermediate-ca.crt


Install Steps
  1. Verify private key doesn't have a passphrase using the command listed below. If the following command asks for a passphrase, then it is password-protected, and this must be removed.

    openssl rsa -in tls.key -noout
  2. Remove the passphrase (skip this step if the previous command didn't ask for a passphrase):

    mv tls.key tls-pass.key
    openssl rsa -in tls-pass.key -out tls.key
    Enter your passphrase here
  3. Create the certificate chain. If there is an additional intermediate certs please add them at this step.

    NB: Order is important!

    cat server.crt intermediate-ca.crt root-ca.crt > tls.crt
  4. Backup the current certificate:

    kubectl -n cattle-system get secret tls-rancher-ingress -o yaml > tls-rancher-ingress-bk.yaml
  5. Remove the current certificate:

    kubectl -n cattle-system delete secret tls-rancher-ingress
  6. Install the new certificate:

    kubectl -n cattle-system create secret tls tls-rancher-ingress \
    --cert=tls.crt \
Verification Steps
  • Run the following command to verify the new certificate. (Replace Rancher with your Rancher URL):
    curl --insecure -v https://<<Rancher>> 2>&1 | awk 'BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\*/ { if (cert) print }'
  • Example output:
    * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
    * ALPN, server did not agree to a protocol
    * Server certificate:
    *  subject: OU=Domain Control Validated; CN=*
    *  start date: Jul  2 00:42:01 2019 GMT
    *  expire date: May  2 00:19:41 2020 GMT
    *  issuer: C=BE; O=GlobalSign nv-sa; CN=AlphaSSL CA - SHA256 - G2
    *  SSL certificate verify ok.
    * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
    * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
    * old SSL session ID is stale, removing
    * Mark bundle as not supporting multiuse
    * Connection #0 to host left intact
  • NOTE: Some browsers will cache the certificate. So you might have to close the browser and reopen it in order to get the new certificate.
Rollback Steps
  1. Backup the new certificate:

    kubectl -n cattle-system get secret tls-rancher-ingress -o yaml > tls-rancher-ingress-new.yaml
  2. Remove the new certificate:

    kubectl -n cattle-system delete secret tls-rancher-ingress
  3. Re-install the old certificate:

    kubectl -n cattle-system apply -f tls-rancher-ingress-bk.yaml


Top Issue


This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:000020152
  • Creation Date: 27-Mar-2024
  • Modified Date:28-Mar-2024
    • SUSE Rancher

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.