How to manually renew calico-typha certificates when rancher webhook blocks auto-renewal
This document (000022028) is provided subject to the disclaimer at the end of this document.
Environment
Rancher Any Version
Calico CNI installed in Local cluster
Situation
In some cases the renewal of the calico-typha and calico-node certificates, which are designed to auto-renew when a Typha pod restarts, is blocked by the Rancher webhook. Because the certificates are never renewed, the Calico pods enter an error state.
Resolution
1. List the secrets in the calico-system namespace and check which certificate has expired.
2. Back up the Rancher webhook configurations as YAML (without -o yaml, kubectl writes a table that cannot be re-applied in step 4), then delete them:
kubectl get MutatingWebhookConfigurations rancher.cattle.io -o yaml > backupmutate.yml
kubectl get ValidatingWebhookConfigurations rancher.cattle.io -o yaml > backupvalidate.yml
kubectl delete MutatingWebhookConfigurations rancher.cattle.io
kubectl delete ValidatingWebhookConfigurations rancher.cattle.io
3. Delete the existing Typha certificates, then perform a rolling restart of the Typha deployment.
4. Validate the Typha certificates (as in step 1) and re-apply the Rancher webhook YAML backups.
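The four steps above as one script. This is an added example and not part of the SUSE article; it assumes kubectl already points at the Rancher local cluster, that Calico runs in the calico-system namespace with a deployment named calico-typha, and that GNU coreutils (date -d) and openssl are installed. It only inspects secrets that carry a tls.crt key, strips server-assigned metadata (resourceVersion, uid) from the backups so that kubectl apply can recreate the webhooks, and refuses to delete a webhook whose backup does not contain a YAML object. The expired secret names found in step 1 are passed as arguments.

```bash
#!/usr/bin/env bash
# Added example, not from the SUSE KB article. Assumes: kubectl points at the
# Rancher local cluster, GNU date and openssl are available, Calico is in
# calico-system and the Typha deployment is named calico-typha.
set -eu

NS=${CALICO_NS:-calico-system}
WEBHOOK=rancher.cattle.io                  # name of both Rancher webhook configurations
BACKUP_DIR=${BACKUP_DIR:-./rancher-webhook-backup}

# Pure helper: is a certificate with this openssl-style notAfter value expired
# at the reference epoch (default: now)? Exit status 0 means expired.
cert_expired() {   # cert_expired "<Mon DD HH:MM:SS YYYY GMT>" [ref-epoch]
  local not_after=$1 ref=${2:-$(date -u +%s)} end
  end=$(date -u -d "$not_after" +%s)
  [ "$end" -le "$ref" ]
}

# Pure helper: drop server-owned metadata from a single-object YAML dump so
# that kubectl apply can recreate the object once it has been deleted.
strip_server_fields() {   # strip_server_fields < in.yml > out.yml
  sed -E '/^  (resourceVersion|uid|creationTimestamp|generation): /d'
}

# Step 1: print notAfter for every secret with a tls.crt key and flag expired ones.
list_cert_expiry() {
  local name crt not_after status
  for name in $(kubectl -n "$NS" get secrets -o jsonpath='{.items[*].metadata.name}'); do
    crt=$(kubectl -n "$NS" get secret "$name" -o jsonpath='{.data.tls\.crt}')
    [ -n "$crt" ] || continue              # not a TLS secret
    not_after=$(printf '%s' "$crt" | base64 -d | openssl x509 -noout -enddate | cut -d= -f2)
    status=valid; cert_expired "$not_after" && status=EXPIRED
    printf '%-30s %-28s %s\n' "$name" "$not_after" "$status"
  done
}

# Step 2: back up both webhook configurations, verify the backups, then delete.
backup_and_remove_webhooks() {
  local kind f
  mkdir -p "$BACKUP_DIR"
  for kind in mutatingwebhookconfigurations validatingwebhookconfigurations; do
    f="$BACKUP_DIR/$kind.yml"
    kubectl get "$kind" "$WEBHOOK" -o yaml | strip_server_fields > "$f"
    grep -q '^kind: ' "$f" || { echo "backup $f is not a YAML object, aborting" >&2; return 1; }
  done
  for kind in mutatingwebhookconfigurations validatingwebhookconfigurations; do
    kubectl delete "$kind" "$WEBHOOK"
  done
}

# Step 3: delete the expired secrets found in step 1 and roll Typha so the
# operator issues fresh certificates.
renew_typha_certs() {   # renew_typha_certs <secret-name>...
  kubectl -n "$NS" delete secret "$@"
  kubectl -n "$NS" rollout restart deployment/calico-typha
  kubectl -n "$NS" rollout status deployment/calico-typha --timeout=5m
}

# Step 4: restore the webhooks. Keep the window between step 2 and this step
# short: while they are gone, Rancher's admission checks are not enforced.
restore_webhooks() {
  kubectl apply -f "$BACKUP_DIR/mutatingwebhookconfigurations.yml"
  kubectl apply -f "$BACKUP_DIR/validatingwebhookconfigurations.yml"
}

main() {   # usage: RENEW_RUN=1 ./renew-typha.sh <expired-secret-name>...
  list_cert_expiry
  backup_and_remove_webhooks
  renew_typha_certs "$@"
  list_cert_expiry                         # re-validate, as step 4 requires
  restore_webhooks
}

if [ "${RENEW_RUN:-0}" = 1 ]; then main "$@"; fi
```

Run list_cert_expiry on its own first (source the file and call it) to confirm which secret is actually expired before passing its name to main; the script is gated behind RENEW_RUN=1 so that sourcing it has no side effects.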
Cause
The tigera-operator (responsible for calico-typha) starts, but the Calico upgrade fails because the Rancher webhook denies the requests it makes.
Additional Information
GitHub issues have been raised for this problem:
https://github.com/rancher/rancher/issues/41191
https://github.com/projectcalico/calico/issues/9807
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 000022028
- Creation Date: 04-Sep-2025
- Modified Date: 16-Sep-2025
- SUSE Rancher
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com