Updating SSL cert in Rancher v2.x with the same CA
This document (000020152) is provided subject to the disclaimer at the end of this document.
Environment
Rancher
Situation
Renew the Rancher SSL/TLS certificate with the same CA
Pre-requisites
- Running Rancher v2.x
- Rancher installed on a Kubernetes cluster (see the Rancher documentation for more information)
- The new certificate must be issued under the same root CA as the current certificate. If the CA changes, the downstream cluster agents that validate Rancher's CA must be updated as well, which is outside the scope of this document.
- A copy of the certificate and private key in PEM (Base64) format
- A copy of the root and intermediate CA certificates (sometimes called the certificate chain)
Assumptions
- kubectl access to the Rancher local cluster
- The certificate is stored as server.crt
- The private key is stored as tls.key
- The root CA is stored as root-ca.crt
- The intermediate CA is stored as intermediate-ca.crt
Resolution
Install Steps
- Verify that the private key does not have a passphrase. If the following command prompts for a passphrase, the key is password-protected and the passphrase must be removed first:
openssl rsa -in tls.key -noout
- To remove a passphrase, move the protected key aside and write an unencrypted copy back to tls.key, entering the passphrase when prompted:
mv tls.key tls-pass.key
openssl rsa -in tls-pass.key -out tls.key
- Build the certificate bundle. NB: order is important! The server certificate must come first, followed by the intermediate CA and then the root CA; a bundle that starts with a CA certificate is served with the wrong leaf:
cat server.crt intermediate-ca.crt root-ca.crt > tls.crt
- Back up the current secret before replacing it; this backup is what the Rollback Steps below restore:
kubectl -n cattle-system get secret tls-rancher-ingress -o yaml > tls-rancher-ingress-bk.yaml
- Delete the old secret and create the new one from the bundle and the key. Note that there is a brief window between the two commands in which the namespace has no certificate secret:
kubectl -n cattle-system delete secret tls-rancher-ingress
kubectl -n cattle-system create secret tls tls-rancher-ingress \
--cert=tls.crt \
--key=tls.key
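Before replacing the secret it is worth checking the inputs rather than discovering a mismatch from the ingress logs. The script below is an added example, not part of this KB article or of Rancher; it builds a throwaway root / intermediate / server PKI with openssl (the hostname rancher.example.com, the subject names and the passphrase hunter2 are all constructed for the example) and then exercises the checks behind the steps above: passphrase detection and removal, key-to-certificate match, chain validation against the root via the intermediate, and the leaf-first ordering of tls.crt.

```shell
#!/usr/bin/env bash
# Added example, not from the Rancher KB article or Rancher tooling.
# Builds a constructed root -> intermediate -> server PKI in a temp dir and
# runs the pre-flight checks for a tls-rancher-ingress replacement:
#   1. the private key has no passphrase (and how to strip one)
#   2. the private key matches the server certificate
#   3. the server certificate chains to the root via the intermediate
#   4. the concatenated bundle has the leaf first (order matters)
# rancher.example.com, the CA names and the passphrase hunter2 are made up here.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

make_test_pki() {
  # CA certs must carry CA:TRUE or 'openssl verify' rejects them as issuers.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:rancher.example.com\nextendedKeyUsage=serverAuth\n' > leaf.ext

  # Root CA (self-signed)
  openssl req -new -newkey rsa:2048 -nodes -keyout root-ca.key -out root-ca.csr \
    -subj "/CN=Example Root CA" >/dev/null 2>&1
  openssl x509 -req -in root-ca.csr -signkey root-ca.key -days 3650 \
    -extfile ca.ext -out root-ca.crt >/dev/null 2>&1

  # Intermediate CA, signed by the root
  openssl req -new -newkey rsa:2048 -nodes -keyout intermediate-ca.key -out intermediate-ca.csr \
    -subj "/CN=Example Intermediate CA" >/dev/null 2>&1
  openssl x509 -req -in intermediate-ca.csr -CA root-ca.crt -CAkey root-ca.key -CAcreateserial \
    -days 1825 -extfile ca.ext -out intermediate-ca.crt >/dev/null 2>&1

  # Server (leaf) certificate signed by the intermediate; its key is tls.key
  openssl req -new -newkey rsa:2048 -nodes -keyout tls.key -out server.csr \
    -subj "/CN=rancher.example.com" >/dev/null 2>&1
  openssl x509 -req -in server.csr -CA intermediate-ca.crt -CAkey intermediate-ca.key -CAcreateserial \
    -days 365 -extfile leaf.ext -out server.crt >/dev/null 2>&1

  # A passphrase-protected copy of the key, to exercise the detection/removal step
  openssl rsa -in tls.key -aes256 -passout pass:hunter2 -out tls-pass.key >/dev/null 2>&1
}

# 0 if key $1 can be read without a passphrase, non-zero otherwise.
# An empty -passin keeps openssl from prompting interactively in scripts.
key_has_no_passphrase() {
  openssl rsa -in "$1" -noout -passin pass: >/dev/null 2>&1
}

# Write an unencrypted copy of key $1 (passphrase $2) to $3.
strip_passphrase() {
  openssl rsa -in "$1" -passin "pass:$2" -out "$3" >/dev/null 2>&1
}

# 0 if the public key in cert $1 equals the public key derived from private key $2
# ($2 must already be unencrypted, or openssl will prompt).
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# 0 if leaf $1 chains to root $2 through untrusted intermediate $3.
chain_verifies() {
  openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
}

# Bundle in the order the ingress expects: leaf, intermediate, root.
build_bundle() {
  cat server.crt intermediate-ca.crt root-ca.crt > "$1"
}

# 0 if the first PEM block of bundle $1 is the server certificate.
# openssl x509 reads only the first certificate in a file, which is also what a
# TLS server presents as its own certificate.
bundle_leaf_first() {
  [ "$(openssl x509 -in "$1" -noout -subject)" = "$(openssl x509 -in server.crt -noout -subject)" ]
}

# Number of certificates in bundle $1 (3 expected: leaf + intermediate + root).
bundle_cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

run_checks() {
  make_test_pki
  build_bundle tls.crt
  cat intermediate-ca.crt root-ca.crt server.crt > wrong-order.crt   # the mistake the NB warns about

  if key_has_no_passphrase tls-pass.key; then
    echo "tls-pass.key: no passphrase"
  else
    echo "tls-pass.key: passphrase-protected, writing unencrypted copy to tls-stripped.key"
    strip_passphrase tls-pass.key hunter2 tls-stripped.key
  fi
  key_matches_cert server.crt tls.key && echo "tls.key matches server.crt"
  chain_verifies server.crt root-ca.crt intermediate-ca.crt && echo "server.crt chains to root-ca.crt via intermediate-ca.crt"
  bundle_leaf_first tls.crt && echo "tls.crt: leaf first, $(bundle_cert_count tls.crt) certificates"
  bundle_leaf_first wrong-order.crt || echo "wrong-order.crt: leaf is NOT first, do not load this into the secret"
}
run_checks
```

To use the checks against real material, skip make_test_pki and point the functions at your own server.crt, tls.key, intermediate-ca.crt and root-ca.crt; a bundle_leaf_first failure on tls.crt means the cat order was wrong, and a chain_verifies failure usually means the intermediate in hand is not the one that issued the new certificate.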
Verification Steps
- Run the following command to confirm that the new certificate is being served (replace <<Rancher>> with your Rancher hostname). --insecure only stops curl from aborting when validation fails; the "SSL certificate verify" line still reports whether the chain validated against the system trust store, so for a publicly trusted CA you can also drop --insecure to make the check strict:
curl --insecure -v https://<<Rancher>> 2>&1 | awk 'BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\*/ { if (cert) print }'
- Example output:
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: OU=Domain Control Validated; CN=*.rancher.tools
* start date: Jul 2 00:42:01 2019 GMT
* expire date: May 2 00:19:41 2020 GMT
* issuer: C=BE; O=GlobalSign nv-sa; CN=AlphaSSL CA - SHA256 - G2
* SSL certificate verify ok.
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Mark bundle as not supporting multiuse
* Connection #0 to host lab.rancher.tools left intact
- NOTE: Some browsers cache the certificate, so you may have to close and reopen the browser before the new certificate is shown.
Rollback Steps
- Back up the new certificate before removing it, then delete the new secret and restore the backup taken during the install steps:
kubectl -n cattle-system get secret tls-rancher-ingress -o yaml > tls-rancher-ingress-new.yaml
kubectl -n cattle-system delete secret tls-rancher-ingress
kubectl -n cattle-system apply -f tls-rancher-ingress-bk.yaml
- NOTE: A secret exported with get -o yaml carries server-assigned metadata (resourceVersion, uid, creationTimestamp). If the apply is rejected, remove those fields from the backup file and apply it again.
Status
Top Issue
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.