Updating SSL cert in Rancher v2.x with the same CA
Article Number: 000020152
Environment
Rancher
Situation
Renew the Rancher SSL/TLS certificate with the same CA
Pre-requisites
- Running Rancher v2.x
- Rancher installed on a Kubernetes cluster (see the Rancher documentation for more information)
- The new certificate must have the same root CA as the current certificate.
- A copy of the certificate and private key in Base64 (PEM) format
- A copy of the root and intermediate CA certificate (Sometimes called the certificate chain).
Assumptions
- kubectl access to the Rancher local cluster
- The certificate is stored as server.crt
- The private key is stored as tls.key
- The root CA is stored as root-ca.crt
- The intermediate CA is stored as intermediate-ca.crt
Resolution
Install Steps
- Verify that the private key does not have a passphrase using the command below. If the command prompts for a passphrase, the key is password-protected and the passphrase must be removed:
openssl rsa -in tls.key -noout
- If the key is password-protected, remove the passphrase (enter the passphrase when prompted):
mv tls.key tls-pass.key
openssl rsa -in tls-pass.key -out tls.key
- Concatenate the server certificate, the intermediate CA certificate and the root CA certificate into a single chain file. NB: Order is important!
cat server.crt intermediate-ca.crt root-ca.crt > tls.crt
- Back up the existing secret:
kubectl -n cattle-system get secret tls-rancher-ingress -o yaml > tls-rancher-ingress-bk.yaml
- Delete the existing secret:
kubectl -n cattle-system delete secret tls-rancher-ingress
- Create the new secret from the chain file and the private key:
kubectl -n cattle-system create secret tls tls-rancher-ingress \
--cert=tls.crt \
--key=tls.key
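A pre-flight check for the files built in the steps above, added here as example code (it is not part of this article or of Rancher): it confirms that tls.key belongs to server.crt, that server.crt verifies against intermediate-ca.crt and root-ca.crt, and that tls.crt is concatenated in the order server, intermediate, root. It assumes openssl is installed; the file names are the ones used above.

```shell
# Added pre-flight checks for the files named under Assumptions above. Example code,
# not part of the Rancher KB article; assumes the openssl command line tool is on PATH.
set -eu

# Split a PEM bundle ($1) into cert-1.pem, cert-2.pem, ... inside directory $2.
split_bundle() {
  awk -v dir="$2" '/-----BEGIN CERTIFICATE-----/ { n++ } { print > (dir "/cert-" n ".pem") }' "$1"
}

# Returns 0 when private key $2 belongs to certificate $1 (same public key).
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 when bundle $1 is ordered server -> intermediate -> root, i.e. each
# certificate's issuer is the subject of the certificate that follows it.
chain_order_ok() {
  dir=$(mktemp -d)
  split_bundle "$1" "$dir"
  n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1")
  i=1; ok=0
  while [ "$i" -lt "$n" ]; do
    issuer=$(openssl x509 -in "$dir/cert-$i.pem" -noout -issuer_hash)
    subject=$(openssl x509 -in "$dir/cert-$((i + 1)).pem" -noout -subject_hash)
    [ "$issuer" = "$subject" ] || ok=1
    i=$((i + 1))
  done
  rm -rf "$dir"
  return "$ok"
}

# Returns 0 when server certificate $1 chains to root CA $3 through intermediate $2.
chain_verifies() {
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# Runs all checks against the file names used in this article and prints each failure.
preflight() {
  status=0
  key_matches_cert server.crt tls.key || { echo "FAIL: tls.key does not belong to server.crt"; status=1; }
  chain_verifies server.crt intermediate-ca.crt root-ca.crt || { echo "FAIL: server.crt does not verify against the CA files"; status=1; }
  chain_order_ok tls.crt || { echo "FAIL: tls.crt is not ordered server, intermediate, root"; status=1; }
  [ "$status" -eq 0 ] && echo "preflight OK"
  return "$status"
}

# Usage: sh preflight.sh --run   (in the directory holding the four files)
if [ "${1:-}" = "--run" ]; then preflight; fi
```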
Verification Steps
- Run the following command to verify the new certificate (replace <<Rancher>> with your Rancher URL):
curl --insecure -v https://<<Rancher>> 2>&1 | awk 'BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\*/ { if (cert) print }'
- Example output:
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: OU=Domain Control Validated; CN=*.rancher.tools
* start date: Jul 2 00:42:01 2019 GMT
* expire date: May 2 00:19:41 2020 GMT
* issuer: C=BE; O=GlobalSign nv-sa; CN=AlphaSSL CA - SHA256 - G2
* SSL certificate verify ok.
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Mark bundle as not supporting multiuse
* Connection #0 to host lab.rancher.tools left intact
- NOTE: Some browsers cache the certificate, so you may need to close and reopen the browser to see the new certificate.
Rollback Steps
- Back up the new secret:
kubectl -n cattle-system get secret tls-rancher-ingress -o yaml > tls-rancher-ingress-new.yaml
- Delete the new secret:
kubectl -n cattle-system delete secret tls-rancher-ingress
- Restore the secret from the backup taken during the install steps:
kubectl -n cattle-system apply -f tls-rancher-ingress-bk.yaml