How to change the Rancher v2.x Server certificate to an externally created certificate.

It’s often necessary to migrate from a self-signed or LetsEncrypt certificate to an externally created certificate like DigiCert or Comodo in Rancher v2.x.

Pre-requisites

Resolution

openssl rsa -in tls.key -noout
mv tls.key tls-pass.key
openssl rsa -in tls-pass.key -out tls.key
Enter your passphrase here

NB: Order is important!

cat server.crt intermediate-ca.crt root-ca.crt > tls.crt
kubectl -n cattle-system get secret tls-rancher-ingress -o yaml > tls-rancher-ingress-old.yaml
kubectl -n cattle-system delete secret tls-rancher-ingress
kubectl -n cattle-system create secret tls tls-rancher-ingress \
--cert=tls.crt \
--key=tls.key
helm get values rancher -n cattle-system -o yaml > values.yaml

NB: You should change the version flag to match your current Rancher version.

helm upgrade rancher rancher-latest/rancher \
  --namespace cattle-system \
  -f values.yaml \
  --version=2.5.5
curl -k -v https://Rancher 2>&1 | awk 'BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\*/ { if (cert) print }'
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: OU=Domain Control Validated; CN=*.rancher.tools
*  start date: Jul  2 00:42:01 2019 GMT
*  expire date: May  2 00:19:41 2020 GMT
*  issuer: C=BE; O=GlobalSign nv-sa; CN=AlphaSSL CA - SHA256 - G2
*  SSL certificate verify ok.
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Mark bundle as not supporting multiuse
* Connection #0 to host lab.rancher.tools left intact

NB: Some browsers will cache the certificate. So you might to close the browser and reopen it to get the new certificate. How to clear the SSL state in a browser.

NB: You will need to do this for each cluster managed by Rancher.

Rollback

kubectl -n cattle-system delete secret tls-rancher-ingress
kubectl -n cattle-system apply -f tls-rancher-ingress-old.yaml
comments powered by Disqus