How to use External TLS Termination with AWS

This document covers setting up Rancher using an AWS SSL certificate and an ALB (Application Load Balancer).

Pre-requisites

Resolution

Configure the SSL certificate

Create the Target Group

Create the ALB

Configure External TLS Termination for Rancher

You need to add the option --set tls=external to your Rancher install, per the following example: helm install rancher rancher-latest/rancher --namespace cattle-system --set hostname=mmattox-example.support.rancher.space --version 2.3.6 --set tls=external

Verification

Run the following command to verify new certificate:

curl --insecure -v https://<<Rancher Hostname>> 2>&1 | awk 'BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\*/ { if (cert) print }'

Example output:

* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: OU=Domain Control Validated; CN=*.rancher.tools
*  start date: Jul  2 00:42:01 2019 GMT
*  expire date: May  2 00:19:41 2020 GMT
*  issuer: C=BE; O=GlobalSign nv-sa; CN=AlphaSSL CA - SHA256 - G2
*  SSL certificate verify ok.
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Mark bundle as not supporting multiuse
* Connection #0 to host mmattox-example.support.rancher.space left intact

NOTE: Some browsers will cache the certificate. Details on how to clear the SSL state in a browser can be found here.

comments powered by Disqus