This document covers setting up Rancher using an AWS SSL certificate and an ALB (Application Load Balancer).


  • Running Rancher management servers on AWS
  • Cluster Admin or higher permissions in Rancher.
  • The following permissions in AWS
    • Create/Edit an NLB (Network Load Balancer)
    • Create/Edit an target groups


Configure the SSL certificate

Create the Target Group

  • Log into the AWS Console to get started.
  • Use Create a Target Group to create a Target group using the data in the tables below to complete the procedure:
    • Target Group Name: rancher-http-80
    • Protocol: http
    • Port: 80
    • Target type: instance
    • VPC: Choose your VPC
    • Protocol (Health Check): http
    • Path (Health Check): /healthz
  • Use Register Targets to Rancher management servers making sure to use the port 80.

Create the ALB

  • From your web browser, navigate to the Amazon EC2 Console.
  • From the navigation pane, choose LOAD BALANCING > Load Balancers.
  • Click Create Load Balancer.
  • Choose Application Load Balancer.
  • Complete the Step 1: Configure Load Balancer form:
    • Basic Configuration
      • Name: rancher-http
      • Scheme: internet-facing
      • IP address type: ipv4
    • Listeners
      • Add the Load Balancer Protocols and Load Balancer Ports below.
      • HTTP: 80
      • HTTPS: 443
    • Availability Zones
      • Select Your VPC and Availability Zones.
  • Complete the Step 2: Configure Security Settings form.
    • Configure the certificate you want to use for SSL termination.
  • Complete the Step 3: Configure Security Groups form.
  • Complete the Step 4: Configure Routing form.
    • From the Target Group drop-down, choose Existing target group.
    • Add target group rancher-http-80.
  • Complete Step 5: Register Targets. Since you registered your targets earlier, all you have to do it click Next: Review.
  • Complete Step 6: Review. Look over the load balancer details and click Create when you’re satisfied.
  • After AWS creates the ALB, click Close.

Configure External TLS Termination for Rancher

You need to add the option --set tls=external to your Rancher install, per the following example: helm install rancher rancher-latest/rancher --namespace cattle-system --set --version 2.3.6 --set tls=external


Run the following command to verify new certificate:

curl --insecure -v https://<<Rancher Hostname>> 2>&1 | awk 'BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\*/ { if (cert) print }'

Example output:

* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: OU=Domain Control Validated; CN=*
*  start date: Jul  2 00:42:01 2019 GMT
*  expire date: May  2 00:19:41 2020 GMT
*  issuer: C=BE; O=GlobalSign nv-sa; CN=AlphaSSL CA - SHA256 - G2
*  SSL certificate verify ok.
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Mark bundle as not supporting multiuse
* Connection #0 to host left intact

NOTE: Some browsers will cache the certificate. Details on how to clear the SSL state in a browser can be found here.