Updating SSL cert in Rancher v2.x with the same CA


Task

How do I renew my SSL/TLS certificate for Rancher?

Pre-requisites

  • Running Rancher v2.x
  • Rancher installed on a Kubernetes cluster (see the Rancher documentation for more information)
  • The new certificate must have the same root CA as the current certificate.
  • Rancher was installed with the "Bring your own certificate" option (see the Rancher documentation).
  • A copy of the certificate and private key in Base64 format (see the Rancher documentation).
  • A copy of the root and intermediate CA certificates (sometimes called the certificate chain).

Assumptions

  • kubectl access to the Rancher local cluster
  • The certificate is stored as server.crt
  • The private key is stored as tls.key
  • The root CA is stored as root-ca.crt
  • The intermediate CA is stored as intermediate-ca.crt

Resolution

Install Steps

  1. Verify that the private key does not have a passphrase using the command below. If the command prompts for a passphrase, the key is password protected and the passphrase must be removed.

    openssl rsa -in tls.key -noout
  2. Remove the passphrase (skip this step if the previous command did not prompt for one):

    mv tls.key tls-pass.key
    openssl rsa -in tls-pass.key -out tls.key
    (enter the passphrase when prompted)
  3. Create the certificate chain. If you have additional intermediate certificates, add them at this step, between the server certificate and the root CA.

    NB: Order is important!

    cat server.crt intermediate-ca.crt root-ca.crt > tls.crt
  4. Backup the current certificate:

    kubectl -n cattle-system get secret tls-rancher-ingress -o yaml > tls-rancher-ingress-bk.yaml
  5. Remove the current certificate:

    kubectl -n cattle-system delete secret tls-rancher-ingress
  6. Install the new certificate:

    kubectl -n cattle-system create secret tls tls-rancher-ingress \
    --cert=tls.crt \
    --key=tls.key
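
The checks from steps 1 to 3 (passphrase on the key, chain order, chain integrity) as a POSIX shell script. This is an added example, not Rancher's own tooling; it assumes the file names from the Assumptions section and writes the chain to tls.crt. `verify_chain` additionally needs openssl.

```shell
# count_certs FILE: number of PEM certificate blocks in FILE.
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# first_block FILE: print only the first PEM certificate block in FILE.
first_block() {
  awk '/^-----BEGIN CERTIFICATE-----/ { n++ }
       n == 1 { print }
       /^-----END CERTIFICATE-----/ { if (n == 1) exit }' "$1"
}

# key_is_encrypted KEYFILE: succeeds if the PEM key carries a passphrase
# (legacy "Proc-Type: 4,ENCRYPTED" header or a PKCS#8 ENCRYPTED PRIVATE KEY).
# Same question as step 1, without the interactive prompt.
key_is_encrypted() {
  grep -q -e 'Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# chain_starts_with CHAIN LEAF: the "order is important" check from step 3;
# the server (leaf) certificate must be the first block of the chain.
chain_starts_with() {
  [ "$(first_block "$1")" = "$(first_block "$2")" ]
}

# build_chain SERVER INTERMEDIATE ROOT OUT: concatenate leaf -> intermediate
# -> root. `awk 1` re-emits every line with a newline, so a leaf file that
# lacks a trailing newline cannot glue its END line onto the next BEGIN line
# (which plain `cat` would do). Fails if a block went missing or the leaf
# is not first in the result.
build_chain() {
  awk 1 "$1" "$2" "$3" > "$4" || return 1
  bc_expected=$(( $(count_certs "$1") + $(count_certs "$2") + $(count_certs "$3") ))
  [ "$(count_certs "$4")" -eq "$bc_expected" ] || return 1
  chain_starts_with "$4" "$1"
}

# verify_chain SERVER INTERMEDIATE ROOT KEY: needs openssl. Checks that the
# leaf validates against the supplied intermediate and root (i.e. the new
# certificate really chains to the same CA) and that KEY belongs to the leaf.
verify_chain() {
  openssl verify -CAfile "$3" -untrusted "$2" "$1" > /dev/null 2>&1 || return 1
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$4" -pubout 2>/dev/null)" ]
}
```

Run `build_chain server.crt intermediate-ca.crt root-ca.crt tls.crt && verify_chain server.crt intermediate-ca.crt root-ca.crt tls.key` before step 4; a non-zero exit means the new secret would be wrong and should not be installed.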

Verification Steps

  • Run the following command to verify the new certificate (replace <<Rancher>> with your Rancher hostname):
    curl --insecure -v https://<<Rancher>> 2>&1 | awk 'BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\*/ { if (cert) print }'
  • Example output:
    * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
    * ALPN, server did not agree to a protocol
    * Server certificate:
    *  subject: OU=Domain Control Validated; CN=*.rancher.tools
    *  start date: Jul  2 00:42:01 2019 GMT
    *  expire date: May  2 00:19:41 2020 GMT
    *  issuer: C=BE; O=GlobalSign nv-sa; CN=AlphaSSL CA - SHA256 - G2
    *  SSL certificate verify ok.
    * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
    * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
    * old SSL session ID is stale, removing
    * Mark bundle as not supporting multiuse
    * Connection #0 to host lab.rancher.tools left intact

Rollback Steps

  1. Backup the new certificate:

    kubectl -n cattle-system get secret tls-rancher-ingress -o yaml > tls-rancher-ingress-new.yaml
  2. Remove the new certificate:

    kubectl -n cattle-system delete secret tls-rancher-ingress
  3. Re-install the old certificate:

    kubectl -n cattle-system apply -f tls-rancher-ingress-bk.yaml