How to use External TLS Termination with AWS

This document covers setting up Rancher using an AWS SSL certificate and an ALB (Application Load Balancer).


  • Running Rancher management servers on AWS


Configure the SSL certificate

Create the Target Group

  1. Log into the AWS Console to get started.
  2. Use Create a Target Group to create a target group with the following settings:

    - Target Group Name: rancher-http-80
    - Protocol: http
    - Port: 80
    - Target type: instance
    - VPC: Choose your VPC
    - Protocol (Health Check): http
    - Path (Health Check): /healthz

  3. Use Register Targets to register the Rancher management servers, making sure to use port 80.

Create the ALB

  1. From your web browser, navigate to the Amazon EC2 Console.
  2. From the navigation pane, choose LOAD BALANCING > Load Balancers.
  3. Click Create Load Balancer.
  4. Choose Application Load Balancer.
  5. Complete the Step 1: Configure Load Balancer form:

    - Basic Configuration
      - Name: rancher-http
      - Scheme: internet-facing
      - IP address type: ipv4
    - Listeners: add the following Load Balancer Protocols and Load Balancer Ports.
      - HTTP: 80
      - HTTPS: 443
    - Availability Zones: select your VPC and Availability Zones.

  6. Complete the Step 2: Configure Security Settings form.

    - Configure the certificate you want to use for SSL termination.

  7. Complete the Step 3: Configure Security Groups form.

  8. Complete the Step 4: Configure Routing form.

    - From the Target Group drop-down, choose Existing target group.
    - Add target group rancher-http-80.

  9. Complete Step 5: Register Targets. Since you registered your targets earlier, all you have to do is click Next: Review.

  10. Complete Step 6: Review. Look over the load balancer details and click Create when you’re satisfied.
  11. After AWS creates the ALB, click Close.
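The same target group and ALB, built with the AWS CLI (aws elbv2) instead of the console, as an added example that is not part of this article; every VPC, subnet, security group, instance and certificate identifier is a placeholder supplied by the caller, and DRY_RUN=1 previews the commands without touching AWS.

```shell
#!/bin/sh
# Added example, not from the Rancher article: the target group and ALB above built with
# the AWS CLI (aws elbv2). Every VPC/subnet/SG/instance/certificate ID is a placeholder.
set -eu

# With DRY_RUN=1, print the command to stderr and a placeholder ARN to stdout instead of
# calling aws, so the sequence can be reviewed (or tested) without AWS credentials.
aws_cmd() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'aws %s\n' "$*" >&2
    printf 'arn:aws:elasticloadbalancing:DRY-RUN:placeholder\n'
  else
    aws "$@"
  fi
}

# create_target_group VPC_ID: HTTP/80, instance targets, health check on /healthz.
create_target_group() {
  aws_cmd elbv2 create-target-group --name rancher-http-80 --protocol HTTP --port 80 \
    --target-type instance --vpc-id "$1" --health-check-protocol HTTP \
    --health-check-path /healthz --query 'TargetGroups[0].TargetGroupArn' --output text
}

# register_rancher_nodes TG_ARN INSTANCE_ID...: register every Rancher node on port 80.
register_rancher_nodes() {
  tg_arn=$1; shift; targets=""
  for id in "$@"; do targets="$targets Id=$id,Port=80"; done
  # $targets is left unquoted so each Id=...,Port=80 is passed as a separate argument
  aws_cmd elbv2 register-targets --target-group-arn "$tg_arn" --targets $targets >/dev/null
}

# create_alb SG_ID SUBNET_ID...: internet-facing IPv4 ALB across the given subnets (AZs).
create_alb() {
  sg=$1; shift
  aws_cmd elbv2 create-load-balancer --name rancher-http --type application \
    --scheme internet-facing --ip-address-type ipv4 --security-groups "$sg" \
    --subnets "$@" --query 'LoadBalancers[0].LoadBalancerArn' --output text
}

# add_listeners LB_ARN TG_ARN CERT_ARN: TLS ends at the HTTPS:443 listener (ACM cert);
# both listeners forward to the target group, matching the console steps above.
add_listeners() {
  aws_cmd elbv2 create-listener --load-balancer-arn "$1" --protocol HTTPS --port 443 \
    --certificates "CertificateArn=$3" --default-actions "Type=forward,TargetGroupArn=$2" >/dev/null
  aws_cmd elbv2 create-listener --load-balancer-arn "$1" --protocol HTTP --port 80 \
    --default-actions "Type=forward,TargetGroupArn=$2" >/dev/null
}
```

Source the file and call the functions in order: tg=$(create_target_group vpc-...), register_rancher_nodes "$tg" i-... i-..., lb=$(create_alb sg-... subnet-... subnet-...), then add_listeners "$lb" "$tg" arn:aws:acm:...; run the same sequence with DRY_RUN=1 first to review the exact commands.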

Configure External TLS Termination for Rancher

Because the ALB terminates TLS, Rancher must be told not to serve TLS itself: add the option --set tls=external to your Rancher install, as in the following example:

helm install rancher rancher-latest/rancher --namespace cattle-system --version 2.3.6 --set tls=external


Run the following command to verify the new certificate:

curl --insecure -v https://<<Rancher Hostname>> 2>&1 | awk 'BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\*/ { if (cert) print }'

Example output:

* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: OU=Domain Control Validated; CN=*
*  start date: Jul  2 00:42:01 2019 GMT
*  expire date: May  2 00:19:41 2020 GMT
*  issuer: C=BE; O=GlobalSign nv-sa; CN=AlphaSSL CA - SHA256 - G2
*  SSL certificate verify ok.
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Mark bundle as not supporting multiuse
* Connection #0 to host left intact

NOTE: Some browsers will cache the certificate. Details on how to clear the SSL state in a browser can be found here.
