How to rotate the Rancher SSL certificate with a single node Docker installation

Follow
Table of Contents

Task

One installation method for Rancher 2.x is to run Rancher in a Docker container on a single node. This approach is designed for a short-lived development/test environment and bundles a minimal footprint of all the components needed by Rancher into the container image.

When the default self-signed SSL certificate option is used, the lifetime of the SSL certificate is 1 year. If the container is run for a long period the certificate will need to be rotated. The below sections provide steps needed to rotate the certificate for different versions of Rancher.

Pre-requisites

Resolution

To perform the certificate rotation, please ensure a backup of the Rancher container has been completed, this can be used as a rollback in the event any previous data needs to be restored.

The process is different between different versions of Rancher, please select your version below as needed and set the container ID of the Rancher container.

Rancher v2.4.x and above

If the certificate is expiring in less than 90 days, certificate rotation occurs automatically. When expiry falls within this period, certificates will be rotated on the next start of the Rancher container.

rancher_container_id=xxx

docker restart ${rancher_container_id}

Rancher v2.3.x

rancher_container_id=xxx

docker exec -ti ${rancher_container_id} bash
cp -rp /var/lib/rancher/k3s/server/tls /var/lib/rancher/k3s/server/tls.backup
cd /var/lib/rancher/k3s/server/tls
rm -rf *.crt *.key temporary-certs/
cp -p /var/lib/rancher/k3s/server/tls.backup/*-ca.* .
exit

docker restart ${rancher_container_id}

Rancher v2.2.x

rancher_container_id=xxx

docker exec ${rancher_container_id} mv /var/lib/rancher/management-state/tls/localhost.crt /var/lib/rancher/management-state/tls/localhost.crt.backup
docker exec ${rancher_container_id} mv /var/lib/rancher/management-state/tls/localhost.key /var/lib/rancher/management-state/tls/localhost.key.backup

docker restart ${rancher_container_id}

Rancher v2.0.14+, v2.1.9+

rancher_container_id=xxx

docker exec ${rancher_container_id} mv /var/lib/rancher/management-state/certs/bundle.json /var/lib/rancher/management-state/certs/bundle.json.backup

docker restart ${rancher_container_id}
Was this article helpful?
0 out of 0 found this helpful

Comments

0 comments

Please sign in to leave a comment.