Added new section for common cert, updated link to page in 2.0-2.4

This commit is contained in:
Jennifer Travinski
2022-05-24 16:48:51 -04:00
parent 102f13f79c
commit 3be66c4ab4
2 changed files with 38 additions and 7 deletions
@@ -35,4 +35,4 @@ kubectl -n cattle-system create secret generic tls-ca \
# Updating a Private CA Certificate
Follow the steps on [this page]({{<baseurl>}}/rancher/v2.0-v2.4/en/installation/resources/update-ca-cert) to update the SSL certificate of the ingress in a Rancher [high availability Kubernetes installation]({{<baseurl>}}/rancher/v2.0-v2.4/en/installation/install-rancher-on-k8s/) or to switch from the default self-signed certificate to a custom certificate.
Follow the steps on [this page]({{<baseurl>}}/rancher/v2.0-v2.4/en/installation/resources/update-rancher-cert) to update the SSL certificate of the ingress in a Rancher [high availability Kubernetes installation]({{<baseurl>}}/rancher/v2.0-v2.4/en/installation/install-rancher-on-k8s/) or to switch from the default self-signed certificate to a custom certificate.
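Review bot: the link target changes from `update-ca-cert` to `update-rancher-cert`, but the heading directly above it, `# Updating a Private CA Certificate`, is left as is and the rendered diff does not show the target page being moved. Update this heading to match the new page title, and confirm the page is actually served at `.../installation/resources/update-rancher-cert` (ideally with an alias for the old `update-ca-cert` path, since existing links and bookmarks to it will otherwise break).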
@@ -1,8 +1,10 @@
---
title: Updating a Private CA Certificate
title: Updating the Rancher Certificate
weight: 10
---
# Updating a Private CA Certificate
Follow these steps to update the SSL certificate of the ingress in a Rancher [high availability Kubernetes installation]({{<baseurl>}}/rancher/v2.0-v2.4/en/installation/install-rancher-on-k8s/) or to switch from the default self-signed certificate to a custom certificate.
A summary of the steps is as follows:
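Review bot: the front-matter title becomes `Updating the Rancher Certificate`, but the H1 on the following context line still reads `# Updating a Private CA Certificate`, so the page heading and the browser title will disagree. Either change the H1 to match or drop it and let the theme render the front-matter title; the intro sentence could also say that the page now covers switching back to a publicly trusted certificate, since that section is added at the end of this file.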
@@ -14,7 +16,7 @@ A summary of the steps is as follows:
The details of these instructions are below.
# 1. Create/update the certificate secret resource
## 1. Create/update the certificate secret resource
First, concatenate the server certificate followed by any intermediate certificate(s) to a file named `tls.crt` and provide the corresponding certificate key in a file named `tls.key`.
@@ -35,7 +37,7 @@ $ kubectl -n cattle-system create secret tls tls-rancher-ingress \
--dry-run --save-config -o yaml | kubectl apply -f -
```
# 2. Create/update the CA certificate secret resource
## 2. Create/update the CA certificate secret resource
If the new certificate was signed by a private CA, you will need to copy the corresponding root CA certificate into a file named `cacerts.pem` and create or update the `tls-ca secret` in the `cattle-system` namespace. If the certificate was signed by an intermediate CA, then the `cacerts.pem` must contain both the intermediate and root CA certificates (in this order).
@@ -54,7 +56,7 @@ $ kubectl -n cattle-system create secret generic tls-ca \
--dry-run --save-config -o yaml | kubectl apply -f -
```
# 3. Reconfigure the Rancher deployment
## 3. Reconfigure the Rancher deployment
> Before proceeding, generate an API token in the Rancher UI (<b>User > API & Keys</b>) and save the Bearer Token which you might need in step 4.
@@ -89,7 +91,7 @@ helm upgrade rancher rancher-stable/rancher \
When the upgrade is completed, navigate to `https://<Rancher_SERVER>/v3/settings/cacerts` to verify that the value matches the CA certificate written in the `tls-ca` secret earlier.
# 4. Reconfigure Rancher agents to trust the private CA
## 4. Reconfigure Rancher agents to trust the private CA
This section covers three methods to reconfigure Rancher agents to trust the private CA. This step is required if either of the following is true:
@@ -142,4 +144,33 @@ With this method you are recreating the Rancher agents by running a set of comma
First, generate the agent definitions as described here: https://gist.github.com/superseb/076f20146e012f1d4e289f5bd1bd4971
Then, connect to a controlplane node of the downstream cluster via SSH, create a Kubeconfig and apply the definitions:
https://gist.github.com/superseb/b14ed3b5535f621ad3d2aa6a4cd6443b
https://gist.github.com/superseb/b14ed3b5535f621ad3d2aa6a4cd6443b
# Updating from a Private CA Certificate to a Common Certificate
It is possible to perform the opposite procedure as shown above: you may change from a private certificate to a common, or non-private, certificate. The steps involved are very similar to the above, with some exceptions.
The steps needed to accomplish this are as follows:
1. Perform [Step 1 above](#1-create-update-the-certificate-secret-resource).
1. Delete the `tls-ca` secret as it is no longer needed.
>**Note:** You may optionally save a copy of the `tls-ca` secret if desired.
**To save:**
```
kubectl -n cattle-system get secret tls-ca -o yaml > tls-ca.yaml
```
**To delete:**
```
kubectl -n cattle-system delete secret tls-ca
```
1. On Rancher upgrade, the `privateCA` parameter **must** be either removed or set to `false` because the CA is valid:
```
set privateCA=false
```
1. `CATTLE_CA_CHECKSUM` environment variable on the downstream cluster agents should be removed or set to "" (an empty string).
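Review bot: the fenced block `set privateCA=false` is not a runnable command; in the `helm upgrade rancher rancher-stable/rancher \` invocation shown in step 3 the flag is `--set privateCA=false` (or the flag is simply omitted), so show it in that form and say explicitly that it is a Helm argument. The reason given, "because the CA is valid", reads better as "because the certificate is now issued by a publicly trusted CA". The anchor `#1-create-update-the-certificate-secret-resource` should be checked against the generated heading ID: GitHub-style ID generation drops the `/` in `Create/update` rather than turning it into a hyphen, which would leave the link dead. The last item should say where `CATTLE_CA_CHECKSUM` is set (the downstream cluster agents reconfigured in step 4) and how to clear it, and a final check that `https://<Rancher_SERVER>/v3/settings/cacerts` is now empty would mirror the verification step 3 already provides for the private-CA direction. Finally, the gist URL just above the new heading appears twice; if the second copy is an added duplicate, drop it.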