Adding TLS Secrets
Kubernetes will create all the objects and services for Rancher, but it will not become available until we populate the tls-rancher-ingress secret in the cattle-system namespace with the certificate and key.
Combine the server certificate followed by any intermediate certificate(s) needed into a file named tls.crt. Copy your certificate key into a file named tls.key.
For example, acme.sh provides the server certificate and CA chain in the fullchain.cer file. Rename fullchain.cer to tls.crt and the certificate key file to tls.key.
Use kubectl with the tls secret type to create the secrets.
kubectl -n cattle-system create secret tls tls-rancher-ingress \
  --cert=tls.crt \
  --key=tls.key
If you want to replace the certificate, you can delete the |
Using a Private CA Signed Certificate
If you are using a private CA, Rancher requires a copy of the private CA’s root certificate or certificate chain, which the Rancher Agent uses to validate the connection to the server.
Create a file named cacerts.pem that only contains the root CA certificate or certificate chain from your private CA, and use kubectl to create the tls-ca secret in the cattle-system namespace.
kubectl -n cattle-system create secret generic tls-ca \
  --from-file=cacerts.pem=./cacerts.pem
The configured |
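A preflight check for the tls.crt, tls.key and cacerts.pem files described above, as an added example that is not part of the Rancher documentation. It confirms that the certificate files contain certificates only and that the first certificate in tls.crt matches tls.key; the helper names certs_only and check_tls_pair are hypothetical, and openssl is assumed to be installed.

```shell
#!/bin/sh
# Added example: sanity-check the PEM files before creating the secrets.
# certs_only and check_tls_pair are hypothetical helper names.

# Succeeds if the file holds at least one certificate and no private key
# (what tls.crt and cacerts.pem should look like).
certs_only() {
    [ -r "$1" ] || { echo "$1: not readable" >&2; return 2; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" ||
        { echo "$1: no certificate found" >&2; return 3; }
    if grep -q -- '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$1"; then
        echo "$1: contains a private key" >&2; return 4
    fi
}

# Succeeds if the first certificate in $1 (the server certificate) carries
# the public key that belongs to the private key in $2.
check_tls_pair() {
    certs_only "$1" || return $?
    [ -r "$2" ] || { echo "$2: not readable" >&2; return 2; }
    # openssl x509 parses only the first PEM block in the file.
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) ||
        { echo "$1: first block is not a valid certificate" >&2; return 5; }
    # -passin pass: makes an encrypted key fail instead of prompting.
    key_pub=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) ||
        { echo "$2: not a usable unencrypted private key" >&2; return 6; }
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "$1 and $2 do not belong together" >&2; return 7; }
}

# Usage:
#   check_tls_pair tls.crt tls.key && certs_only cacerts.pem
```

A non-zero return identifies which check failed, so the kubectl commands can be chained behind these functions with &&.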
Updating a Private CA Certificate
Follow the steps on this page to update the SSL certificate of the ingress in a Rancher high availability Kubernetes installation or to switch from the default self-signed certificate to a custom certificate.