2

How to change rancher single-install cert from self-signed cert to signed by CA cert?

I tried to back up the rancher container and created a new one with --no-cacerts. All the data seems gone. Afterwards, I created a new admin account and tried to remove all the data in /var/lib/rancher/ and re-restore data again. The container log says that rancher is:

[INFO] waiting for server to become available: Get https://localhost:6443/version?timeout=30s: x509: certificate signed by unknown authority

I doubt that there is some information embedded in the rancher data directory (/var/lib/rancher/) and it contains the original self-signed cert.

Is there a good way to safely change certification?

Adam
Note: rotating the cluster certs is not helping since it just signs another self assigned one and restarts all the system pods. – Adam Oct 26 '19 at 17:44

1 Answer

1

Not really a solution to your problem but, starting with Rancher 2.0, Rancher has built-in support for Let's Encrypt certificates. The only parameter needed to enable this is --acme-domain rancher.yourdomain.com. It will use the http-01 challenge to verify, so make sure port 80 is open from the container.

user3504575
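Before swapping a self-signed certificate for a CA-signed one, as the question describes, it helps to confirm what the replacement file really is. The following is an added example, not code from the post or from Rancher: it reports whether a certificate is self-signed or CA-issued, whether the private key belongs to it, and whether it verifies against a CA bundle (the check that fails with "certificate signed by unknown authority"). It assumes the openssl CLI is installed; the function names, file names and rancher.example.test are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight checks on a replacement certificate (not Rancher code).

# Prints "self-signed" when subject and issuer are the same name, else "ca-issued".
# Only the first certificate in the file (the leaf) is inspected.
cert_kind() {
    subj=$(openssl x509 -in "$1" -noout -subject_hash) || return 2
    issr=$(openssl x509 -in "$1" -noout -issuer_hash) || return 2
    if [ "$subj" = "$issr" ]; then echo "self-signed"; else echo "ca-issued"; fi
}

# Succeeds only when the private key belongs to the certificate's public key.
key_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only when the certificate verifies against the given CA bundle.
chains_to() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Builds constructed sample material in directory $1: a self-signed cert
# (old.pem/old.key) and a leaf (new.pem/new.key) issued by a throwaway CA (ca.pem).
make_samples() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=rancher.example.test" \
        -keyout "$d/old.key" -out "$d/old.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=rancher.example.test" \
        -keyout "$d/new.key" -out "$d/new.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/new.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/new.pem" 2>/dev/null
}

# Usage: script CERT KEY CA_BUNDLE
if [ "$#" -eq 3 ]; then
    echo "kind: $(cert_kind "$1")"
    key_matches "$1" "$2" && echo "key: matches" || echo "key: MISMATCH"
    chains_to "$1" "$3" && echo "chain: verifies" || echo "chain: FAILS"
fi
```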