
@clemenko
Last active January 14, 2025 17:24

setting up Rancher with certs - example

Docs: https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/resources/add-tls-secrets

install rke2

curl -sfL https://get.rke2.io | sh -

set up env

# \$PATH is escaped so it is expanded each time ~/.bashrc is read, not frozen at the value it has now
echo "export KUBECONFIG=/etc/rancher/rke2/rke2.yaml PATH=\$PATH:/usr/local/bin/:/var/lib/rancher/rke2/bin/" >> ~/.bashrc
source ~/.bashrc

install helm

curl -s https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash

add repos

helm repo add rancher-latest https://releases.rancher.com/server-charts/latest --force-update 
helm repo add jetstack https://charts.jetstack.io --force-update 

install cert-manager

helm upgrade -i cert-manager jetstack/cert-manager -n cert-manager --create-namespace --set crds.enabled=true 

add secrets

kubectl create ns cattle-system

kubectl -n cattle-system create secret tls tls-rancher-ingress --cert=/root/star.rfed.io.cert --key=/root/star.rfed.io.key

kubectl -n cattle-system create secret generic tls-ca --from-file=/root/cacerts.pem 

install rancher with tls certs

helm upgrade -i rancher rancher-latest/rancher -n cattle-system --create-namespace --set hostname=rancher.rfed.io --set bootstrapPassword=bootStrapAllTheThings --set replicas=1 --set ingress.tls.source=secret --set ingress.tls.secretName=tls-rancher-ingress --set privateCA=true 
@clemenko
Author

Brandon is really sharp. Map out on that thread how your network is laid out.

@joshyorko

Hi @andisugandi,

I know this is probably unrelated to your connection timeout issue with the Rancher endpoint, but I wanted to share a recommendation regarding the method you used to install the certificates.

I’ve tried a similar approach in the past, and while it wasn’t the cause of your specific issue, it did fail for me due to Rancher not receiving the full certificate chain. This led to problems with TLS handshake validation.

Instead, I’d highly recommend following the method outlined in [Techno Tim’s guide](https://technotim.live/posts/kube-traefik-cert-manager-le/) for setting up wildcard certificates with Traefik and cert-manager. His guide walks you through using DNS validation with your DNS provider’s API token to request certificates directly from Let’s Encrypt. You can even practice with staging certificates, but I’d suggest going “full send” and using production.

Why This Matters:

Rancher handles certificates differently and requires the full certificate chain for proper TLS validation. If this chain isn’t provided, it can lead to handshake failures. To ensure everything works smoothly, you need to prepare your certificates and secrets before installing Rancher.

The Correct Process:

Assuming you’ve followed Tim’s guide and cert-manager has issued certificates, you should have a certificate and corresponding secret in your namespace. For example:

➜ kubectl get certificates
NAME       READY   SECRET         AGE
yorko-io   True    yorko-io-tls   11m

➜ kubectl get secrets
NAME           TYPE                DATA   AGE
yorko-io-tls   kubernetes.io/tls   2      13m

Now, here’s how you prepare these certificates for Rancher:

Steps:

  1. Create the namespace for Rancher:

    kubectl create namespace cattle-system
  2. Add the Rancher Helm repository and update it:

    helm repo add rancher-latest https://releases.rancher.com/server-charts/latest
    helm repo update
  3. (Optional) Generate a Rancher admin password:

    RANCHER_PASSWORD=$(openssl rand -base64 12)
  4. Extract the tls.crt from your cert-manager secret:

    kubectl get secret yorko-io-tls -n default -o jsonpath='{.data.tls\.crt}' | base64 --decode > tls.crt
  5. Extract the tls.key from your cert-manager secret:

    kubectl get secret yorko-io-tls -n default -o jsonpath='{.data.tls\.key}' | base64 --decode > tls.key
  6. Download the Let’s Encrypt CA certificate:

    curl -o letsencrypt-ca.pem https://letsencrypt.org/certs/isrgrootx1.pem
  7. Combine the domain certificate and CA certificate:

    cat tls.crt > combined-tls.crt && cat letsencrypt-ca.pem >> combined-tls.crt
  8. Create a Kubernetes secret for the CA certificate:

    kubectl -n cattle-system create secret generic tls-ca --from-file=cacerts.pem=letsencrypt-ca.pem --dry-run=client -o yaml | kubectl apply -f -
  9. Create or update the Rancher TLS secret for the ingress:

    kubectl -n cattle-system create secret tls tls-rancher-ingress --cert=combined-tls.crt --key=tls.key --dry-run=client -o yaml | kubectl apply -f -
  10. Install or upgrade Rancher using Helm:

    helm upgrade -i rancher rancher-latest/rancher -n cattle-system --create-namespace \
      --set hostname=rancher.yorko.io \
      --set bootstrapPassword=bootStrapAllTheThings \
      --set replicas=1 \
      --set ingress.tls.source=secret \
      --set ingress.tls.secretName=tls-rancher-ingress \
      --set privateCA=true

Why This Way Works:

Rancher requires the full certificate chain to be presented during the TLS handshake. The single domain certificate issued by Let’s Encrypt doesn’t include the intermediate CA, which some clients need to validate the connection. By combining the certificates and properly configuring the Helm chart, you ensure compatibility across all clients and prevent TLS handshake issues.

I hope this helps resolve any certificate-related issues and simplifies your setup for the future! Let me know if you have questions.
