Access to the Certificates Store

I’d like to access the Infrastructure -> Certificates store to install stored certs on one of my services.

I found this post Alarms in rancher that shows setting some magic labels to get rancher to set api creds as environment variables. From there I found the certificates endpoint in the api (/v1/projects/nnn/certificates), but it doesn’t list the keys.

Is there some way to get the keys for the certificates, or a better method?

If it’s not listing them for security reasons, there’s really no point in hiding them from any user role that can shell into the lb containers. From there you can read them in /etc/haproxy/certs.

Upgrading soon to 1.0, but currently on:
Rancher v0.63.1
Cattle v0.155.1
User Interface v0.95.0
Rancher Compose v0.7.2

This GH issue might help you out. I know @janeczku @janeczku1 has been using certificates so he might be able to help?

The keys are write-only in the API. Being able to find a way to get the key through launching a balancer, execing and inspecting files is very different than offering them up on a platter and always broadcasting them to the API & UI.

If we were to do anything about this it would probably be something like a flag, writable only on create, that sets whether the key should be readable or not for that specific certificate resource.


Thanks for the links, but the only workaround listed was running letsencrypt, which I don’t think I can use my current certificates with.

Although it’s possible, because the LoadBalancer service containers have access, it doesn’t look like there’s a way for us mere mortals to access the full key and certs.

As a workaround I populated my key and cert chain in metadata via a custom rancher catalog. Then in my entrypoint script I save metadata to a file my haproxy install can consume.

Definitely not as clean as using the cert store would be, but it will get me going for now.

in entrypoint.sh

```bash
# -f added so curl fails on HTTP errors instead of saving the error page as cert.pem
curl -fSs -o /usr/local/etc/haproxy/cert.pem http://rancher-metadata/latest/self/service/metadata/ssl_pem
```

docker-compose.yml

```yaml
web-proxy:
  ports:
    - 80:80
    - 443:443
    - 8080:8080
  labels:
    io.rancher.container.pull_image: always
  image: *****/haproxy:latest
```

rancher-compose.yml

```yaml
.catalog:
  name: web-proxy
  version: "0"
  description: Haproxy frontend proxy for Web App
  uuid: web-proxy-0
  questions:
    - variable: cert
      label: SSL Certificate
      description: CRT
      type: multiline
      required: true
    - variable: intermediate
      label: SSL Intermediate Certs
      description: Intermediate
      type: multiline
      required: true
    - variable: key
      label: SSL Private Key
      description: Private Key
      type: multiline
      required: true

web-proxy:
  scale: 1
  health_check:
    port: 8080
    interval: 10000
    unhealthy_threshold: 2
    request_line: GET / HTTP/1.1
    healthy_threshold: 2
    response_timeout: 2000
  metadata:
    ssl_pem: |
      ${cert}
      ${intermediate}
      ${key}
```
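Added example, not code from the original post: a hardened version of the curl step in the entrypoint above. It downloads the bundle to a 0600 temp file and only moves it into place if it holds balanced certificate blocks, exactly one private key and no unexpanded `${...}` catalog placeholder, so haproxy never starts against an empty, half-written or error-page cert.pem. The metadata key `ssl_pem` and the rancher-metadata URL come from the post; the file paths, function names and `fetch` argument are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: hardened replacement for the
# curl line in entrypoint.sh. ssl_pem and the rancher-metadata URL are from
# the thread; paths, function names and the "fetch" argument are assumptions.
set -eu

METADATA_URL="${METADATA_URL:-http://rancher-metadata/latest/self/service/metadata/ssl_pem}"
CERT_FILE="${CERT_FILE:-/usr/local/etc/haproxy/cert.pem}"

# Returns 0 when the file looks like a complete haproxy PEM bundle: at least
# one certificate block, exactly one private key block, every BEGIN paired
# with an END, and no unexpanded ${...} left over from the catalog template.
validate_pem_bundle() {
  f="$1"; [ -s "$f" ] || { echo "$f: missing or empty" >&2; return 1; }
  certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
  cert_ends=$(grep -c -- '-----END CERTIFICATE-----' "$f" || true)
  keys=$(grep -c -E -- '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$f" || true)
  key_ends=$(grep -c -E -- '-----END (RSA |EC )?PRIVATE KEY-----' "$f" || true)
  if [ "$certs" -lt 1 ] || [ "$certs" -ne "$cert_ends" ]; then
    echo "$f: missing or unbalanced CERTIFICATE block" >&2; return 1
  fi
  if [ "$keys" -ne 1 ] || [ "$key_ends" -ne 1 ]; then
    echo "$f: expected exactly one PRIVATE KEY block" >&2; return 1
  fi
  if grep -q -F '${' "$f"; then
    echo "$f: contains an unexpanded \${...} placeholder" >&2; return 1
  fi
  return 0
}

# Download to a 0600 temp file, validate, then move into place atomically, so
# haproxy never starts against an empty, half-written or error-page cert.pem.
fetch_pem_bundle() {
  url="$1"; dest="$2"
  umask 077
  tmp=$(mktemp "${dest}.XXXXXX")
  # -f makes curl fail on HTTP errors instead of saving the error body
  if ! curl -fSs -o "$tmp" "$url" || ! validate_pem_bundle "$tmp"; then
    rm -f "$tmp"; return 1
  fi
  mv "$tmp" "$dest"
}

# Entrypoint mode: ./entrypoint.sh fetch   (defines functions only otherwise)
if [ "${1:-}" = "fetch" ]; then
  fetch_pem_bundle "$METADATA_URL" "$CERT_FILE"
  exec haproxy -f /usr/local/etc/haproxy/haproxy.cfg
fi
```

Keep in mind that service metadata is served by rancher-metadata to containers, not only to the web-proxy process, so the private key in `ssl_pem` is exposed to the same class of readers the thread already describes for the lb containers' /etc/haproxy/certs; this script narrows what lands on disk and when, not who can fetch the metadata.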