Certificates updated ==> disaster happened

mjordan79 · March 14, 2022, 3:18pm

Hello. I have created a Kubernetes cluster using RKE (1 single node). I’ve installed Rancher 2.x afterwards using helm and the following parameters:

kubectl create namespace cattle-system && \
    helm repo add rancher-stable https: releases.rancher.com/server-charts/stable && \
    helm install rancher rancher-stable /rancher \
    --namespace cattle-system \
    --set hostname=myhostname.it \
    --set bootstrapPassword=admin \
    --set ingress.tls.source=secret \
    --set privateCA=true

I then set the certificates of my company to proceed with the installation:

kubectl -n cattle-system create secret tls tls-rancher-ingress \
	--cert=certs/tls.crt \
	--key=certs/tls.key

and the CA:

kubectl -n cattle-system create secret generic tls-ca \
  --from-file=cacerts.pem=./certs/cacerts.pem

I then proceeded to create a new cluster and attaching 2 new nodes to it for deploying application.
Until now, everything’s fine. Certificates will expire in 2 days, so I have updated the new certificates following the documentation:

The CA:

kubectl -n cattle-system create secret generic tls-ca \
  --from-file=certs/2022/cacerts.pem \
  --dry-run=client --save-config -o yaml | kubectl apply -f -

And the certs:

kubectl -n cattle-system create secret tls tls-rancher-ingress \
  --cert=certs/2022/tls.crt \
  --key=certs/2022/tls.key \
  --dry-run=client --save-config -o yaml | kubectl apply -f -

I then proceeded to rotate the certificates, I don’t know if this was needed but I have followed the documentation at:

I’ve done rke cert rotate and then a rke cert rotate --rotate-ca
Kubectl was pointing to the local cluster at the time I’ve launchede these commands.

Result: The UI doesn’t allow me to login (An error occured logging in. Please try again.) and the kubectl command doesn’t communicate with the cluster anymore:
Error from server (InternalError): an error on the server ("{\"Code\":{\"Code\":\"ServerError\",\"Status\":500},\"Message\":\"Get \\\"https://10.43.0.1:443/apis/management.cattle.io/v3/clusters/c-5sph6?timeout=15m0s\\\": x509: certificate signed by unknown authority (possibly because of \\\"crypto/rsa: verification error\\\" while trying to verify candidate authority certificate \\\"kube-ca\\\")\",\"Cause\":null,\"FieldName\":\"\"}") has prevented the request from succeeding

Is there something I can do to save this installation? Please help me.

Topic		Replies	Views
Certificate issue on cluster upgraded from annual certs to 10 year certs Rancher 2.x	0	520	September 26, 2019
Rotate self signed certificate Rancher 2.x	0	622	July 10, 2020
SSL certificate renewal Rancher 2.x	8	3910	December 2, 2020
Rancher 2.x HA install and SSL termination Rancher 2.x	5	2154	February 19, 2019
RKE cluster administration not accessible after changing SSL certificate Rancher 2.x	5	1888	January 14, 2021

Certificates updated ==> disaster happened

Related Topics