Changing cacert / cluster unavailable

I have a single-host Rancher installation and we have already created some clusters.
Now we need to change the certificates so that the company controls the certs.

The problem we encounter is that when we change the CA, the already created clusters lose contact with the Rancher host.

I will explain the steps I have done and the results.

First I started Rancher with the default command below.

Clean installation.

docker run -d --restart=unless-stopped \
  -p 80:80 -p 443:443 \
  -v /opt/rancher/:/var/lib/rancher \
  rancher/rancher:latest

It starts Rancher with the default cattle-ca.

Then I created a new cluster "cluster1defaultca" with only one node for testing.

Then I stopped Rancher and started it again with my certificates.

Install Rancher with company certs.

docker run -d --restart=unless-stopped \
  -p 80:80 -p 443:443 \
  -v /opt/rancher/:/var/lib/rancher \
  -v /home/serverdrift/cert/rancher2.cer:/etc/rancher/ssl/cert.pem \
  -v /home/serverdrift/cert/rancher2.key:/etc/rancher/ssl/key.pem \
  -v /home/serverdrift/cert/ca.crt:/etc/rancher/ssl/cacerts.pem \
  rancher/rancher:latest

Now when I check the cacert it's my company's cert.

And Rancher shows that my cluster is unavailable.

Any ideas on how I will get contact with my cluster again?

Creating a new cluster works fine with the new certificates; it's only the pre-installed clusters that fail.
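A pre-flight check to run before swapping the CA, added here as an example and not part of the original post or of Rancher itself. It assumes that a cluster agent pins the SHA-256 of the CA bundle it was registered with (the `--ca-checksum` value), so a bundle whose checksum differs from the pinned one is the condition behind "cluster unavailable"; the PEM files it writes are constructed stand-ins, not real certificates.

```shell
#!/usr/bin/env bash
# Added example. Assumption: a Rancher cluster agent pins the SHA-256 of the
# CA bundle it registered with; if the bundle mounted at
# /etc/rancher/ssl/cacerts.pem hashes differently, the agent stops trusting
# the server. The PEM contents below are constructed placeholders.
set -euo pipefail

# Checksum of a CA bundle file, the value an agent would have been registered with.
ca_checksum() { sha256sum "$1" | cut -d' ' -f1; }

# Exit 0 when an agent's pinned checksum matches the bundle that is about to be
# mounted, exit 1 when the agent would no longer trust the Rancher host.
agent_matches_ca() {
  local pinned="$1" cafile="$2"
  [ "$pinned" = "$(ca_checksum "$cafile")" ]
}

# Optional: confirm the new server cert actually chains to the new CA bundle
# (needs real certificates and the openssl CLI; not run on the placeholders).
cert_chains_to_ca() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# Constructed sample: the old default cattle-ca bundle and the new company CA.
WORK=$(mktemp -d)
printf -- '-----BEGIN CERTIFICATE-----\nCONSTRUCTED-OLD-CATTLE-CA\n-----END CERTIFICATE-----\n' \
  > "$WORK/old-cacerts.pem"
printf -- '-----BEGIN CERTIFICATE-----\nCONSTRUCTED-COMPANY-CA\n-----END CERTIFICATE-----\n' \
  > "$WORK/ca.crt"

# What "cluster1defaultca" was registered with.
PINNED=$(ca_checksum "$WORK/old-cacerts.pem")

if agent_matches_ca "$PINNED" "$WORK/ca.crt"; then
  echo "existing cluster agents will keep trusting the Rancher host"
else
  echo "existing cluster agents pinned a different CA; they will show as unavailable"
fi
```

On a real host, point the two `ca_checksum` calls at the old and new `cacerts.pem` and run `cert_chains_to_ca cert.pem cacerts.pem` with the actual files.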

This is a known issue, see https://github.com/rancher/rancher/issues/14731. There are some workarounds in that issue as well.