How to handle Let's Encrypt certificate renew when Rancher is using it

Hi,

How do I correctly handle Let’s Encrypt certificate renewal in Rancher?

We ran into a problem when the certificate issued by Let’s Encrypt, which we use to secure Rancher, expired. The Kubernetes nodes of the Rancher-created cluster start to complain about the expired certificate, and we need to do the steps below:
1 - Issue a new certificate for our domain
2 - Update the certificate information on Rancher (standalone install)
3 - Update the ca-checksum on the deployment and daemonsets
4 - Restart all pods to pick up the new certificate

Is there an easier way to do that?
Is there a correct way to do that? Is it something different than the steps above?
How can these steps be automated?

Tks


Hi All!

I’ve figured out how to automate the process of handling certificate renewal. We have a job that renews the certificates via the Let’s Encrypt API and copies the new files to the Rancher server, restarts the server to use the new certificates, and then you need to edit the deployment of cattle-cluster-agent and the daemonset of cattle-node-agent to update the field called CATTLE_CA_CHECKSUM with the sha256 sum of the new CA cert generated by the renewal process. To update it with a simple process you can get the new checksum of the file chain.pem and then patch the deployment and daemonset with the commands below:

# Compute the sha256 of the renewed CA chain (the value Rancher compares against CATTLE_CA_CHECKSUM)
newCheckSum=$(sha256sum chain.pem | cut -f1 -d" ")
# JSON-patch the env var in place; the env indexes (1 and 2) match the order Rancher generated
# in these workloads, so check the index with `kubectl get ... -o yaml` before running on another setup
kubectl patch deployment cattle-cluster-agent -n cattle-system --type json -p='[{"op": "replace", "path": "/spec/template/spec/containers/0/env/1/value", "value":"'${newCheckSum}'"}]'
kubectl patch daemonset cattle-node-agent -n cattle-system --type json -p='[{"op": "replace", "path": "/spec/template/spec/containers/0/env/2/value", "value":"'${newCheckSum}'"}]'
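The patch commands above hard-code the env-var index (1 and 2), which breaks silently if Rancher reorders the env list. The following added example (not from the thread or from Rancher) builds the same JSON patch by looking the CATTLE_CA_CHECKSUM entry up by name; it assumes the workload JSON comes from `kubectl get ... -o json` and embeds a constructed DaemonSet and a constructed stand-in for chain.pem so it runs offline.

```python
"""Build the CATTLE_CA_CHECKSUM JSON patch without guessing the env index.

Added example, not code from the thread. Assumes the workload object was
fetched with `kubectl get deployment/daemonset <name> -n cattle-system -o json`
and that the env var sits in the first container, as in the thread's commands.
"""
import hashlib
import json

ENV_NAME = "CATTLE_CA_CHECKSUM"


def ca_checksum(pem_bytes: bytes) -> str:
    """sha256 hex digest of the CA chain, the same value `sha256sum chain.pem` prints."""
    return hashlib.sha256(pem_bytes).hexdigest()


def checksum_patch(workload: dict, new_checksum: str, container: int = 0) -> list:
    """Return a JSON-Patch list replacing the CATTLE_CA_CHECKSUM value, found by name."""
    env = workload["spec"]["template"]["spec"]["containers"][container]["env"]
    for idx, entry in enumerate(env):
        if entry.get("name") == ENV_NAME:
            path = f"/spec/template/spec/containers/{container}/env/{idx}/value"
            return [{"op": "replace", "path": path, "value": new_checksum}]
    # Fail loudly instead of patching the wrong entry.
    raise KeyError(f"{ENV_NAME} not found in container {container}")


# Constructed sample: a trimmed cattle-node-agent DaemonSet as kubectl -o json returns it.
SAMPLE_DAEMONSET = {
    "kind": "DaemonSet",
    "metadata": {"name": "cattle-node-agent", "namespace": "cattle-system"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "agent",
        "env": [
            {"name": "CATTLE_NODE_NAME", "valueFrom": {"fieldRef": {"fieldPath": "spec.nodeName"}}},
            {"name": "CATTLE_SERVER", "value": "https://rancher.example.invalid"},
            {"name": "CATTLE_CA_CHECKSUM", "value": "0" * 64},
        ]}]}}},
}

# Constructed stand-in for chain.pem; a real run reads the renewed file from disk.
SAMPLE_CHAIN_PEM = b"-----BEGIN CERTIFICATE-----\nconstructed-sample\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    patch = checksum_patch(SAMPLE_DAEMONSET, ca_checksum(SAMPLE_CHAIN_PEM))
    # Pipe into: kubectl patch daemonset cattle-node-agent -n cattle-system --type json -p "$(python3 ca_patch.py)"
    print(json.dumps(patch))
```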