How to rotate certificates after they've expired?

I wish I’d been aware of this about a month ago.

Rancher stopped accepting ldap-based webUI logins and after restarting the docker instance it won’t start at all.

The significant error in the docker logs seems to be:
time="2021-04-05T16:20:20.157240593Z" level=fatal msg="starting tls server: Get https://localhost:6444/apis/ x509: certificate has expired or is not yet valid"

And Rancher Docs: Certificate Rotation says that
"Rotating these certificates is important before the certificates expire".

Now what?

Found this: working on it

The above link includes references to rotating certs that have expired, but it still requires use of the webUI. Do I need to get the webUI working somehow (is something other than the expired certs keeping it from starting?), or do I need some other method from a CLI?
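As an added example (not from this thread or from Rancher/k3s), a POSIX shell check that reports how many days each PEM certificate under a directory has left, so the expiry behind the "certificate has expired or is not yet valid" error above can be caught while rotation is still routine. The default directory /var/lib/rancher/k3s/server/tls is an assumption about the k3s layout inside the Rancher container; pass another directory as the first argument.

```shell
#!/bin/sh
# Report days until expiry for every *.crt / *.pem certificate under a directory.
# Exit status: 0 all OK, 1 at least one cert inside the warning window, 2 at least
# one cert already expired (or not yet valid).

# Print the number of days until the certificate in "$1" expires (negative if it
# has already expired). Returns 1 if the file is not a parseable certificate.
cert_days_left() {
    cert="$1"
    enddate=$(openssl x509 -in "$cert" -noout -enddate 2>/dev/null | cut -d= -f2)
    [ -n "$enddate" ] || return 1
    # GNU date first; fall back to BSD/macOS date syntax.
    end_epoch=$(date -u -d "$enddate" +%s 2>/dev/null) \
        || end_epoch=$(date -j -u -f "%b %e %T %Y %Z" "$enddate" +%s) \
        || return 1
    now_epoch=$(date -u +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# check_certs [dir] [warn_days]  -- assumed k3s cert directory is only a default.
check_certs() {
    dir="${1:-/var/lib/rancher/k3s/server/tls}"
    warn_days="${2:-30}"
    status=0
    # Word-splitting on find output is fine here: k3s cert paths contain no spaces.
    for f in $(find "$dir" \( -name '*.crt' -o -name '*.pem' \) 2>/dev/null); do
        days=$(cert_days_left "$f") || continue   # skip keys and non-cert PEMs
        if [ "$days" -lt 0 ]; then
            echo "EXPIRED  $f (expired $(( 0 - days )) days ago)"
            status=2
        elif [ "$days" -lt "$warn_days" ]; then
            echo "WARNING  $f expires in $days days"
            if [ "$status" -eq 0 ]; then status=1; fi
        else
            echo "OK       $f expires in $days days"
        fi
    done
    return "$status"
}
```

Run it on a schedule (or as a readiness check) and alert on any non-zero exit; the Rancher docs' "rotate before they expire" advice is only actionable if something is watching the dates.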


I had the same problem as you.
My LocalCluster had its cert expire after one year. After some searching on Google,
I found this issue: certificate expired and rotate · Issue #1621 · k3s-io/k3s · GitHub

With this gist: k3s cert rotation · GitHub

After that my Rancher setup worked fine again.

Please do a backup first :smiley:


Turns out I had two problems. I had to fix the webUI, then it was simple to rotate the certs.

We're a small shop running an 11-node K8S cluster on bare metal, and I run Rancher on a VM in a docker container. At some point recently Rancher changed their requirements so that their docker image now needs to run in privileged mode. Changed that and it broke out of its restart loop.

All is well…