LetsEncrypt cert autorenewal on harvester

I have created a GitHub issue/feature request and asked in the Slack channel for Harvester, but thought I'd cast my net a bit larger and post it to the community here. Does anyone have any guidance on automagically applying renewed LE certs on Harvester? A cert-manager hack in the embedded Rancher, or even an external script running certbot talking to a Harvester API, or an SCP to the master node?

Well, you got me thinking. It's been a few weeks since your post. Did you figure it out? Do you need to manage Harvester's server cert separately, not importing the Harvester instance in a Rancher Server? I imagine the solution will differ somewhat on that point.

Certificate management is always an issue; in this case I want to use Let's Encrypt. I am installing Rancher Manager outside of the Harvester cluster, and even that process is confusing (Rancher Manager 2.x, to be supported for Harvester 1.1.1, uses an nginx-ingress-controller), but the k3s that I am installing it on uses Traefik. The documentation is all over the place (harvesterhci.io, SUSE, etc.). The suse@home repo (which is an excellent resource) expects you to have an existing SUSE relationship/contract. The Slack server is full of devs, whereas I have been a glorified script kiddie all my life.

To answer your question, yes, I imagine the solution will be different not only for Harvester, but also for the installation method of Rancher Manager (as I am discovering).

It would be nice if the SUSE/Rancher Labs team provided an option in certificate management for using LE after initial installation, but I imagine that would be difficult, as you cannot assume which challenge method the user is going to use, whether it is air-gapped, or what their DNS provider is. Lots of spaghetti and weird corner cases that I personally would not want to support.