Rotate self signed certificate

Hi everyone,

I stumbled upon an issue with certificate rotation.

We’ve deployed rancher on kubernetes with rke and self signed certificate. Our certificate expired Wednesday at 5 pm which leads to kubectl being unable to contact kubernetes cluster (X509 certificate expired or not yet valid).

As rancher ui was still available I tried to rotate certificate only to see that I would have to do it through rke and not the ui since it is an imported cluster(if I understand correctly).

So I tried to use rke like that rke cert rotate without success. It ran correctly but I still could not use kubectl.

I tried rke cert rotate --rotate-ca which appears to run correctly as well but kubectl was still unable to contact cluster. More on that, it triggered an error on rancher ui telling a CA certificate mismatch and thus I was unable to log on rancher ui.

Before that I also tried to update tls-rancher-ingress and tls-ca and upgrade rancher with helm upgrade but that didn’t work either.

I finally decided to reinstall the cluster because nothing critical was running but in the case I could not reinstall the cluster what should I have done to generate new certificate and tell rancher to use it ?

Setup :

rancher 2.3.7
rke 1.0.8 (iirc)
kubernetes 1.17 for the imported cluster deployed with rke

1 Like