Upgrade SSL certificates on Rancher HA Servers

Hello,

I was wondering if anyone knows what the procedure would look like to upgrade the SSL certificates used in the step of generating the HA server script? I have provided some certificates which I notice will expire in a few months, and I would like to prepare for that.

Best regards,

Alejandro

You can edit the certificate in Infrastructure -> Certificates

1 Like

Hi Vincent,

As always, thanks for your reply! After this is done I can see that the /var/lib/rancher/etc/ssl/ca.crt file has changed on all of my hosts. Does something need to be restarted after this? When I try to add a host to the environment now, I get some SSL error connecting (the cert in the load balancer is valid and matches the one added to the cluster):

`requests.exceptions.SSLError: ("bad handshake: Error([('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)",)`

Thanks!

Alejandro

Hi @alexR,

Sorry for the delay in response. From this error I can discern you are using self-signed certificates, correct (this would be the case if Rancher generated the certs)?

Are you adding hosts using a specific cloud provider integration, or the custom method? If you are doing custom registration, it would be necessary to copy the new ca.crt to the /var/lib/rancher/etc/ssl/ folder. The error indicates that the host you are trying to register doesn't trust the CA that signed the certificate presented by your load balancer.

1 Like
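Added example, not part of any post in this thread: a shell check for the two conditions discussed above, whether a given ca.crt validates the certificate the load balancer presents, and whether that certificate is close to expiry. The function names are hypothetical and the CAs and certificate are constructed throwaway test data generated with `openssl`.

```shell
#!/usr/bin/env bash
# Added example. All CAs and certificates are constructed throwaway test data.

# cert_trusted_by CAFILE CERT: 0 if CERT chains to a CA in CAFILE.
cert_trusted_by() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_valid_for_days CERT DAYS: 0 if CERT is still unexpired DAYS days from now.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# make_ca DIR NAME: self-signed test CA written to DIR/NAME.crt and DIR/NAME.key.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

# make_leaf DIR CA NAME DAYS: test server certificate DIR/NAME.crt signed by CA.
make_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$3.key" -out "$1/$3.csr" >/dev/null 2>&1 &&
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
    -CAcreateserial -days "$4" -out "$1/$3.crt" >/dev/null 2>&1
}

demo() {
  d=$(mktemp -d) || return 1
  make_ca "$d" old-ca && make_ca "$d" new-ca && make_leaf "$d" new-ca lb 30 || return 1
  # A host still holding the old ca.crt rejects the load balancer's new certificate.
  cert_trusted_by "$d/old-ca.crt" "$d/lb.crt" || echo "old ca.crt: verify failed"
  cert_trusted_by "$d/new-ca.crt" "$d/lb.crt" && echo "new ca.crt: verify ok"
  cert_valid_for_days "$d/lb.crt" 90 || echo "lb.crt expires within 90 days"
  rm -rf "$d"
}

# On a real host the inputs would be /var/lib/rancher/etc/ssl/ca.crt and the
# certificate saved from the load balancer, e.g. with `openssl s_client -showcerts`.
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run the script with `--demo` to see the three results on the generated test certificates.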

Hi!

Thank you very much for the reply. I finally got it working; I was actually using our own valid certificates. But the problem seemed to be that I needed to delete the /var/lib/rancher/state directory on the Docker hosts (used as resources).

Best regards and again thank you!

Alejandro

Glad you figured it out!

James