
I have a Rancher running inside a Kubernetes cluster. It is installed using helm chart. The Rancher web UI is exposed using an ingress.

There is a DNS record for this ingress in an external DNS: rancher.myexample.com (this is just an example DNS name!)

I have a wildcard TLS certificate that covers *.myexample.com.

How do I use this TLS certificate for Rancher exposed via the ingress?

Harsh Manvar
Michael Chudinov

2 Answers

You can add the certificate from Resources > Secrets > Certificates. Click Add Certificate.

Check the same path for the version of Rancher you are using.

Read more at: https://rancher.com/docs/rancher/v2.5/en/k8s-in-rancher/certificates/

Option 2:

Create a secret with the certificate details, and attach the cert to the ingress.

Setting the default certificate of the Nginx ingress: https://rancher.com/docs/rke/latest/en/config-options/add-ons/ingress-controllers/#configuring-an-nginx-default-certificate

Harsh Manvar
  • Option 2 is the only reasonable one, because certificate integration must be automated. However, this option assumes that the cluster.yml used to create the cluster is available. Where do I get this cluster.yml file? The one that was used for my cluster installation with default helm. – Michael Chudinov Oct 09 '21 at 15:08

The only workable solution for Rancher with a private custom CA certificate is described here: https://rancher.com/docs/rancher/v2.5/en/installation/resources/update-ca-cert/

The solution has 3 steps:

  1. Create the certificate secret resource
  2. Create the CA certificate secret resource
  3. Run the Rancher deployment

Example script:

# Namespace that Rancher is installed into
kubectl create namespace cattle-system

# Step 1: TLS secret holding the server certificate and its private key
kubectl -n cattle-system create secret tls tls-rancher-ingress \
  --cert=manifests/certs/tls.crt \
  --key=manifests/certs/tls.key

# Step 2: secret holding the private CA certificate
kubectl -n cattle-system create secret generic tls-ca \
  --from-file=manifests/certs/ca.crt

# Step 3: deploy Rancher and tell the chart to take the ingress certificate
# from the secret created above. DOMAIN must be set in the environment
# beforehand, e.g. DOMAIN=myexample.com
helm install rancher rancher-latest/rancher \
  --namespace cattle-system \
  --set hostname="rancher.$DOMAIN" \
  --set ingress.tls.source=secret \
  --set replicas=3

This works as well for an existing cluster, but the secrets must be updated and the helm deployment must be updated.

Michael Chudinov
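Both answers end up creating a kubernetes.io/tls secret from the wildcard certificate, and a certificate that does not actually cover rancher.myexample.com, or a key that does not belong to the certificate, only shows up as a TLS error after the deployment. The script below is an added example, not code from either answer or from Rancher: it checks those three things with openssl before the secret is created (a *.myexample.com certificate covers rancher.myexample.com but not a.b.myexample.com, because a wildcard matches exactly one label), and renders the same Secret manifest that the kubectl create secret tls command in the script above produces, so it can be reviewed first. It assumes openssl is installed and that certificate, key and hostname are passed as arguments; the file paths are placeholders.

```shell
#!/bin/sh
# Pre-flight checks for the wildcard certificate that will back the Rancher
# ingress secret. Added example; needs only openssl and base64.

# check_cert_for_host CERT KEY HOST
# Returns 0 when HOST is covered by CERT (SAN/CN, wildcard = one label only),
# KEY is the private key of CERT, and CERT is not expired. Returns 1 otherwise.
check_cert_for_host() {
  cert=$1; key=$2; host=$3
  # 1. Does the certificate cover the hostname? openssl prints
  #    "Hostname ... does match certificate" or "... does NOT match certificate".
  openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q "does match" || return 1
  # 2. Does the private key belong to this certificate? Compare the public keys.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 1
  # 3. Not expired now; warn when it expires within 30 days (2592000 s), since
  #    a wildcard certificate is usually renewed somewhere else and then has
  #    to be re-imported into the secret.
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || return 1
  openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null \
    || echo "warning: $cert expires within 30 days" >&2
  return 0
}

# render_tls_secret NAME NAMESPACE CERT KEY
# Prints the Secret manifest that
#   kubectl create secret tls NAME --cert=CERT --key=KEY --dry-run=client -o yaml
# would print. Note that the values are only base64-encoded, not encrypted:
# do not commit the output to a repository.
render_tls_secret() {
  name=$1; ns=$2; cert=$3; key=$4
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $ns
type: kubernetes.io/tls
data:
  tls.crt: $(base64 < "$cert" | tr -d '\n')
  tls.key: $(base64 < "$key" | tr -d '\n')
EOF
}

# Usage: ./check-rancher-cert.sh tls.crt tls.key rancher.myexample.com
# (placeholder paths). Only runs when three arguments are given.
if [ "$#" -eq 3 ]; then
  if check_cert_for_host "$1" "$2" "$3"; then
    render_tls_secret tls-rancher-ingress cattle-system "$1" "$2"
  else
    echo "certificate/key do not fit host $3; not rendering the secret" >&2
    exit 1
  fi
fi
```

Pipe the rendered manifest into kubectl apply -n cattle-system -f - once it looks right; the helm install from the answer then picks the secret up through ingress.tls.source=secret.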