# general
a
h
File names must be tls.crt and tls.key; if you use any other file names (like mycert.crt and mykey.key) it will not work...
These steps have worked for me:
cp rancher.key tls.key
cp rancher.crt tls.crt
 
helm install rancher-latest/rancher   --name rancher   --namespace cattle-system   --set hostname=rancher.mydomain.org   --set ingress.tls.source=secret
 
kubectl -n cattle-system rollout status deploy/rancher

# Change directory to where your tls.key and tls.crt files are
kubectl -n cattle-system create secret tls tls-rancher-ingress  --cert=tls.crt   --key=tls.key
t
Gah, I was using the wrong filenames. I didn't think that mattered.
👍 1
But I just redeployed a new secret with the correct filenames. I also then updated the ingress with
kubectl edit ingress
right? I tried a different secret name just so I know it's the correct one by name.
Still not serving the right certificate unfortunately
Does this look odd? Should the port be 443?
spec:
  ingressClassName: traefik
  rules:
  - host: rancher.k3s.dnsif.ca
    http:
      paths:
      - backend:
          service:
            name: rancher
            port:
              number: 80
        path: /
        pathType: ImplementationSpecific
  tls:
  - hosts:
    - rancher.k3s.dnsif.ca
    secretName: tls-rancher-ingress5
status:
  loadBalancer:
    ingress:
    - ip: 192.168.152.134
certbot generates 4 files for me; which certs do I rename to tls.crt and tls.key? cert.pem chain.pem fullchain.pem privkey.pem
h
Just going by file names, I am thinking cert.pem is the certificate and privkey.pem is the key... but you can check with
openssl x509 -text < <filename>
or maybe it will tell you in the certbot logs?
t
I was generating it manually with certbot, outside of the Kubernetes cluster. The reason being that these are non-public hosts, so the automated Let's Encrypt setup would work (I think). Would it work if my nodes are just internal VMs with no inbound web ports open? Or should I still try to get that working with another reverse proxy to allow the Let's Encrypt verification?
Ah, I got it working. That was my second problem. I was using the fullchain.pem instead of the cert.pem. THANK YOU SO MUCH. I've been banging my head on this for more than a week.
🎉 1
h
Happy Rancher-ing 😆
💯 1