hello, I have just run to an issue and would like ...
# general
a
hello, I have just run into an issue and would like to get your opinions on possible solutions. It seems that my tls-rancher-ingress cert has expired, as shown on the following screen. What is the recommended way of cert renewal in this situation? Unfortunately I cannot issue any `helm` commands on the host, as it gives me `Error: UPGRADE FAILED: Kubernetes cluster unreachable: the server has asked for the client to provide credentials`, which I believe is related to the outdated cert.
h
can you run kubectl on the cluster?
If so, this is how I replace `tls-rancher-ingress`:
kubectl -n cattle-system delete secret tls-rancher-ingress

kubectl -n cattle-system create secret tls tls-rancher-ingress --cert=tls.crt --key=tls.key
a
I can run kubectl, so thanks for pointing that out, but as far as I remember I installed rancher using the `ingress.tls.source=letsEncrypt` switch, so in that case are the `--cert=tls.crt --key=tls.key` switches from your suggestion still valid?
h
Probably not... I do not use lets encrypt
but as per this doc: https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster#3-choose-you[…]onfiguration for lets encrypt, cert-manager is required. So, I would start with looking at pod logs of cert-manager to determine why the certificate did not renew on its own
a
Indeed, I do use cert-manager, and it seems that `cert-manager-webhook` does not have min availability due to:
Failed to generate serving certificate, retrying..." err="internal error: CA certificate has expired, try again later
- any ideas how this CA can be renewed?
s
you might be able to delete content out of the cert-manager namespace and then re-rollout the cert-manager deployment?
# del
kubectl delete secret -n cert-manager <secret-name>
kubectl delete certificate -n cert-manager <your-cert-name>
kubectl delete order -n cert-manager --all
kubectl delete challenge -n cert-manager --all
kubectl delete pod -n cert-manager --all

# rollout
kubectl rollout restart deployment -n cert-manager
a
will try to do that later on and will post results, thanks for directions and feedback 😄
@stocky-fall-82040 thanks!!! Your solution worked like a charm 😄