
fierce-accountant-13638

01/09/2023, 4:21 PM
Hello 👋 I recently updated my k3s installation and my TLS certificates are no longer being signed by my root CA. I injected my certificates based on the instructions here: https://github.com/k3s-io/k3s/issues/1868#issuecomment-639690634 Did the certificate handling change? Is there a better documented way to use my private root CA to sign the CAs used by k3s? My goal is to be able to validate the certs when pushing changes with kubectl.

creamy-pencil-82913

01/09/2023, 4:30 PM
that isn’t technically supported. If you self-sign your own certs then you need to be sure that they don’t get within 90 days of expiring, or K3s will renew them using its managed CA certs.
We don’t currently have any option to tell K3s not to manage the certificates. If it needs a new cert, or needs to renew a cert, it will generate one.
we haven’t changed anything in that space so I suspect they just came up for renewal and K3s took care of them.
What we will eventually support is using K3s cluster CAs that are signed by an external CA. That should come soon-ish.

fierce-accountant-13638

01/09/2023, 4:34 PM
Would that be using ACME requests?
Or something similar?
I just have the keys locally and am using the tls Terraform provider to create the certs. I'll admit I have a strange setup 😅

creamy-pencil-82913

01/09/2023, 4:37 PM
no, just by signing the cluster CA with an external cert. ACME support would be cool but there’s a lot of overhead associated with that. We just do it all locally using the CA cert+keys

fierce-accountant-13638

01/09/2023, 4:40 PM
OK cool. I was guessing on ACME. If there's a list of where to put the generated certs, that's actually easier for me.
That documentation looks great! I'll take a look in a little bit and see if that works for me. Thank you!
I see what you mean by eventually. Is there mailing list or something where I would see this feature? I'd love to see updates about k3s (and longhorn and rancher desktop)

creamy-pencil-82913

01/09/2023, 5:07 PM
just github
the PR is at https://github.com/k3s-io/k3s/pull/6615, you can hit the subscribe button there to get notifications from GH when it is updated.

fierce-accountant-13638

01/09/2023, 5:09 PM
Nice! Subscribed.
Could I bother you with another mostly unrelated question?

creamy-pencil-82913

01/09/2023, 5:17 PM
sure

fierce-accountant-13638

01/09/2023, 5:23 PM
Is there a way to replace the Traefik default certificate using only Kubernetes manifests?
I've tried setting up a TLSStore and I have it working for one service, but I'd like to override the cert for the default error handlers that print 404 Not Found or 503 Service Unavailable
I haven't been able to get the TLSStore working for those endpoints

creamy-pencil-82913

01/09/2023, 5:36 PM
I think you can point it at a tlsstore for the default with a CLI flag? I’m not sure tbh, I’m not a Traefik expert

fierce-accountant-13638

01/09/2023, 6:49 PM
I figured it out, the TLSStore needed to be in the default namespace. I must have looked at this documentation at least three times before seeing the Kubernetes tab: https://doc.traefik.io/traefik/https/tls/#default-certificate

creamy-pencil-82913

01/09/2023, 7:05 PM
yeah the docs can be a little hard to parse at times