Steps to change the URL of a Rancher installation and switch from a self-signed certificate to a certificate signed by a recognized CA.
- Change the Rancher `server-url` setting to the new URL:
  - Navigate to https://<old_rancher_hostname>/g/settings/advanced
  - Edit `server-url` to `https://<new_rancher_hostname>`
- Clear the private CA certificate for the old certificate:
  - Navigate to https://<old_rancher_hostname>/g/settings/advanced
  - Next to `cacerts` click context menu -> View in API
  - Click Edit
  - Clear the content of the `value` field
  - Click Show Request then Send Request
- Trigger a re-deployment of the cluster-agent and node-agent for each cluster:
  - Configure `kubectl` to point at the RKE cluster where Rancher server is running
  - Note down the IDs of the managed clusters:
    $ kubectl get clusters
  - For each cluster (including `local`) run:
    $ kubectl patch cluster <CLUSTER_ID> -p '{"status":{"agentImage":"dummy"}}' --type merge
- Note that this will disconnect all clusters from Rancher until the installation is upgraded with the new hostname / ingress configuration.
- Update the certificate for Rancher from the private one to a publicly signed one:
  - Delete the old certificate/key pair secret, i.e.
    $ kubectl -n cattle-system delete secret tls-rancher-ingress
  - Add the new certificate/key pair secret (https://rancher.com/docs/rancher/v2.x/en/installation/ha/helm-rancher/tls-secrets/).
  - Remove the private CA certificate:
    $ kubectl -n cattle-system delete secret tls-ca
- Upgrade the Rancher installation using the `helm upgrade` command, following the steps here: https://rancher.com/docs/rancher/v2.x/en/upgrades/upgrades/ha-server-upgrade-helm/#upgrade-rancher
  - Specify the currently installed Rancher version to prevent a software upgrade
  - Pass all the values (`--set`) that were originally specified during installation
  - Pass the new Rancher hostname in the `hostname` variable
  - Ensure you specify `--set privateCA=false` to clear out the old private CA certificate

Example:
helm upgrade rancher rancher-stable/rancher --version v2.1.6 \
  --set hostname=rancher-new.example.com \
  --set ingress.tls.source=secret \
  --set privateCA=false \
  --set ...other...options
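
A pre-flight check for the certificate step above, as an added example that is not part of the original instructions: before deleting `tls-rancher-ingress`, confirm that the new key matches the certificate, that the new hostname is covered, that the certificate is not about to expire, and that it chains to a trusted CA. It assumes the `openssl` CLI is available, that the certificate file holds the leaf followed by any intermediates, and that the local trust store stands in for "recognized CA"; the file names in the usage line are placeholders.

```shell
#!/bin/sh
# Pre-flight checks for the replacement Rancher certificate (added example).
# File names and the hostname in the usage line are placeholders.

# Key must belong to the leaf certificate: compare the two public keys.
check_key_matches() {  # <cert.pem> <key.pem>
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# The new hostname must be covered by the certificate (wildcard aware).
check_host() {  # <cert.pem> <hostname>
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# Certificate must still be valid N days from now (default 30).
check_not_expiring() {  # <cert.pem> [days]
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1
}

# Leaf must chain to a CA in the local trust store; intermediates are taken
# from the same PEM file. A self-signed or private-CA certificate fails here.
check_public_chain() {  # <fullchain.pem>
    openssl verify -untrusted "$1" "$1" 2>&1 | grep -q ': OK$'
}

preflight() {  # <fullchain.pem> <key.pem> <hostname>
    rc=0
    check_key_matches "$1" "$2" || { echo "FAIL: key does not match certificate"; rc=1; }
    check_host "$1" "$3"        || { echo "FAIL: $3 not covered by certificate"; rc=1; }
    check_not_expiring "$1"     || { echo "FAIL: certificate expires within 30 days"; rc=1; }
    check_public_chain "$1"     || { echo "FAIL: does not chain to a trusted CA"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: safe to replace tls-rancher-ingress"
    return "$rc"
}

# Usage: sh preflight.sh fullchain.pem key.pem rancher-new.example.com
if [ "$#" -eq 3 ]; then preflight "$@"; fi
```

Run it on a machine whose trust store resembles that of the downstream cluster nodes, since a certificate that verifies on an admin workstation with extra CAs installed can still fail elsewhere.
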
Yes, works quite well; Rancher's self-healing capabilities are awesome. To change the URL on agents, simply edit their address in the API and redeploy them in place (for custom agents on dedicated machines). Then roll all certificates and redeploy all services.