@janeczku
Last active March 18, 2024 17:37
Change the hostname/URL and certificate of an existing Rancher installation

Steps to change the URL of a Rancher installation and switch from a self-signed certificate to a certificate signed by a recognized CA.

  1. Change the Rancher server-url setting to the new URL:

    • Navigate to https://<old_rancher_hostname>/g/settings/advanced
    • Edit server-url to https://<new_rancher_hostname>
  2. Clear the private CA certificate for the old certificate:

    • Navigate to https://<old_rancher_hostname>/g/settings/advanced
    • Next to cacerts click context menu -> View in API
    • Click Edit
    • Clear the content of the value field
    • Click Show Request then Send Request
  3. Trigger a re-deployment of the cluster-agent and node-agent for each cluster:

    • Configure kubectl to point at the RKE cluster where Rancher server is running
    • Note down the IDs of the managed clusters: $ kubectl get clusters
    • For each cluster (including local) run:
    $ kubectl patch cluster <CLUSTER_ID> -p '{"status":{"agentImage":"dummy"}}' --type merge
    
  4. Note that this will disconnect all clusters from Rancher until the installation is upgraded with the new hostname / ingress configuration.

  5. Update the certificate for Rancher from a private to a publicly signed one:

  6. Upgrade the Rancher installation using the helm upgrade command, following the steps here: https://rancher.com/docs/rancher/v2.x/en/upgrades/upgrades/ha-server-upgrade-helm/#upgrade-rancher

    • Specify the currently installed Rancher version to prevent a software upgrade
    • Pass all the values (--set) that were originally specified during installation
    • Pass the new Rancher hostname in the hostname variable
    • Ensure you specify --set privateCA=false to clear out the old private CA certificate

    Example:

    helm upgrade rancher rancher-stable/rancher --version v2.1.6 \
    --set hostname=rancher-new.example.com \
    --set ingress.tls.source=secret \
    --set privateCA=false \
    --set ...other...options
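
Steps 1 to 3 above can be gated and scripted from kubectl, so that the agent re-deployment is only triggered once the new server-url is set and the old private CA has been cleared. This is an added example, not part of the original gist; it assumes kubectl points at the cluster running Rancher and that settings and clusters are readable as settings.management.cattle.io and clusters.management.cattle.io custom resources (the function names are hypothetical).

```shell
#!/usr/bin/env bash
# Added example (not from the gist): gate step 3 on steps 1 and 2.
# Assumes kubectl points at the cluster running Rancher and that settings and
# clusters are readable as *.management.cattle.io custom resources.

# Print the value of a Rancher setting (empty output when it is unset).
rancher_setting() {
  kubectl get settings.management.cattle.io "$1" -o jsonpath='{.value}'
}

# Return 0 only if server-url is the new URL and cacerts has been cleared.
preflight() {
  local url ca
  url="$(rancher_setting server-url)" || return 2
  ca="$(rancher_setting cacerts)" || return 2
  if [ "$url" != "$1" ]; then
    echo "server-url is '$url', expected '$1' (step 1 not applied)" >&2
    return 1
  fi
  if [ -n "$ca" ]; then
    echo "cacerts still holds a private CA (step 2 not applied)" >&2
    return 1
  fi
}

# Patch every cluster, including local; return the number of failed patches.
redeploy_agents() {
  local id failed
  failed=0
  for id in $(kubectl get clusters.management.cattle.io \
                -o jsonpath='{.items[*].metadata.name}'); do
    if kubectl patch clusters.management.cattle.io "$id" --type merge \
         -p '{"status":{"agentImage":"dummy"}}' >/dev/null; then
      echo "patched $id"
    else
      echo "FAILED $id" >&2
      failed=$((failed + 1))
    fi
  done
  return "$failed"
}

# Usage: NEW_URL=https://<new_rancher_hostname> ./redeploy-agents.sh
if [ -n "${NEW_URL:-}" ]; then
  preflight "$NEW_URL" && redeploy_agents
fi
```

A non-zero exit means either a pre-check failed or at least one cluster was not patched; resolve that before running the helm upgrade.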
    
@sebastien-helbert

Thanks for sharing this @Nilegfx it works as expected

@maxgio92

JFI the comment from @Nilegfx is correct, but right now it misses the update of the node's system agent.
The system agents need to be updated with the registration command. That command can be taken from the Rancher UI: Cluster Management > > Registration and re-run on each node, modifying the correct role based on the node it is run on.
