Install Rancher 2.0 HA by using self signed certificates (+ intermediate) and Layer 4 Loadbalancer (TCP)

Install Rancher 2.0 HA by using self signed certificates (+ intermediate) and Layer 4 Loadbalancer (TCP)

Warning: the RKE install method is only supported up to v2.0.8!

This gist describes how to setup Rancher 2 HA, by using self signed certificates (with intermediate) and a Layer 4 Loadbalancer (TCP)



Variables used in this guide:

  • FQDN:
  • Node 1 IP:
  • Node 2 IP:
  • Node 3 IP:

Create self signed certificates

This script is based on, which creates a Root CA, Intermediate CA and Certificate.

Run this script and follow the instructions, you need to fill in:

  • Common Name for the Root CA (Yourcompany Root CA for example)
  • Common Name for the Intermediate (Yourcompany Intermediate CA for example)
  • Use your FQDN as Common Name for the certificate (

Copy the contents below or download via


# Root pair
mkdir /root/ca
cd /root/ca
mkdir certs crl newcerts private
chmod 700 private
touch index.txt
echo 1000 > serial

wget -O /root/ca/openssl.cnf

echo "##########"
echo "CREATE root key"
echo "##########"
openssl genrsa -aes256 -out private/ca.key.pem 4096
chmod 400 private/ca.key.pem

echo "##########"
echo "CREATE root certificate"
echo "Fill in the Common Name!"
echo "##########"
openssl req -config openssl.cnf \
      -key private/ca.key.pem \
      -new -x509 -days 7300 -sha256 -extensions v3_ca \
      -out certs/ca.cert.pem
chmod 444 certs/ca.cert.pem

# Intermediate
mkdir /root/ca/intermediate
cd /root/ca/intermediate
mkdir certs crl csr newcerts private
chmod 700 private
touch index.txt
echo 1000 > serial
echo 1000 > /root/ca/intermediate/crlnumber

wget -O /root/ca/intermediate/openssl.cnf
echo "##########"
echo "KEY intermediate"
echo "##########"
cd /root/ca
openssl genrsa -aes256 \
      -out intermediate/private/intermediate.key.pem 4096
chmod 400 intermediate/private/intermediate.key.pem

echo "##########"
echo "CSR intermediate"
echo "Fill in the Common Name!"
echo "##########"
openssl req -config intermediate/openssl.cnf -new -sha256 \
      -key intermediate/private/intermediate.key.pem \
      -out intermediate/csr/intermediate.csr.pem

echo "##########"
echo "SIGN intermediate"
echo "##########"
openssl ca -config openssl.cnf -extensions v3_intermediate_ca \
      -days 3650 -notext -md sha256 \
      -in intermediate/csr/intermediate.csr.pem \
      -out intermediate/certs/intermediate.cert.pem
chmod 444 intermediate/certs/intermediate.cert.pem

cat intermediate/certs/intermediate.cert.pem \
      certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem
chmod 444 intermediate/certs/ca-chain.cert.pem

echo "##########"
echo "KEY certificate"
echo "##########"
openssl genrsa -aes256 \
      -out intermediate/private/ 2048
chmod 400 intermediate/private/

echo "##########"
echo "CSR certificate"
echo "Use as Common Name"
echo "##########"
openssl req -config intermediate/openssl.cnf \
      -key intermediate/private/ \
      -new -sha256 -out intermediate/csr/
echo "##########"
echo "SIGN certificate"
echo "##########"
openssl ca -config intermediate/openssl.cnf \
      -extensions server_cert -days 375 -notext -md sha256 \
      -in intermediate/csr/ \
      -out intermediate/certs/
chmod 444 intermediate/certs/

echo "##########"
echo "Create files to be used for Rancher"
echo "##########"
mkdir -p /root/ca/rancher/base64
cp /root/ca/certs/ca.cert.pem /root/ca/rancher/cacerts.pem
cat /root/ca/intermediate/certs/ /root/ca/intermediate/certs/intermediate.cert.pem > /root/ca/rancher/cert.pem
echo "##########"
echo "Removing passphrase from Rancher certificate key"
echo "##########"
openssl rsa -in /root/ca/intermediate/private/ -out /root/ca/rancher/key.pem
cat /root/ca/rancher/cacerts.pem | base64 -w0 > /root/ca/rancher/base64/cacerts.base64
cat /root/ca/rancher/cert.pem | base64 -w0 > /root/ca/rancher/base64/cert.base64
cat /root/ca/rancher/key.pem | base64 -w0 > /root/ca/rancher/base64/key.base64

echo "##########"
echo "Verify certificates"
echo "##########"
openssl verify -CAfile certs/ca.cert.pem \
openssl verify -CAfile intermediate/certs/ca-chain.cert.pem \

The script should end the following, indicating everything is OK.

Verify certificates
intermediate/certs/intermediate.cert.pem: OK
intermediate/certs/ OK

Configure the RKE template

This guide is based on the 3-node-certificate.yml template, which is used for self signed certificates and using a Layer 4 Loadbalancer (TCP).

Download the template

wget -O /root/3-node-certificate.yml

Edit the values (FQDN, BASE64_CRT, BASE64_KEY, BASE64_CA)

This command will replace the values, you only have to edit below to match your FQDN.

  • Change to your FQDN
sed -i -e "s/<FQDN>/" -e "s/<BASE64_CRT>/$(cat /root/ca/rancher/base64/cert.base64)/" -e "s/<BASE64_KEY>/$(cat /root/ca/rancher/base64/key.base64)/" -e "s/<BASE64_CA>/$(cat /root/ca/rancher/base64/cacerts.base64)/" /root/3-node-certificate.yml

Validate that the FQDN is replaced correctly:

cat 3-node-certificate.yml | grep

Configure nodes

On top of the 3-node-certificate.yml file, configure your nodes that will be used for the cluster.


  - address: # hostname or IP to access nodes
    user: root
    role: [controlplane,etcd,worker] # K8s roles for node
    ssh_key_path: ~/.ssh/id_rsa # path to PEM file
  - address:
    user: root
    role: [controlplane,etcd,worker]
    ssh_key_path: ~/.ssh/id_rsa # path to PEM file
  - address:
    user: root
    role: [controlplane,etcd,worker]
    ssh_key_path: ~/.ssh/id_rsa # path to PEM file

Run RKE to setup the cluster

Run RKE to setup the cluster

./rke_linux-amd64 up --config 3-node-certificate.yml

Which should finish with the following to indicate that it is successfull:

INFO[0XXX] Finished building Kubernetes cluster successfully

Validate cluster


All nodes should be in Ready status (it can take a few minutes before they get Ready)

kubectl --kubeconfig kube_config_3-node-certificate.yml get nodes
NAME              STATUS    ROLES                      AGE       VERSION       Ready     controlplane,etcd,worker   1m        v1.10.5       Ready     controlplane,etcd,worker   1m        v1.10.5       Ready     controlplane,etcd,worker   1m        v1.10.5


All pods must be in Running status, and names containing job should be in Completed status.

kubectl --kubeconfig kube_config_3-node-certificate.yml get pods --all-namespaces
NAMESPACE       NAME                                      READY     STATUS      RESTARTS   AGE
cattle-system   cattle-859b6cdc6b-qzs2z                   1/1       Running     0          3m
ingress-nginx   default-http-backend-564b9b6c5b-rqcvk     1/1       Running     0          4m
ingress-nginx   nginx-ingress-controller-4vmf7            1/1       Running     0          4m
ingress-nginx   nginx-ingress-controller-ftm6c            1/1       Running     0          4m
ingress-nginx   nginx-ingress-controller-vs44t            1/1       Running     0          4m
kube-system     canal-b9gvb                               3/3       Running     0          4m
kube-system     canal-h8wcb                               3/3       Running     0          4m
kube-system     canal-n6qtt                               3/3       Running     0          4m
kube-system     kube-dns-5ccb66df65-zjbrt                 3/3       Running     0          4m
kube-system     kube-dns-autoscaler-6c4b786f5-7q657       1/1       Running     0          4m
kube-system     rke-ingress-controller-deploy-job-d64ch   0/1       Completed   0          4m
kube-system     rke-kubedns-addon-deploy-job-hbz44        0/1       Completed   0          4m
kube-system     rke-network-plugin-deploy-job-g5wtq       0/1       Completed   0          4m
kube-system     rke-user-addon-deploy-job-9c5j5           0/1       Completed   0          4m

Ingress created

The created Ingress should match your FQDN

kubectl --kubeconfig kube_config_3-node-certificate.yml get ingress -n cattle-system

Overlay network

To test the overlay network:

Save this file as ds-alpine.yml:

apiVersion: apps/v1
kind: DaemonSet
  name: alpine
        name: alpine
        name: alpine
      - effect: NoExecute
        key: ""
        value: "true"
      - effect: NoSchedule
        key: ""
        value: "true"
      - image: alpine
        imagePullPolicy: Always
        name: alpine
        command: ["sh", "-c", "tail -f /dev/null"]
        terminationMessagePath: /dev/termination-log

Run the following command:

kubectl --kubeconfig kube_config_3-node-certificate.yml create -f ds-alpine.yml
kubectl --kubeconfig kube_config_3-node-certificate.yml rollout status ds/alpine -w

Wait until it returns: daemon set "alpine" successfully rolled out.

Then execute the following command to test network connectivity:

echo "=> Start"; kubectl --kubeconfig kube_config_3-node-certificate.yml get pods -l name=alpine -o jsonpath='{range .items[*]}{}{" "}{@.spec.nodeName}{"\n"}{end}' | while read spod shost; do kubectl --kubeconfig kube_config_3-node-certificate.yml get pods -l name=alpine -o jsonpath='{range .items[*]}{@.status.podIP}{" "}{@.spec.nodeName}{"\n"}{end}' | while read tip thost; do kubectl --kubeconfig kube_config_3-node-certificate.yml --request-timeout='10s' exec $spod -- /bin/sh -c "ping -c2 $tip > /dev/null 2>&1"; RC=$?; if [ $RC -ne 0 ]; then echo $shost cannot reach $thost; fi; done; done; echo "=> End"

Which should result in the following, indicating it is working as expected:

=> Start
=> End

Validate Rancher

Run the following to validate the accessibility to Rancher:

Validate certificates

To validate the certificates:

openssl s_client -CAfile /root/ca/rancher/cacerts.pem -connect -servername

This should result in the following, indicating the chain is correct. You can repeat this for the other hosts ( and

    Start Time: 1531422707
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

Validate connection

Use the following command to see if you can reach the Rancher server:

curl --cacert /root/ca/rancher/cacerts.pem --resolve

Response should be pong.

Set up loadbalancer

If this is all functioning correctly, you can put a load balancer in front. See for an NGINX example:

