@superseb
Created October 26, 2020 15:59
Generate ECDSA CA, intermediate CA and server certificate with DNS alt names using Terraform in Docker and launch Rancher

Generate ECDSA CA, intermediate CA and server certificate

The superseb/intermediate-ecdsa image runs Terraform to create an ECDSA root CA, an intermediate CA signed by that root, and a server certificate signed by the intermediate. The subject alternative names come from the TF_VAR_ip_addresses and TF_VAR_dns_names variables (JSON lists; put the hostname Rancher will be reached on in place of yolo.seb.local), and the output files (root_ca.crt, server.crt, server.fullchain.crt, server.key) land in ./testcerts on the host through the volume mount:

docker run --rm -v $PWD/testcerts:/tmp/certs/files -e TF_VAR_ip_addresses='["127.0.0.1"]' -e TF_VAR_dns_names='["yolo.seb.local"]' superseb/intermediate-ecdsa

Run Rancher

Run the Rancher container with the generated certificates mounted. server.fullchain.crt (the server certificate followed by the intermediate CA certificate) is mounted as cert.pem so that clients receive the complete chain, and root_ca.crt is mounted as cacerts.pem because the certificate is signed by a private CA rather than a publicly trusted one. The --privileged flag is what the Rancher single-node Docker install requires; it also means the container effectively has root on the host, which is acceptable for this test setup but should not be copied to a production host without consideration:

docker run -d --privileged -p 80:80 -p 443:443 --restart=unless-stopped -v $PWD/testcerts/server.fullchain.crt:/etc/rancher/ssl/cert.pem -v $PWD/testcerts/server.key:/etc/rancher/ssl/key.pem -v $PWD/testcerts/root_ca.crt:/etc/rancher/ssl/cacerts.pem rancher/rancher

Test certificates using the CA root

curl is told to trust only root_ca.crt. The handshake should succeed: Rancher serves the intermediate together with the server certificate, so curl can chain the leaf back to the root, and the request to 127.0.0.1 matches the IP SAN generated above. --net host is used so that 127.0.0.1 inside the curl container is the host's Rancher listener; with -v, curl prints the server certificate's subject and issuer and "SSL certificate verify ok.":

docker run --rm -v $PWD/testcerts:/certs --net host appropriate/curl -v --cacert /certs/root_ca.crt https://127.0.0.1

Test Rancher with broken certificate (missing intermediate)

Run the Rancher container with server.crt (the leaf certificate only) mounted as cert.pem instead of server.fullchain.crt. Stop and remove the previous Rancher container first, since both bind ports 80 and 443:

docker run -d --privileged -p 80:80 -p 443:443 --restart=unless-stopped -v $PWD/testcerts/server.crt:/etc/rancher/ssl/cert.pem -v $PWD/testcerts/server.key:/etc/rancher/ssl/key.pem -v $PWD/testcerts/root_ca.crt:/etc/rancher/ssl/cacerts.pem rancher/rancher

Test certificates using the CA root

Same check as before, but this time it should fail: the server presents only its own certificate, curl trusts only the root, and nothing links the two, so curl exits with code 60 and "SSL certificate problem: unable to get local issuer certificate". Mounting root_ca.crt as cacerts.pem does not help here; that file is consumed by Rancher itself and does not change what the TLS listener sends to clients, so the intermediate has to be in cert.pem:

docker run --rm -v $PWD/testcerts:/certs --net host appropriate/curl -v --cacert /certs/root_ca.crt https://127.0.0.1
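The check curl performs in the two tests above, reproduced offline as an added example (this is not code from the gist or from the superseb/intermediate-ecdsa image): it builds its own ECDSA root, intermediate and server certificate with the same SANs using Go's crypto/x509, then verifies the server certificate against the root alone, first with only the leaf (server.crt) and then with the leaf plus intermediate (the equivalent of server.fullchain.crt). The function names, CA names, serial numbers and validity periods are arbitrary choices made here. Go reports the missing-intermediate case as "x509: certificate signed by unknown authority" where curl/OpenSSL says "unable to get local issuer certificate"; the cause is the same.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"time"
)

// template builds a one-year certificate template; CA templates get the CA bits.
func template(serial int64, cn string, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return t
}

// sign creates a fresh P-256 key, issues tmpl for it under parent (signed by
// signer, or self-signed when signer is nil) and returns cert, key and PEM.
func sign(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if signer == nil {
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// GenerateChain builds root CA -> intermediate CA -> server certificate (all ECDSA P-256, with the given SANs) and returns their PEMs in that order.
func GenerateChain(dnsNames []string, ips []net.IP) ([]byte, []byte, []byte) {
	rootTmpl := template(1, "Test Root CA", true) // constructed test CA, not the Terraform one
	root, rootKey, rootPEM := sign(rootTmpl, rootTmpl, nil)
	intTmpl := template(2, "Test Intermediate CA", true)
	intTmpl.MaxPathLen, intTmpl.MaxPathLenZero = 0, true // may sign leaves only
	inter, intKey, interPEM := sign(intTmpl, root, rootKey)
	srvTmpl := template(3, dnsNames[0], false)
	srvTmpl.DNSNames, srvTmpl.IPAddresses = dnsNames, ips
	srvTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	_, _, srvPEM := sign(srvTmpl, inter, intKey)
	return rootPEM, interPEM, srvPEM
}

// FullChain is server.fullchain.crt: the leaf followed by the intermediate.
func FullChain(srvPEM, interPEM []byte) []byte {
	return append(append([]byte{}, srvPEM...), interPEM...)
}

// VerifyServer does what curl --cacert root_ca.crt does: trust only the root, take the
// first presented certificate as the leaf and anything after it as untrusted intermediates.
func VerifyServer(rootPEM, presentedPEM []byte, host string) error {
	roots := x509.NewCertPool()
	roots.AppendCertsFromPEM(rootPEM) // the only trust anchor, like --cacert
	block, rest := pem.Decode(presentedPEM)
	if block == nil {
		return fmt.Errorf("server presented no certificate")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	inters := x509.NewCertPool()
	inters.AppendCertsFromPEM(rest) // empty for server.crt, the intermediate for fullchain
	_, err = leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	rootPEM, interPEM, srvPEM := GenerateChain([]string{"yolo.seb.local"}, []net.IP{net.ParseIP("127.0.0.1")})
	fmt.Println("server.crt only:     ", VerifyServer(rootPEM, srvPEM, "yolo.seb.local"))
	fmt.Println("server.fullchain.crt:", VerifyServer(rootPEM, FullChain(srvPEM, interPEM), "yolo.seb.local"))
}
```

Running it prints a verification error for the leaf-only case and nil for the full chain. The same VerifyServer call with "127.0.0.1" as the host succeeds against the IP SAN, and a hostname not in the SAN list fails even with the complete chain, which is the other half of what curl checks.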