rancher: certificate rotate doesn't work on older rancher created clusters

What kind of request is this (question/bug/enhancement/feature request): bug

Steps to reproduce (least amount of steps as possible): have a cluster with expired certs, created with an older version of rancher 2.x (2.0.7), and run cert rotate from the UI.

Result: errors ensue

workaround:

# back up /etc/kubernetes
tar cvjf ~/k8s_config.tar.bz2 /etc/kubernetes

# create a cluster.yml file and copy it to cluster-state.yml under the /etc/kubernetes/.tmp folder

# create missing certs; the .tmp folder is /opt/rke/etc/kubernetes/.tmp or /etc/kubernetes/.tmp
cd /opt/rke/etc/kubernetes/.tmp || cd /etc/kubernetes/.tmp
cp kube-ca.pem kube-apiserver-requestheader-ca.pem
cp kube-ca-key.pem kube-apiserver-requestheader-ca-key.pem
cp kube-apiserver.pem kube-apiserver-proxy-client.pem
cp kube-apiserver-key.pem kube-apiserver-proxy-client-key.pem

# need to use rancher v2.2.3+
# execute rotate certs from the UI for this cluster

thanks to @galal-hussein for developing the workaround 😄

About this issue

  • State: closed
  • Created 5 years ago
  • Reactions: 2
  • Comments: 17 (8 by maintainers)
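
A read-only preflight for the workaround in the issue body above, added here as an example and not part of the issue or of Rancher's own tooling. It checks that the staging folder holds the four source files, the four copies and cluster-state.yml, and reports certificate expiry with `openssl x509 -checkend`; the function names and script name are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: read-only preflight for the .tmp staging folder used by the workaround.

# The four copies the workaround performs, as "source destination" pairs.
workaround_pairs() {
  cat <<'EOF'
kube-ca.pem kube-apiserver-requestheader-ca.pem
kube-ca-key.pem kube-apiserver-requestheader-ca-key.pem
kube-apiserver.pem kube-apiserver-proxy-client.pem
kube-apiserver-key.pem kube-apiserver-proxy-client-key.pem
EOF
}

# List the files the workaround needs that are absent from directory $1.
missing_files() {
  workaround_pairs | while read -r src dst; do
    [ -f "$1/$src" ] || echo "source:$src"
    [ -f "$1/$dst" ] || echo "copy:$dst"
  done
  [ -f "$1/cluster-state.yml" ] || echo "state:cluster-state.yml"
}

# Report whether the certificate in file $1 is past its notAfter date.
cert_status() {
  if openssl x509 -checkend 0 -noout -in "$1" >/dev/null 2>&1; then
    echo valid
  else
    echo expired-or-unreadable
  fi
}

# Print the status of every certificate in $1 (key files skipped), then any
# missing files; return 1 if something is missing.
preflight() {
  for f in "$1"/*.pem; do
    case $f in *-key.pem) continue ;; esac
    if [ -f "$f" ]; then echo "$(cert_status "$f") $f"; fi
  done
  missing=$(missing_files "$1")
  if [ -n "$missing" ]; then echo "$missing"; return 1; fi
}

# Usage: ./preflight.sh /etc/kubernetes/.tmp   (script name is hypothetical)
if [ "$#" -gt 0 ]; then preflight "$1"; fi
```

Because the copies reuse the cluster CA key and the API server key under new names, the staging folder and the tar backup hold private key material and should stay readable by root only.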

Most upvoted comments

I still have this error. Single rancher node, single k8s node. If I click rotate, nothing happens; the k8s node has the .tmp dir and has all the keys, but the dates on the files are not updating, so I think even the rotate message is “lost”. I think I need to somehow update one or more containers on the k8s instance too…

(I have all the files; only the cluster-state.yml is missing because I have no idea where I can find the original, or how I can write a new one.)

Documentation about the error and about how these things are connected would probably let more people try to fix it by hand when the “automatic” methods are failing. (I think yesterday I read most of the documentation and issues about this topic, but I have no idea where I should go next to learn more and finally fix my “cluster”.)

@spawnia you can copy the entire ssl certificate to .tmp:

cp -r /etc/kubernetes/ssl /etc/kubernetes/.tmp

and then trigger another certificate rotation; this should be enough to fetch the old certs and proceed with the rotation normally.