Using Private/custom CA signed certificate for all API communication.

[gauravkarki]

I am using rke2 v1.20.7. I am using my own private CA signed certificate for Rancher "https://rancher.com/docs/rancher/v2.6/en/installation/resources/tls-secrets/".

However all other API communication between api-server and rest of the components are using the self-signed certificate generated by rke2 itself.

Sample Vulnerability Scan output

TLS/SSL certificate is self-signed.
TLS/SSL certificate signed by unknown, untrusted CA: CN=Kubernetes Ingress Controller Fake Certificate, O=Acme Co -- [Path does not chain with any of the trust anchors].

I believe all the certificate are stored in

• /var/lib/rancher/rke2/server/tls/ for server node
• /var/lib/rancher/rke2/agent/ for agent node

Going through the rke2 installation and "Advanced Options and Configuration" section under https://docs.rke2.io/, I did not find any information.

Question.
Is there anyway to use custom/private CA cert for all API communication?

[brandond]

TLS/SSL certificate signed by unknown, untrusted CA: CN=Kubernetes Ingress Controller Fake Certificate, O=Acme Co

The cert you're seeing here is (as it says) the certificate created by the ingress controller if you don't provide your own ingress cert. Are you trying to change this, or the cluster CA certificates?

[gauravkarki]

Sorry, I didnot copied the last line of /var/lib/rancher/rke2/server/manifests/rke2-ingress-nginx-config.yaml

#cat /var/lib/rancher/rke2/server/manifests/rke2-ingress-nginx-config.yaml
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: rke2-ingress-nginx
  namespace: kube-system
spec:
  valuesContent: |-
    default-ssl-certificate: "kube-system/ingress-nginx-tls"
~         

Where ingress-nginx-tls is my private tls cert

# kubectl -n kube-system describe secrets ingress-nginx-tls
Name:         ingress-nginx-tls
Namespace:    kube-system
Labels:       <none>
Annotations:  <none>

Type:  kubernetes.io/tls

Data
====
tls.crt:  2094 bytes
tls.key:  1704 bytes

Right now when I see its using the fake cert. I would like to see my private cert.

# curl --verbose -k https://10.165.5.173:443
* Server certificate:
*  subject: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate
*  start date: Sep  7 18:27:38 2021 GMT
*  expire date: Sep  7 18:27:38 2022 GMT
*  issuer: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.

[brandond]

default-ssl-certificate does not appear to be a recognized configuration key; I don't see it in values.yaml. Did you want to add it to the controller's extraArgs?

https://github.com/kubernetes/ingress-nginx/blob/main/charts/ingress-nginx/values.yaml#L154-L158

apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: rke2-ingress-nginx
  namespace: kube-system
spec:
  valuesContent: |-
    controller:
      extraArgs:
        default-ssl-certificate: "kube-system/ingress-nginx-tls"

[gauravkarki]

Brandond,
Thank you very much for your help. Your suggestion (creating below file) resolved my issue.

# cat /var/lib/rancher/rke2/server/manifests/rke2-ingress-nginx-config.yaml
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: rke2-ingress-nginx
  namespace: kube-system
spec:
  valuesContent: |-
    controller:
      extraArgs:
        default-ssl-certificate: "kube-system/ingress-nginx-tls"

Regarding my another question on changing the cluster CA certificates:

• is it advisable to change it to private/custom TLS?
• is there any documentation that explains how to change it?

I guess there is a risk of cluster not working if we change it to private/custom CA certificate when it expires. if we let the default then RKE rotates the certificate before it expires.

[brandond]

We don't have documented instructions for user-provided cluster CA certificates. There are some fairly simple steps to do it using openssl in issues if you search around a bit. Signing all the cluster certs with an external CA is not currently supported.

[gauravkarki]

Thanks Brad for your help and information.