How do I renew the Rancher CA certificate?

I have recently been testing features of Rancher 2.5.9. The default CA certificate is valid for 10 years; how do I renew the certificate after those 10 years?

[screenshot attached]



That's ten years away, and you're already worrying about it now?

If the CA worries you, just sign your own CA certificate; there is no need to depend on the CA that Rancher issues automatically.

Even if you sign a self-signed certificate that is valid for 100 years, the CA certificate of the K3s cluster inside Rancher Server is still valid for 10 years. In other words, if you move the clock 10 years ahead, Rancher's certificate is fine, but the K3s certificates have expired; those are the certificates in your screenshot above.


So as long as we can deal with the expiry of the K3s CA certificates, we are fine.


I ran the following test:

1. Self-signed certificates, CA: 500 years, SSL: 100 years

```shell
docker run -v $PWD/certs:/certs \
    -e CA_SUBJECT="My own root CA" \
    -e CA_EXPIRE="182500" \
    -e SSL_EXPIRE="36500" \
    -e SSL_SUBJECT="rancher.yourdomain.com" \
    -e SSL_DNS="rancher31.kingsd.top.com" \
    -e SILENT="true" \
    superseb/omgwtfssl
```

2. Start Rancher with the self-signed certificates

```shell
docker run -d --restart=unless-stopped \
    -p 80:80 -p 443:443 \
    -v $PWD/certs/cert.pem:/etc/rancher/ssl/cert.pem \
    -v $PWD/certs/key.pem:/etc/rancher/ssl/key.pem \
    -v $PWD/certs/ca.pem:/etc/rancher/ssl/cacerts.pem \
    --privileged \
    rancher/rancher:v2.5.11
```

3. Check the expiry dates of the K3s certificates inside Rancher Server

```
root@621558d98585:/var/lib/rancher# for i in /var/lib/rancher/k3s/server/tls/*.crt; do echo $i; openssl x509 -enddate -noout -in $i; done
/var/lib/rancher/k3s/server/tls/client-admin.crt
notAfter=Dec 31 05:08:47 2022 GMT
/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt
notAfter=Dec 31 05:08:47 2022 GMT
/var/lib/rancher/k3s/server/tls/client-ca.crt
notAfter=Dec 29 05:08:47 2031 GMT
/var/lib/rancher/k3s/server/tls/client-cloud-controller.crt
notAfter=Dec 31 05:08:47 2022 GMT
/var/lib/rancher/k3s/server/tls/client-controller.crt
notAfter=Dec 31 05:08:47 2022 GMT
/var/lib/rancher/k3s/server/tls/client-k3s-controller.crt
notAfter=Dec 31 05:08:47 2022 GMT
/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt
notAfter=Dec 31 05:08:47 2022 GMT
/var/lib/rancher/k3s/server/tls/client-kube-proxy.crt
notAfter=Dec 31 05:08:47 2022 GMT
/var/lib/rancher/k3s/server/tls/client-scheduler.crt
notAfter=Dec 31 05:08:47 2022 GMT
/var/lib/rancher/k3s/server/tls/request-header-ca.crt
notAfter=Dec 29 05:08:47 2031 GMT
/var/lib/rancher/k3s/server/tls/server-ca.crt
notAfter=Dec 29 05:08:47 2031 GMT
/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt
```

4. Set the system time of the Rancher Server host to 20 years in the future

```
# timedatectl set-ntp no
# date -s 20411231
# date
Tue Dec 31 00:00:03 CST 2041
```

5. At this point the UI cannot be reached because the K3s certificates have expired. The log:

```
raft2041/12/30 16:00:24 INFO: 8e9e05c52164694d is starting a new election at term 2
raft2041/12/30 16:00:24 INFO: 8e9e05c52164694d became candidate at term 3
raft2041/12/30 16:00:24 INFO: 8e9e05c52164694d received MsgVoteResp from 8e9e05c52164694d at term 3
raft2041/12/30 16:00:24 INFO: 8e9e05c52164694d became leader at term 3
raft2041/12/30 16:00:24 INFO: raft.node: 8e9e05c52164694d elected leader 8e9e05c52164694d at term 3
2041-12-30 16:00:24.273950 I | etcdserver: published {Name:default ClientURLs:[http://localhost:2379]} to cluster cdf818194e3a8c32
2041-12-30 16:00:24.274455 I | embed: ready to serve client requests
2041-12-30 16:00:24.276001 N | embed: serving insecure client requests on 127.0.0.1:2379, this is strongly discouraged!
2041/12/30 16:00:24 [INFO] Waiting for server to become available: Get "https://127.0.0.1:6443/version?timeout=15m0s": dial tcp 127.0.0.1 connect: connection refused
2041/12/30 16:00:26 [INFO] Waiting for server to become available: Get "https://127.0.0.1:6443/version?timeout=15m0s": x509: certificate has expired or is not yet valid: current time 2041-12-30T16:00:26Z is after 2022-12-31T05:08:47Z
2041/12/30 16:00:28 [INFO] Waiting for server to become available: Get "https://127.0.0.1:6443/version?timeout=15m0s": x509: certificate has expired or is not yet valid: current time 2041-12-30T16:00:28Z is after 2022-12-31T05:08:47Z
2041/12/30 16:00:30 [INFO] Waiting for server to become available: Get "https://127.0.0.1:6443/version?timeout=15m0s": x509: certificate has expired or is not yet valid: current time 2041-12-30T16:00:30Z is after 2022-12-31T05:08:47Z
2041/12/30 16:00:32 [INFO] Waiting for server to become available: Get "https://127.0.0.1:6443/version?timeout=15m0s": x509: certificate has expired or is not yet valid: current time 2041-12-30T16:00:32Z is after 2022-12-31T05:08:47Z
2041/12/30 16:00:34 [INFO] Waiting for server t
```

6. Manually rotate the K3s CA certificates

exec into the container and run:

```shell
rm -rf /var/lib/rancher/k3s/server/tls/*.crt
rm -f /var/lib/rancher/k3s/server/tls/dynamic-cert.json
```

7. Restart Rancher Server. Note: it has to be restarted twice; the first restart requests the certificates, the second loads the certificates and starts up.

Result:

Rancher Server now starts successfully, and Rancher Server can be reached through the UI again.

Check the K3s certificate expiry dates once more:

```
root@acbd602871f9:/var/lib/rancher# for i in /var/lib/rancher/k3s/server/tls/*.crt; do echo $i; openssl x509 -enddate -noout -in $i; done
/var/lib/rancher/k3s/server/tls/client-admin.crt
notAfter=Dec 30 16:01:22 2042 GMT
/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt
notAfter=Dec 30 16:01:22 2042 GMT
/var/lib/rancher/k3s/server/tls/client-ca.crt
notAfter=Dec 28 16:01:22 2051 GMT
/var/lib/rancher/k3s/server/tls/client-cloud-controller.crt
notAfter=Dec 30 16:01:22 2042 GMT
/var/lib/rancher/k3s/server/tls/client-controller.crt
notAfter=Dec 30 16:01:22 2042 GMT
/var/lib/rancher/k3s/server/tls/client-k3s-controller.crt
notAfter=Dec 30 16:01:22 2042 GMT
/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt
notAfter=Dec 30 16:01:22 2042 GMT
/var/lib/rancher/k3s/server/tls/client-kube-proxy.crt
notAfter=Dec 30 16:01:22 2042 GMT
/var/lib/rancher/k3s/server/tls/client-scheduler.crt
notAfter=Dec 30 16:01:22 2042 GMT
/var/lib/rancher/k3s/server/tls/request-header-ca.crt
notAfter=Dec 28 16:01:22 2051 GMT
/var/lib/rancher/k3s/server/tls/server-ca.crt
notAfter=Dec 28 16:01:22 2051 GMT
/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt
notAfter=Dec 30 16:01:22 2042 GMT
```
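The answer above shows that the K3s leaf certificates expire after one year and the CA certificates after ten, and that discovering this only when the UI stops responding is painful. As an added example that is not part of the thread, the following Python audit parses the output of the same openssl loop the answer runs and flags certificates that expire within a chosen window, marking CA certificates separately because rotating them is the disruptive step (delete the .crt files and dynamic-cert.json, then restart twice). The sample output is constructed from the values in the thread; `collect_enddates` assumes the `openssl` binary is available inside the container.

```python
import glob
import subprocess
from datetime import datetime, timezone

TLS_DIR = "/var/lib/rancher/k3s/server/tls"  # directory inspected in the thread

# Constructed sample in the exact shape of the thread's openssl loop output.
SAMPLE_OUTPUT = """\
/var/lib/rancher/k3s/server/tls/client-admin.crt
notAfter=Dec 31 05:08:47 2022 GMT
/var/lib/rancher/k3s/server/tls/client-ca.crt
notAfter=Dec 29 05:08:47 2031 GMT
/var/lib/rancher/k3s/server/tls/server-ca.crt
notAfter=Dec 29 05:08:47 2031 GMT
/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt
notAfter=Dec 31 05:08:47 2022 GMT
"""

def parse_enddates(text):
    """Map each .crt path to its notAfter timestamp (UTC) from loop output."""
    certs, path = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(".crt"):
            path = line
        elif line.startswith("notAfter=") and path:
            stamp = line[len("notAfter="):]  # e.g. "Dec 31 05:08:47 2022 GMT"
            when = datetime.strptime(stamp, "%b %d %H:%M:%S %Y %Z")
            certs[path] = when.replace(tzinfo=timezone.utc)
    return certs

def collect_enddates(tls_dir=TLS_DIR):
    """Run the same openssl loop as the thread and parse it (run inside the container)."""
    chunks = []
    for crt in sorted(glob.glob(f"{tls_dir}/*.crt")):
        proc = subprocess.run(["openssl", "x509", "-enddate", "-noout", "-in", crt],
                              capture_output=True, text=True, check=True)
        chunks.append(f"{crt}\n{proc.stdout}")
    return parse_enddates("".join(chunks))

def expiring(certs, now_date, within_days=30):
    """Return [(path, days_left, is_ca)] for certs that expire within the window;
    now_date is 'YYYY-MM-DD' interpreted as UTC. Already-expired certs are included."""
    now = datetime.strptime(now_date, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    flagged = []
    for path, not_after in sorted(certs.items()):
        days_left = (not_after - now).days
        if days_left <= within_days:
            flagged.append((path, days_left, path.endswith("-ca.crt")))
    return flagged
```

Run `expiring(collect_enddates(), "<today>", 30)` inside the Rancher container to get the list a monitoring job would alert on; a flagged `-ca.crt` entry means the full rotation from the answer is due, not just a leaf renewal.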

The Rancher certificate has been renewed.

[screenshot attached]

But the k8s cluster certificate kube-ca cannot be renewed; the kube-ca certificate defaults to 10 years. Is there any way to extend it?

[screenshot attached]

