Environment 环境2.9Situation 地理位置A self-signed default Rancher certificate is currently used and will be migrated to a stronger Let’s Encrypt ECDSA-386 certificate using the DNS-01 renewal challenge.目前使用自签名默认的牧场证书并将通过 DNS-01 续期挑战迁移到更强的 Lets Encrypt ECDSA-386 证书。Resolution 结局Before proceeding, make sure you have backups available in case a rollback is needed. Also, ensure you have read and fully understand all the steps before starting.在继续之前确保你有备份以备需要回滚时使用。此外确保你在开始前阅读并充分理解所有步骤。1 - Modify the URL in the Rancher UI1 - 修改 Rancher 界面中的 URLIf the URL changes, modify it underGlobal settings - Settings - server-url.如果 URL 发生变化请在Global settings - Settings - server-url.2 - Configures cert-manager to issue a Lets Encrypt TLS certificate using DNS-01 challenge2 - 配置证书管理器以使用 DNS-01 挑战发放 TLS 加密证书If your issuer is Cloudflare, copy this in a file,letsencrypt-cert-manager.yamlfor example, and apply it:如果你的发行方是 Cloudflare复制这个文件比如letsencrypt-cert-manager.yaml然后应用span stylecolor:#000000span stylebackground-color:#ffffffspan stylebackground-color:#efefefcodeapiVersion: a>span stylecolor:#000000span stylebackground-color:#ffffffspan stylebackground-color:#efefefcodekubectl apply -f letsencrypt-cert-manager.yaml/code/span/span/spanNote that if you are using other issuers, please check the cert-manager DNS-01 challenge documentation for the correct syntax.请注意如果您使用其他发行机构请查看 cert-manager DNS-01 挑战文档中的正确语法。To prevent being locked by Letsencrypt during your tests, use the acme staging environment first.为了避免在测试中被 Letsencrypt 锁定建议先使用 acme 的分阶段环境 。3 -Reconfigure Rancher3 -重新配置牧场主Export your previous Rancher helm chart configuration:导出你之前的牧场主舵盘配置span stylecolor:#000000span stylebackground-color:#ffffffspan stylebackground-color:#efefefcodehelm get values rancher -n cattle-system -o yaml values.yaml/code/span/span/spanCreate a new Helm chart values file with the following settings:创建一个新的 Helm 图表值文件设置如下span stylecolor:#000000span stylebackground-color:#ffffffspan stylebackground-color:#efefefcode cat ingress_letsencrypt.yaml ingress: tls: source: secret extraAnnotations: a>Since we want to use ECDSA while the default Rancher Ingress uses RSA, we enforce private key regeneration by settingprivate-key-rotation-policytoAlways. After applying the change and once the new certificate is in place, you can remove the annotation to prevent further private key renewals (See point 8). If you choose to keep RSA as the certificate algorithm, this line is not required.由于我们想使用 ECDSA而默认的 Rancher Ingress 使用 RSA我们通过将私钥轮换策略设置为“始终”来强制私钥再生。应用变更后一旦新证书生效你可以移除注释以防止再次续签私钥见第 8 点。如果你选择保留 RSA 作为证书算法这条线就不需要。If you want to stick to your current Rancher version and dont want to update, do not forget to add the--versionoption followed by your version. Ex:--version2.10.1如果你想坚持当前的牧场主版本不想更新别忘了添加--version选项后面是你的版本。Ex--version2.10.1span stylecolor:#000000span stylebackground-color:#ffffffspan stylebackground-color:#efefefcodehelm upgrade --install rancher rancher-prime/rancher --namespace cattle-system --set hostnamemy_rancher.a>4 - Check if the new certificate has indeed be issued4 - 确认新证书是否确实已签发Use the following commands to check the renewal status:请使用以下命令检查续订状态span stylecolor:#000000span stylebackground-color:#ffffffspan stylebackground-color:#efefefcodekubectl get certificate,certificaterequest,order -n cattle-system/code/span/span/spanspan stylecolor:#000000span stylebackground-color:#ffffffspan stylebackground-color:#efefefcodekubectl events -n cattle-system/code/span/span/spanOnce the Rancher pod deployments have been rolled out, you should be able to log in to Rancher and verify the HTTPS certificate.一旦 Rancher Pod 部署完成你应该能登录 Rancher 并验证 HTTPS 证书。5 - Reconfigure Rancher agents to trust the private CA5 - 重新配置牧场代理以信任私有 CAAs explained in Updating the Rancher certificate, 3 methods exist to force the Rancher agent to trust the CA. Method 3 can be used as a fallback if method 1 and 2 are not possible.如《 更新牧场主证书 》中所述有三种方法可以强制牧场主代理信任 CA。如果方法 1 和 2 不可行方法 3 可以作为备选方案。Method 1: Force a redeploy of the Rancher agent方法一 强制重新部署牧场主代理Method 2: Manually update the checksum environment variable方法 2 手动更新校验和环境变量Method 3: Manually redeploy the Rancher agent方法三 手动重新部署牧场主代理6 - Force Update Fleet clusters to reconnect the fleet-agent to Rancher6 - 强制更新舰队集群重新连接舰队代理与牧场主As explained in Updating the Rancher certificate, you have to selectForce Updatefor the clusters within theContinuous Deliveryview of the Rancher UI to allow the fleet-agent in downstream clusters to successfully connect to Rancher.正如在更新牧场证书中所述你需要在牧场主界面的持续交付视图中选择集群强制更新才能让下游集群中的车队代理成功连接到牧场者。7 - Remove private-key-rotation-policy annotation in ingress7 - 在入口中移除私钥-轮换-策略注释You can now remove the annotation set in point 4 to prevent the renewal of the private key:你现在可以移除第4点的注释以防止私钥的更新On the fly: 即兴span stylecolor:#000000span stylebackground-color:#ffffffspan stylebackground-color:#efefefcodekubectl -n cattle-system annotate ingress rancher a>Permanently: Reapply the Rancher Helm chart removing theprivate-key-rotation-policyline iningress_letsencrypt.yaml永久重新应用牧场主 Helm 图表移除ingress_letsencrypt.yaml中的私钥轮换策略行span stylecolor:#000000span stylebackground-color:#ffffffspan stylebackground-color:#efefefcode cat ingress_letsencrypt.yaml ingress: tls: source: secret extraAnnotations: a>span stylecolor:#000000span stylebackground-color:#ffffffspan stylebackground-color:#efefefcodehelm upgrade --install rancher rancher-prime/rancher --namespace cattle-system --set hostnamemy_rancher.a>