# Rancher: manually renewing a certificate signed by cert-manager

## Run the following commands on the upstream cluster

## Install cmctl

```
$ curl -fsSL -o cmctl.tar.gz https://github.com/cert-manager/cert-manager/releases/download/v1.12.17/cmctl-linux-amd64.tar.gz && tar xzf cmctl.tar.gz && sudo mv cmctl /usr/local/bin
```

## Manual renewal

* Check the validity dates of the current certificate

```
$ echo | openssl s_client -connect `kubectl -n cattle-system get ing --no-headers -o custom-columns=HOSTS:.spec.rules[*].host`:443 2>/dev/null | openssl x509 -noout -dates
notBefore=Jan 19 05:07:01 2023 GMT
notAfter=Apr 19 05:07:01 2023 GMT
```

```
$ kubectl get certificate -n cattle-system
NAME                  READY   SECRET                AGE
tls-rancher-ingress   True    tls-rancher-ingress   187d
```

* Renew the certificate

```
$ cmctl -n cattle-system renew tls-rancher-ingress
Manually triggered issuance of Certificate cattle-system/tls-rancher-ingress
```

* Confirm that the certificate has been reissued with today's date

```
$ echo | openssl s_client -connect `kubectl -n cattle-system get ing --no-headers -o custom-columns=HOSTS:.spec.rules[*].host`:443 2>/dev/null | openssl x509 -noout -dates
notBefore=Feb 19 05:35:25 2024 GMT
notAfter=May 19 05:35:25 2024 GMT
```

* Check the certificate status

```
$ cmctl status certificate tls-rancher-ingress -n cattle-system
Name: tls-rancher-ingress
Namespace: cattle-system
Created at: 2023-08-16T09:56:13+08:00
Conditions:
  Ready: True, Reason: Ready, Message: Certificate is up to date and has not expired
DNS Names:
- bigred.cooloo9871.com
Events:
  Type    Reason     Age                From                                       Message
  ----    ------     ----               ----                                       -------
  Normal  Requested  29m                cert-manager-certificates-request-manager  Created new CertificateRequest resource "tls-rancher-ingress-fhwfb"
  Normal  Reused     44s (x4 over 86m)  cert-manager-certificates-key-manager      Reusing private key stored in existing Secret resource "tls-rancher-ingress"
  Normal  Requested  44s                cert-manager-certificates-request-manager  Created new CertificateRequest resource "tls-rancher-ingress-2xh9m"
  Normal  Issuing    43s (x4 over 86m)  cert-manager-certificates-issuing          The certificate has been successfully issued
Issuer:
  Name: rancher
  Kind: Issuer
  Conditions:
    Ready: True, Reason: KeyPairVerified, Message: Signing CA verified
  Events:  <none>
Secret:
  Name: tls-rancher-ingress
  Issuer Country:
  Issuer Organisation: dynamiclistener-org
  Issuer Common Name: dynamiclistener-ca@1692151175
  Key Usage: Digital Signature, Key Encipherment
  Extended Key Usages:
  Public Key Algorithm: RSA
  Signature Algorithm: ECDSA-SHA256
  Subject Key ID:
  Authority Key ID: 6d2be67c354797948b427461b2a117933ae4a229
  Serial Number: 1d9e4492e1d9d0c69228ee5a7c565aff
  Events:  <none>
Not Before: 2024-02-19T13:35:25+08:00
Not After: 2024-05-19T13:35:25+08:00
Renewal Time: 2024-04-19T13:35:25+08:00   # date of the next automatic renewal
No CertificateRequest found for this Certificate
```

* Inspect the certificate contents

```
$ cmctl -n cattle-system inspect -v secret tls-rancher-ingress
Valid for:
	DNS Names:
		- bigred.cooloo9871.com
	URIs: <none>
	IP Addresses: <none>
	Email Addresses: <none>
	Usages:
		- digital signature
		- key encipherment

Validity period:
	Not Before: Mon, 19 Feb 2024 05:35:25 UTC
	Not After: Sun, 19 May 2024 05:35:25 UTC

Issued By:
	Common Name:	dynamiclistener-ca@1692151175
	Organization:	dynamiclistener-ca@1692151175
	OrganizationalUnit:	dynamiclistener-org
	Country:	<none>

Issued For:
	Common Name:	<none>
	Organization:	<none>
	OrganizationalUnit:	<none>
	Country:	<none>

Certificate:
	Signing Algorithm:	ECDSA-SHA256
	Public Key Algorithm:	RSA
	Serial Number:	39369385622473288503575048514340018943
	Fingerprints:	62:7A:2D:D0:DD:18:8D:78:54:25:BC:B7:DB:16:20:26:26:22:55:28:73:35:3E:E9:8B:20:FE:B3:2F:B9:A4:1E
	Is a CA certificate:	false
	CRL:	<none>
	OCSP:	<none>

Debugging:
	Trusted by this computer:	no: x509: certificate signed by unknown authority
	CRL Status:	No CRL endpoints set
	OCSP Status:	Cannot check OCSP: No OCSP Server set
```

## Automatic rotation by cert-manager

* By default cert-manager issues certificates with a 90-day validity period and renews them automatically on day 60.

```
$ kubectl -n cattle-system get certificaterequest
NAME                        APPROVED   DENIED   READY   ISSUER    REQUESTOR                                         AGE
tls-rancher-ingress-4k7kf   True                True    rancher   system:serviceaccount:cert-manager:cert-manager   44m
tls-rancher-ingress-582gk   True                True    rancher   system:serviceaccount:cert-manager:cert-manager   18d
tls-rancher-ingress-jmv5t   True                True    rancher   system:serviceaccount:cert-manager:cert-manager   84d
```
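The following is an added example, not code from the original page or from cert-manager. It takes the `notBefore`/`notAfter` lines that `openssl x509 -noout -dates` prints, reproduces cert-manager's renewal point under the default `renewBefore` of one third of the certificate duration (so a 90-day certificate is renewed on day 60, matching the page's "Renewal Time"), and classifies the certificate as ok, renewal-due, or expired at a chosen instant. The two sample outputs are constructed from the dates shown on the page; the function and constant names are this example's own.

```python
"""Work out cert-manager's renewal point from `openssl x509 -noout -dates` output.

Added example, not part of the original page. It assumes cert-manager's default
renewBefore of one third of the certificate duration (a 90-day certificate is
renewed on day 60), which is what the page's "Renewal Time" line reflects.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# openssl prints dates as e.g. "Feb 19 05:35:25 2024 GMT" (single-digit days are space-padded).
OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y GMT"

# Constructed samples: the two `-dates` outputs shown on the page, before and after `cmctl renew`.
BEFORE_RENEWAL = "notBefore=Jan 19 05:07:01 2023 GMT\nnotAfter=Apr 19 05:07:01 2023 GMT\n"
AFTER_RENEWAL = "notBefore=Feb 19 05:35:25 2024 GMT\nnotAfter=May 19 05:35:25 2024 GMT\n"


def parse_openssl_dates(text: str) -> tuple[datetime, datetime]:
    """Parse the notBefore= and notAfter= lines into timezone-aware UTC datetimes."""
    found: dict[str, datetime] = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key in ("notBefore", "notAfter"):
            parsed = datetime.strptime(value.strip(), OPENSSL_DATE_FMT)
            found[key] = parsed.replace(tzinfo=timezone.utc)
    if set(found) != {"notBefore", "notAfter"}:
        raise ValueError("expected both notBefore= and notAfter= lines in openssl output")
    return found["notBefore"], found["notAfter"]


def renewal_time(not_before: datetime, not_after: datetime,
                 renew_before: timedelta | None = None) -> datetime:
    """cert-manager renews at notAfter - renewBefore; renewBefore defaults to duration / 3."""
    if renew_before is None:
        renew_before = (not_after - not_before) / 3
    return not_after - renew_before


def certificate_status(dates_text: str, now_iso: str) -> dict:
    """Classify the certificate at `now_iso` (ISO 8601; naive values are taken as UTC).

    Returns ISO strings and an integer day count so the result is easy to log or assert on.
    """
    now = datetime.fromisoformat(now_iso)
    if now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)
    not_before, not_after = parse_openssl_dates(dates_text)
    renew_at = renewal_time(not_before, not_after)
    if now >= not_after:
        state = "expired"        # automatic rotation did not happen; renew manually
    elif now >= renew_at:
        state = "renewal-due"    # cert-manager should be reissuing around now
    else:
        state = "ok"
    return {
        "not_before": not_before.isoformat(),
        "not_after": not_after.isoformat(),
        "renewal_time": renew_at.isoformat(),
        "days_left": (not_after - now).days,
        "state": state,
    }


if __name__ == "__main__":
    # Constructed "now": shortly after the manual renewal shown on the page.
    for label, sample in (("before renew", BEFORE_RENEWAL), ("after renew", AFTER_RENEWAL)):
        print(label, certificate_status(sample, "2024-02-19T06:00:00"))
```

In practice the `dates_text` argument is simply the output of the page's `openssl s_client ... | openssl x509 -noout -dates` pipeline; a `renewal-due` result with no fresh CertificateRequest in `kubectl -n cattle-system get certificaterequest` is the signal to look at the cert-manager controller before the certificate reaches `expired`.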