SUSE Support

Here When You Need Us

How to use External TLS Termination with AWS

This document (000020109) is provided subject to the disclaimer at the end of this document.

Situation

Task

This document covers setting up Rancher using an AWS SSL certificate and an ALB (Application Load Balancer).

Requirements

  • Running Rancher management servers on AWS

Resolution

Configure the SSL certificate
Create the Target Group
  1. Log into the AWS Console to get started.
  2. Use Create a Target Group to create a Target group using the data in the tables below to complete the procedure:

    - Target Group Name: rancher-http-80 - Protocol: http - Port: 80 - Target type: instance - VPC: Choose your VPC - Protocol (Health Check): http - Path (Health Check): /healthz

  3. Use Register Targets to Rancher management servers making sure to use the port 80.

Create the ALB
  1. From your web browser, navigate to the Amazon EC2 Console.
  2. From the navigation pane, choose LOAD BALANCING > Load Balancers.
  3. Click Create Load Balancer.
  4. Choose Application Load Balancer.
  5. Complete the Step 1: Configure Load Balancer form:

    - Basic Configuration - Name: rancher-http - Scheme: internet-facing - IP address type: ipv4 - Listeners - Add the Load Balancer Protocols and Load Balancer Ports below. - HTTP: 80 - HTTPS: 443 - Availability Zones - Select Your VPC and Availability Zones.

  6. Complete the Step 2: Configure Security Settings form.

    - Configure the certificate you want to use for SSL termination.

  7. Complete the Step 3: Configure Security Groups form.

  8. Complete the Step 4: Configure Routing form.

    - From the Target Group drop-down, choose Existing target group. - Add target group rancher-http-80.

  9. Complete Step 5: Register Targets. Since you registered your targets earlier, all you have to do it click Next: Review.

  10. Complete Step 6: Review. Look over the load balancer details and click Create when you’re satisfied.
  11. After AWS creates the ALB, click Close.
Configure External TLS Termination for Rancher

You need to add the option --set tls=external to your Rancher install, per the following example: helm install rancher rancher-latest/rancher --namespace cattle-system --set hostname=mmattox-example.support.rancher.space --version 2.3.6 --set tls=external

Verification

Run the following command to verify new certificate:

curl --insecure -v https://<<Rancher Hostname>> 2>&1 | awk 'BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\*/ { if (cert) print }'

Example output:

* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: OU=Domain Control Validated; CN=*.rancher.tools
*  start date: Jul  2 00:42:01 2019 GMT
*  expire date: May  2 00:19:41 2020 GMT
*  issuer: C=BE; O=GlobalSign nv-sa; CN=AlphaSSL CA - SHA256 - G2
*  SSL certificate verify ok.
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Mark bundle as not supporting multiuse
* Connection #0 to host mmattox-example.support.rancher.space left intact

NOTE: Some browsers will cache the certificate. Details on how to clear the SSL state in a browser can be found here.

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:000020109
  • Creation Date: 06-May-2021
  • Modified Date:06-May-2021
    • SUSE Rancher

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com

tick icon

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

tick icon

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.

tick icon

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.