Skip to main content
Version: 2.4.15

Certificate Troubleshooting

How Do I Know if My Certificates are in PEM Format?#

You can recognize the PEM format by the following traits:

  • The file begins with the following header:
    -----BEGIN CERTIFICATE-----
  • The header is followed by a long string of characters.
  • The file ends with a footer: -----END CERTIFICATE-----

PEM Certificate Example:

----BEGIN CERTIFICATE-----MIIGVDCCBDygAwIBAgIJAMiIrEm29kRLMA0GCSqGSIb3DQEBCwUAMHkxCzAJBgNV... more linesVWQqljhfacYPgp8KJUJENQ9h5hZ2nSCrI+W00Jcw4QcEdCI8HL5wmg==-----END CERTIFICATE-----

PEM Certificate Key Example:

-----BEGIN RSA PRIVATE KEY-----MIIGVDCCBDygAwIBAgIJAMiIrEm29kRLMA0GCSqGSIb3DQEBCwUAMHkxCzAJBgNV... more linesVWQqljhfacYPgp8KJUJENQ9h5hZ2nSCrI+W00Jcw4QcEdCI8HL5wmg==-----END RSA PRIVATE KEY-----

If your key looks like the example below, see Converting a Certificate Key From PKCS8 to PKCS1.

-----BEGIN PRIVATE KEY-----MIIGVDCCBDygAwIBAgIJAMiIrEm29kRLMA0GCSqGSIb3DQEBCwUAMHkxCzAJBgNV... more linesVWQqljhfacYPgp8KJUJENQ9h5hZ2nSCrI+W00Jcw4QcEdCI8HL5wmg==-----END PRIVATE KEY-----

Converting a Certificate Key From PKCS8 to PKCS1#

If you are using a PKCS8 certificate key file, Rancher will log the following line:

ListenConfigController cli-config [listener] failed with : failed to read private key: asn1: structure error: tags don't match (2 vs {class:0 tag:16 length:13 isCompound:true})

To make this work, you will need to convert the key from PKCS8 to PKCS1 using the command below:

openssl rsa -in key.pem -out convertedkey.pem

You can now use convertedkey.pem as certificate key file for Rancher.

What is the Order of Certificates if I Want to Add My Intermediate(s)?#

The order of adding certificates is as follows:

-----BEGIN CERTIFICATE-----%YOUR_CERTIFICATE%-----END CERTIFICATE----------BEGIN CERTIFICATE-----%YOUR_INTERMEDIATE_CERTIFICATE%-----END CERTIFICATE-----

How Do I Validate My Certificate Chain?#

You can validate the certificate chain by using the openssl binary. If the output of the command (see the command example below) ends with Verify return code: 0 (ok), your certificate chain is valid. The ca.pem file must be the same as you added to the rancher/rancher container.

When using a certificate signed by a recognized Certificate Authority, you can omit the -CAfile parameter.

Command:

openssl s_client -CAfile ca.pem -connect rancher.yourdomain.com:443...    Verify return code: 0 (ok)