Certificate Troubleshooting


How Do I Know if My Certificates are in PEM Format?

You can recognize the PEM format by the following traits:

  • The file begins with the following header: -----BEGIN CERTIFICATE-----
  • The header is followed by a long string of characters.
  • The file ends with a footer: -----END CERTIFICATE-----

PEM Certificate Example:

  -----BEGIN CERTIFICATE-----
  MIIGVDCCBDygAwIBAgIJAMiIrEm29kRLMA0GCSqGSIb3DQEBCwUAMHkxCzAJBgNV
  ... more lines
  VWQqljhfacYPgp8KJUJENQ9h5hZ2nSCrI+W00Jcw4QcEdCI8HL5wmg==
  -----END CERTIFICATE-----

PEM Certificate Key Example:

  -----BEGIN RSA PRIVATE KEY-----
  MIIGVDCCBDygAwIBAgIJAMiIrEm29kRLMA0GCSqGSIb3DQEBCwUAMHkxCzAJBgNV
  ... more lines
  VWQqljhfacYPgp8KJUJENQ9h5hZ2nSCrI+W00Jcw4QcEdCI8HL5wmg==
  -----END RSA PRIVATE KEY-----

If your key instead looks like the example below (a PKCS8 header without the word RSA), see Converting a Certificate Key From PKCS8 to PKCS1.

  -----BEGIN PRIVATE KEY-----
  MIIGVDCCBDygAwIBAgIJAMiIrEm29kRLMA0GCSqGSIb3DQEBCwUAMHkxCzAJBgNV
  ... more lines
  VWQqljhfacYPgp8KJUJENQ9h5hZ2nSCrI+W00Jcw4QcEdCI8HL5wmg==
  -----END PRIVATE KEY-----

Converting a Certificate Key From PKCS8 to PKCS1

If you are using a PKCS8 certificate key file, Rancher will log the following line:

  ListenConfigController cli-config [listener] failed with : failed to read private key: asn1: structure error: tags don't match (2 vs {class:0 tag:16 length:13 isCompound:true})

To make this work, convert the key from PKCS8 to PKCS1 using the command below:

  openssl rsa -in key.pem -out convertedkey.pem

You can now use convertedkey.pem as the certificate key file for Rancher.
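The two checks above (recognising which key layout a PEM file holds, and unwrapping a PKCS8 key into PKCS1) can be done without openssl by looking at the ASN.1 structure. The following Python script is an added example, not part of the Rancher documentation or Rancher's own code: it uses only the standard library, classifies each PEM block by its real structure rather than by its header alone, and performs the same unwrap that openssl rsa does for an unencrypted RSA key (the PKCS1 RSAPrivateKey is carried verbatim inside the OCTET STRING of a PKCS8 PrivateKeyInfo). The key material in it is a constructed, non-functional skeleton with the correct ASN.1 shape only; the function names are this example's own.

```python
import base64
import re

# One PEM block: header label, base64 body, footer with the same label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL)
# Which ASN.1 layout each PEM header promises.
EXPECTED_LAYOUT = {"RSA PRIVATE KEY": "PKCS1", "PRIVATE KEY": "PKCS8"}
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def der_read(buf, pos=0):
    """Read one DER TLV starting at pos; return (tag, content, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_tlv(tag, content):
    """Encode one DER TLV (short or long form length)."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    size = (len(content).bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + len(content).to_bytes(size, "big") + content


def private_key_layout(der):
    """PKCS1 RSAPrivateKey  = SEQUENCE { INTEGER version, INTEGER modulus, ... }
    PKCS8 PrivateKeyInfo  = SEQUENCE { INTEGER version, SEQUENCE algorithm, OCTET STRING key }
    The second element decides. A PKCS1 parser that expects tag 2 (INTEGER) and meets
    tag 16 (SEQUENCE) reports exactly the "tags don't match (2 vs {... tag:16 ...})" error."""
    tag, body, _ = der_read(der)
    if tag != 0x30:
        return "unknown"
    first, _, p = der_read(body)
    if first != 0x02:
        return "unknown"
    second, _, _ = der_read(body, p)
    return {0x02: "PKCS1", 0x30: "PKCS8"}.get(second, "unknown")


def to_pem(label, der):
    """Wrap DER bytes in a PEM block with 64-character lines."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def inspect_pem(text):
    """Report each PEM block: header label, layout found by structure, and whether
    the two agree. A disagreement means the header is lying about the contents."""
    findings = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), re.sub(r"\s+", "", m.group(2))
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:
            findings.append({"label": label, "layout": "invalid base64", "ok": False})
            continue
        if label == "CERTIFICATE":
            layout = "X.509" if der[:1] == b"\x30" else "unknown"
        elif label in EXPECTED_LAYOUT:
            layout = private_key_layout(der)
        else:
            layout = "unknown"
        findings.append({"label": label, "layout": layout,
                         "ok": layout == EXPECTED_LAYOUT.get(label, "X.509")})
    return findings


def pkcs8_to_pkcs1(pem_text):
    """Unwrap an unencrypted PKCS8 RSA key into the PKCS1 PEM that `openssl rsa` emits."""
    m = PEM_BLOCK.search(pem_text)
    if m is None or m.group(1) != "PRIVATE KEY":
        raise ValueError("expected an unencrypted '-----BEGIN PRIVATE KEY-----' block")
    der = base64.b64decode(re.sub(r"\s+", "", m.group(2)), validate=True)
    _, body, _ = der_read(der)
    _, _, p = der_read(body)            # version INTEGER
    _, alg, p = der_read(body, p)       # AlgorithmIdentifier SEQUENCE
    _, oid, _ = der_read(alg)
    if oid != RSA_OID:
        raise ValueError("not an RSA key; PKCS1 only describes RSA keys")
    key_tag, inner, _ = der_read(body, p)
    if key_tag != 0x04:
        raise ValueError("malformed PKCS8: privateKey is not an OCTET STRING")
    return to_pem("RSA PRIVATE KEY", inner)


# Constructed samples: skeletons with the right ASN.1 shape, not usable keys.
PKCS1_SKELETON = der_tlv(0x30, der_tlv(0x02, b"\x00") + der_tlv(0x02, b"\x0b") + der_tlv(0x02, b"\x03"))
PKCS8_SKELETON = der_tlv(0x30, der_tlv(0x02, b"\x00")
                         # rsaEncryption AlgorithmIdentifier: 13 bytes, the "length:13" in the log line
                         + der_tlv(0x30, der_tlv(0x06, RSA_OID) + der_tlv(0x05, b""))
                         + der_tlv(0x04, PKCS1_SKELETON))
SAMPLE_PKCS1 = to_pem("RSA PRIVATE KEY", PKCS1_SKELETON)
SAMPLE_PKCS8 = to_pem("PRIVATE KEY", PKCS8_SKELETON)
SAMPLE_MISLABELLED = to_pem("RSA PRIVATE KEY", PKCS8_SKELETON)  # PKCS1 header, PKCS8 body

if __name__ == "__main__":
    for name, sample in [("pkcs1", SAMPLE_PKCS1), ("pkcs8", SAMPLE_PKCS8), ("mislabelled", SAMPLE_MISLABELLED)]:
        print(name, inspect_pem(sample))
    print("unwrap matches PKCS1:", pkcs8_to_pkcs1(SAMPLE_PKCS8) == SAMPLE_PKCS1)
```

Run it against a real key file by passing the file's text to inspect_pem; if the layout reported is PKCS8, pkcs8_to_pkcs1 produces the same traditional-format output as the openssl command above. Encrypted PKCS8 keys (header ENCRYPTED PRIVATE KEY) are deliberately rejected, since they must be decrypted first.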

What is the Order of Certificates if I Want to Add My Intermediate(s)?

The order of the certificates in the file is as follows:

  -----BEGIN CERTIFICATE-----
  %YOUR_CERTIFICATE%
  -----END CERTIFICATE-----
  -----BEGIN CERTIFICATE-----
  %YOUR_INTERMEDIATE_CERTIFICATE%
  -----END CERTIFICATE-----

How Do I Validate My Certificate Chain?

You can validate the certificate chain by using the openssl binary. If the output of the command (see the command example below) ends with Verify return code: 0 (ok), your certificate chain is valid. The ca.pem file must be the same one you added to the rancher/rancher container.

When using a certificate signed by a recognized Certificate Authority, you can omit the -CAfile parameter.

Command:

  openssl s_client -CAfile ca.pem -connect rancher.yourdomain.com:443
  ...
  Verify return code: 0 (ok)