Rotation of Expired Webhook Certificates

Certain Rancher versions with rancher-webhook installed created webhook TLS certificates that expire after one year. If the certificate was not renewed before it expired, you must rotate it manually.

In Rancher v2.6.3 and up, the rancher-webhook deployment automatically renews its TLS certificate once the certificate is within 30 days of its expiration date. On v2.6.2 and below there is no automatic renewal, and there are two ways to work around the issue:

1. If you have cluster access via kubectl, run the following commands against the local cluster:
  1. kubectl delete secret -n cattle-system cattle-webhook-tls
  2. kubectl delete mutatingwebhookconfigurations.admissionregistration.k8s.io --ignore-not-found=true rancher.cattle.io
  3. kubectl delete pod -n cattle-system -l app=rancher-webhook
2. If you do not have cluster access via kubectl, perform the same three steps with whatever management tooling you do have:
  1. Delete the cattle-webhook-tls secret in the cattle-system namespace of the local cluster.
  2. Delete the rancher.cattle.io mutating webhook configuration.
  3. Delete the rancher-webhook pod in the cattle-system namespace of the local cluster.

Deleting the pod forces rancher-webhook to start again, generate a new certificate, and re-create both the secret and the mutating webhook configuration.
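The rotation procedure above as an added example script; it is not part of the Rancher documentation or of the rancher-webhook project. It reads the notAfter date of the certificate stored in the secret, rotates only when the certificate is expired or inside a 30-day window, and afterwards verifies that the restarted webhook re-created the secret and re-registered the mutating webhook configuration. It assumes kubectl is configured against the local cluster, that openssl and GNU coreutils (base64 -d, date -d) are on the workstation, that the certificate is stored under the tls.crt key of the secret, and that the webhook runs as the deployment rancher-webhook in cattle-system; none of these details are stated on the page. The secret name comes from the SECRET variable so a differently named expired secret can be passed in.

```shell
#!/bin/sh
# Check the rancher-webhook certificate and rotate it when expired or close to expiry.
# Added example for Rancher v2.6.2 and below; not Rancher's own tooling.
#
# Assumptions (not stated on the page): kubectl in PATH with a kubeconfig for the local
# (Rancher management) cluster, openssl and GNU coreutils (base64 -d, date -d) available,
# the certificate stored under the tls.crt key of the secret, and the webhook running as
# the deployment rancher-webhook in cattle-system.

NAMESPACE="${NAMESPACE:-cattle-system}"
SECRET="${SECRET:-cattle-webhook-tls}"          # substitute the name of your expired secret
WEBHOOK_CONFIG="${WEBHOOK_CONFIG:-rancher.cattle.io}"
DEPLOYMENT="${DEPLOYMENT:-rancher-webhook}"     # assumed deployment name
RENEW_WINDOW_DAYS="${RENEW_WINDOW_DAYS:-30}"    # the window v2.6.3+ renews within

# Whole days from "now" until notAfter, both as Unix epoch seconds; negative once expired.
days_remaining() {
    printf '%s\n' "$(( ($1 - $2) / 86400 ))"
}

# True (exit 0) when the certificate is expired or inside the renewal window.
needs_rotation() {
    [ "$1" -le "${2:-$RENEW_WINDOW_DAYS}" ]
}

# notAfter of the secret's tls.crt as epoch seconds; fails when the secret is unreadable.
cert_not_after_epoch() {
    pem=$(kubectl get secret -n "$NAMESPACE" "$SECRET" -o jsonpath='{.data.tls\.crt}' | base64 -d)
    [ -n "$pem" ] || return 1
    end=$(printf '%s\n' "$pem" | openssl x509 -noout -enddate | sed 's/^notAfter=//')
    [ -n "$end" ] || return 1
    date -u -d "$end" +%s
}

# The three steps from the page, followed by checks that the webhook came back healthy.
# While the mutating webhook configuration is absent the API server admits requests
# without calling the webhook, so the re-registration check at the end is not optional.
rotate() {
    kubectl delete secret -n "$NAMESPACE" "$SECRET" --ignore-not-found=true
    kubectl delete mutatingwebhookconfigurations.admissionregistration.k8s.io \
        --ignore-not-found=true "$WEBHOOK_CONFIG"
    kubectl delete pod -n "$NAMESPACE" -l app=rancher-webhook
    kubectl rollout status -n "$NAMESPACE" "deployment/$DEPLOYMENT" --timeout=180s || return 1
    for _ in 1 2 3 4 5 6 7 8 9 10 11 12; do
        kubectl get secret -n "$NAMESPACE" "$SECRET" >/dev/null 2>&1 &&
        kubectl get mutatingwebhookconfiguration "$WEBHOOK_CONFIG" >/dev/null 2>&1 && return 0
        sleep 5
    done
    echo "webhook did not re-create $SECRET and $WEBHOOK_CONFIG within 60s" >&2
    return 1
}

main() {
    mode="$1"
    now=$(date -u +%s)
    not_after=$(cert_not_after_epoch) || { echo "cannot read $NAMESPACE/$SECRET" >&2; return 1; }
    remaining=$(days_remaining "$not_after" "$now")
    echo "$NAMESPACE/$SECRET expires in $remaining day(s)"
    needs_rotation "$remaining" || { echo "no rotation needed"; return 0; }
    [ "$mode" = "rotate" ] || { echo "rotation needed; rerun with 'rotate'"; return 2; }
    rotate || return 1
    new_not_after=$(cert_not_after_epoch) || { echo "$SECRET unreadable after rotation" >&2; return 1; }
    new_remaining=$(days_remaining "$new_not_after" "$now")
    echo "rotated; new certificate expires in $new_remaining day(s)"
    if needs_rotation "$new_remaining"; then
        echo "new certificate is still expired or near expiry" >&2
        return 1
    fi
}

# Only touch the cluster when asked, so the helpers can be sourced and checked offline.
case "${1:-}" in
    check|rotate) main "$1" ;;
esac
```

Run `sh rotate-webhook-cert.sh check` to report the remaining validity without changing anything, and `sh rotate-webhook-cert.sh rotate` to perform the deletion; set `SECRET=<name>` when the expired secret is not cattle-webhook-tls. The script exits non-zero if the restarted webhook does not bring back both the secret and the rancher.cattle.io configuration, which is the point at which admission enforcement is restored.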

Note: the expiration issue is not specific to the cattle-webhook-tls secret used in the steps above. Substitute the name of whichever certificate secret has expired.