About Custom CA Root Certificates
If you’re using Rancher in an internal production environment where you aren’t exposing apps publicly, use a certificate from a private certificate authority (CA).
Services that Rancher needs to access are sometimes configured with a certificate from a custom/internal CA root, also known as self signed certificate. If the presented certificate from the service cannot be validated by Rancher, the following error displays: x509: certificate signed by unknown authority
.
To validate the certificate, the CA root certificates need to be added to Rancher. As Rancher is written in Go, we can use the environment variable SSL_CERT_DIR
to point to the directory where the CA root certificates are located in the container. The CA root certificates directory can be mounted using the Docker volume option (-v host-source-directory:container-destination-directory
) when starting the Rancher container.
Examples of services that Rancher can access:
- Catalogs
- Authentication providers
- Accessing hosting/cloud API when using Node Drivers
Installing with the custom CA Certificate
For details on starting a Rancher container with your private CA certificates mounted, refer to the installation docs: