Wrong Certificate Information Showing
Internal reference: SURE-5309 Reported in 2.6.4 & 2.6.8
Issue description: Certificate information shown in the UI only shows information on the last certificate in the chain (typically the root CA), so the domain is usually not listed and the expiration date is not correct. This means that, for those looking for expired certificates, the information provided in the UI is useless and would require manual review to validate.
Repro steps:
- Install Rancher 2.6.4 with a signed cert
- Check the secret in the UI
Actual behavior: Shows root CA information
Expected behavior: Shows certificate information
More details on repro:
I replicated the current behavior by selecting/browsing the local cluster, removing the user resource filter, and going to secrets. I confirmed that it showed only the CA cert [and its] expiration.
✅ PASSED
Reproduction Environment
Component | Version / Type |
---|---|
Rancher version | v2.7.1 |
Installation option | Helm (high availability) |
RKE binary version used | v1.4.0 |
If Helm Chart k8s cluster | v1.24.6 |
Cert Details | Let's Encrypt / nginx |
Docker version | 20.10.7, build f0df350 |
Helm version | v2.16.8-rancher2 |
Downstream cluster type | not applicable |
Downstream K8s version | not applicable |
Authentication providers enabled | local |
Logged in user role | standard, admin |
Browser type | google chrome |
Browser version | 111.0.5563.110 |
🚨 Additional Reproduction Setup Details: Click to Expand
Created with: https://github.com/brudnak/aws-ha-infra
Reproduction steps
- Deploy Rancher 2.7.1 in RKE1 HA and compare the certificate expiration time of a special serving-cert
- Starting from the default Rancher homepage /dashboard/home
- Click hamburger menu >>> Storage >>> Secrets >>> filter to kube-system
- Click Kubectl Shell
- Run the following command:
k get secret -n cattle-system serving-cert -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -text | grep Not
- Compare the value returned via the kubectl command to what is displayed in the Rancher UI as the TLS Certificate Expires date
- These dates do not match
Additional Info
RESULTS
✅ Expected
For the UI to correctly display the TLS Certificate expires date
❌ Actual
The UI did not correctly display the TLS Certificate expires date
Validation Environment
Component | Version / Type |
---|---|
Rancher version | v2.7-7913e283ff90eebd1f8cc48860a6b410d72cd4dd-head |
Rancher commit link | https://github.com/rancher/rancher/commit/7913e283ff90eebd1f8cc48860a6b410d72cd4dd |
Installation option | Helm (high availability) |
RKE binary version used | v1.4.0 |
If Helm Chart k8s cluster | v1.24.6 |
Cert Details | Let's Encrypt / nginx |
Docker version | 20.10.7, build f0df350 |
Helm version | v2.16.8-rancher2 |
Downstream cluster type | not applicable |
Downstream K8s version | not applicable |
Authentication providers enabled | local |
Logged in user role | standard, admin |
Browser type | google chrome |
Browser version | 111.0.5563.110 |
🚨 Additional Reproduction Setup Details: Click to Expand
Created with: https://github.com/brudnak/aws-ha-infra
Validation steps
- Deploy Rancher 2.7.1 in RKE1 HA and compare the certificate expiration time of a special serving-cert
- Starting from the default Rancher homepage /dashboard/home
- Click hamburger menu >>> Storage >>> Secrets >>> filter to kube-system
- Click Kubectl Shell
- Run the following command:
k get secret -n cattle-system serving-cert -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -text | grep Not
- Compare the value returned via the kubectl command to what is displayed in the Rancher UI as the TLS Certificate Expires date
Additional Info
RESULTS
✅ Expected
For the UI to correctly display the TLS Certificate expires date
✅ Actual
For the UI to correctly display the TLS Certificate expires date
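
Added example, not part of the original issue or of Rancher's code: `openssl x509` reads only the first certificate in a PEM bundle, so the command in the steps above reports the leaf, while the bug described in the issue surfaced the last entry of the chain. The script below lists the subject and expiry of every certificate in a `tls.crt` bundle so the two can be compared side by side; the function names, the sample chain and its subject names are constructed for illustration.

```shell
#!/bin/sh
# chain_report FILE: print "index|subject|notAfter" for each certificate in a
# PEM bundle, in file order (index 0 is the leaf in a well-formed tls.crt).
chain_report() {
  bundle=$1
  tmp=$(mktemp -d) || return 1
  # Split the bundle into one file per certificate.
  awk -v dir="$tmp" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%02d.pem", dir, n) }
    out != "" { print > out }
    /-----END CERTIFICATE-----/ { close(out); out = "" }
  ' "$bundle"
  i=0
  for f in "$tmp"/cert*.pem; do
    [ -e "$f" ] || break
    subj=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    end=$(openssl x509 -in "$f" -noout -enddate | sed 's/^notAfter=//')
    printf '%d|%s|%s\n' "$i" "$subj" "$end"
    i=$((i + 1))
  done
  rm -rf "$tmp"
}

# make_sample_chain DIR: build a constructed two-certificate chain
# (90-day leaf followed by a 10-year root) in DIR/tls.crt.
make_sample_chain() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Constructed Root CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=rancher.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 90 -out "$d/leaf.crt" 2>/dev/null &&
  cat "$d/leaf.crt" "$d/ca.crt" > "$d/tls.crt"
}

# Demo on the constructed chain: line 0 is the leaf, the last line is the root.
demo=$(mktemp -d) && make_sample_chain "$demo" && chain_report "$demo/tls.crt"
rm -rf "$demo"
```

To run it against the secret from the steps above, write the decoded `tls.crt` to a file in the Kubectl Shell and pass that file to `chain_report`.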