
Add an SSL Certificate to an Ascender Instance That Was Set Up Without a Certificate

Introduction

This document outlines how to add an SSL certificate to an existing Ascender installation, assuming you have a valid and working Ascender installation. The recommended installation method is the ascender-install script from the CIQ repository.

Before you can add an SSL certificate, you must already have one generated. Creating the certificate is not covered in this article and must be done before continuing with this guide. The Common Name (CN) field in the certificate must exactly match the URL you have set for your Ascender instance. Both the certificate and private key must be in PEM format. The certificate must be stored with a .crt or .cer file extension and the private key with a .key file extension.

Problem

When Ascender was installed, the http option was chosen instead of https. As a result, Ascender is using a default self-signed certificate and has no options within the custom.config.yml file to use other certificates.

Resolution

Installing Ascender with the ascender-install scripts from CIQ creates a custom.config.yml file. It contains all the variables required for the initial install process. Change the following variables in this file:

  • kube_install: A Kubernetes cluster is already running for your Ascender instance, so set this value to false.
  • download_kubeconfig: Set this value to false as well, because a valid KUBECONFIG file used for authentication already exists in your Ascender instance.
  • k8s_lb_protocol: Change this from http to https.

Go to the bottom of the file and add these lines:

  • tls_crt_path: The path to where the certificate is located.
  • tls_key_path: The path to where the private key is located.

An example of the two added lines:

tls_crt_path: ~/ascender.crt
tls_key_path: ~/ascender.key

Run the setup.sh script again to install the new certificate. Then run the command below to check whether the new certificate has been applied:

echo | openssl s_client -connect your-ascender-hostname:443 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName -dates
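
The file requirements and configuration changes described above can be checked before re-running setup.sh. The script below is an added example, not part of the ascender-install scripts; it assumes custom.config.yml holds flat "key: value" lines as shown in this article, and the function names and the hostname argument are illustrative.

```sh
#!/bin/sh
# Added example: pre-flight checks to run before re-running setup.sh.
# Assumes flat "key: value" lines. Usage: sh preflight.sh custom.config.yml <hostname>

# Last value set for a top-level key, with comments and quotes stripped.
cfg_get() {
  sed -n "s/^$2:[[:space:]]*//p" "$1" | tail -n 1 |
    sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' -e "s/^[\"']//" -e "s/[\"']\$//"
}

# Expand a leading ~/ as the shell would.
expand_home() { case $1 in "~/"*) echo "$HOME/${1#??}" ;; *) echo "$1" ;; esac; }

# Check the three changed variables, then the extension and PEM header of both files.
# Leaves the resolved paths in $crt and $keyf for the later checks.
check_config() {
  rc=0
  for kv in kube_install=false download_kubeconfig=false k8s_lb_protocol=https; do
    got=$(cfg_get "$1" "${kv%%=*}" | tr '[:upper:]' '[:lower:]')
    [ "$got" = "${kv#*=}" ] || { echo "FAIL: ${kv%%=*} is '$got', expected '${kv#*=}'"; rc=1; }
  done
  crt=$(expand_home "$(cfg_get "$1" tls_crt_path)")
  keyf=$(expand_home "$(cfg_get "$1" tls_key_path)")
  case $crt in *.crt|*.cer) ;; *) echo "FAIL: tls_crt_path must end in .crt or .cer"; rc=1 ;; esac
  case $keyf in *.key) ;; *) echo "FAIL: tls_key_path must end in .key"; rc=1 ;; esac
  grep -q -e '-----BEGIN CERTIFICATE-----' "$crt" 2>/dev/null || { echo "FAIL: '$crt' is not a PEM certificate"; rc=1; }
  grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$keyf" 2>/dev/null || { echo "FAIL: '$keyf' is not a PEM private key"; rc=1; }
  return $rc
}

# Succeeds only when the private key's public half equals the certificate's public key.
check_keypair() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Common Name (CN) of the certificate subject.
cert_cn() { openssl x509 -in "$1" -noout -subject -nameopt multiline 2>/dev/null | sed -n 's/^ *commonName *= *//p'; }

preflight() {
  check_config "$1" || return 1
  check_keypair "$crt" "$keyf" || { echo "FAIL: private key does not match certificate"; return 1; }
  [ "$(cert_cn "$crt")" = "$2" ] || { echo "FAIL: certificate CN does not match '$2'"; return 1; }
  echo "OK: configuration and certificate checks passed"
}

if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

A failed key-pair check means the file at tls_key_path is not the private key for the certificate at tls_crt_path.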

References & related articles

CIQ Ascender
Ascender Install Scripts and Documentation
Ascender Feature Overview
Ascender Installation Video
Generating SSL Keys
Generating SSL Keys with Lets Encrypt