Step-by-step guide

The described way to upload a certificate to the cluster is correct!

1. We upload certificates in Rancher as Secrets
2. We update the ingress configs to use the right certificate
3. We point our domains to Fastly by using following config: Domains and Certificates :: Magnolia CMS Docs (

> This way we are doing all config within Rancher. Sorry if its a naive question, but how is Fastly (CDN) able to serve https requests? We are only adding the certificate at origin (production cluster), how is the https request managed at CDN level?

Not a naive question, because the certificate that you upload must of course being uploaded to the CDN. For Fastly we automatically do this for you with our Operator, which is running on the cluster and does the upgrade. In the end it reconciles Ingress Objects with the annotation: 

 annotations: fastly

> Another issue I have is that I am not able to add secretes in production cluster in rancher, the option to add certificates is only visible in dev/uat.

Have you selected the correct namespaces on the top right?
Then you should be able to see the secrets in the according namespace. Rancher GUI will only show resources for the selected namespace

> And do we still need to do the acme challenge verification in cockpit when we are uploading our own certificates via rancher?

No, as said earlier. Using the cockpit is only an option. But you can also do it the way described before. The ACME challenge will be handled within the cluster anyways.