Catalog Not Loading - Behind Corporate Proxy with SSL-Inspection

I am working on getting my Rancher-HA cluster to connect to Catalog. My nodes are behind a corporate proxy that also does SSL inspection, i.e. certificates presented by ALL external endpoints are unpacked at the corporate boundary and re-signed by the corporate CA before being sent on to my Rancher-HA cluster.

I have successfully added outbound proxy rules to my rancher-config.yml file, but am now seeing Unknown Certificate Authority errors when attempting to connect to the Rancher Catalog at git.rancher.io.

Basic question: how do I append a new CA to my cluster's CA trusts?

After working at this for a while, I found a solution.

If you deployed Rancher using Helm, there is this option:

# Additional Trusted CAs.
# Enable this flag and add your CA certs as a secret named tls-ca-additional in the namespace.
# See README.md for details.
additionalTrustedCAs: false

In the cluster where Rancher is installed, create a secret in the cattle-system namespace as follows:

name: tls-ca-additional
key: ca-additional.pem
value: [concatenated pem of root and intermediate CAs]

Then set additionalTrustedCAs to true and upgrade your Rancher Helm chart.
What this does is mount the secret at /etc/ssl/certs/ca-additional.pem, and now Rancher is able to fetch catalogs through SSL interception.

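The procedure in the answer above, as an added shell example (not the poster's own script and not part of the Rancher project): it concatenates the corporate root and intermediate PEM files into the bundle, sanity-checks that the bundle is well-formed, creates the tls-ca-additional secret with the ca-additional.pem key, flips the chart flag, and then checks inside the running pod that the file was actually mounted. Assumptions, labelled in the code: the Rancher release is named rancher, was installed from the rancher-latest/rancher chart into cattle-system, its pods carry the label app=rancher, and the RANCHER_* environment variables and the function names are this example's own inventions. The sample PEM blocks used when testing are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example for the Rancher additionalTrustedCAs procedure; not code
# from the original thread or the Rancher project.
set -eu

# Count certificate blocks in a PEM file (prints 0 if the file is missing).
count_certs() {
  [ -f "$1" ] || { echo 0; return; }
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# A PEM file is usable if it has at least one block and every BEGIN line
# has a matching END line. Returns 0 when OK, 1 otherwise.
check_pem() {
  f=$1
  begins=$(count_certs "$f")
  ends=$(grep -c -- '-----END CERTIFICATE-----' "$f" 2>/dev/null || true)
  [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ]
}

# Concatenate root and intermediate(s) into the single bundle the secret holds.
# Usage: build_bundle OUT root.pem intermediate.pem [...]
build_bundle() {
  out=$1; shift
  : > "$out"
  for f in "$@"; do
    check_pem "$f" || { echo "bad PEM input: $f" >&2; return 1; }
    cat "$f" >> "$out"
    # Ensure each file ends with a newline so two blocks never run together
    # on one line (a common reason a concatenated bundle fails to parse).
    [ -z "$(tail -c 1 "$f")" ] || echo >> "$out"
  done
  check_pem "$out"
}

# Show what the proxy actually presents for git.rancher.io (network call,
# not run by default). The issuer printed should be the corporate CA; that
# is the chain you need in the bundle, not the real upstream CA.
show_presented_leaf() {
  openssl s_client -connect git.rancher.io:443 -servername git.rancher.io \
    -showcerts </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer
}

# Create or replace the secret, enable the chart flag, and verify the mount.
# Runs kubectl and helm, so it only executes when invoked as "$0 apply BUNDLE".
apply_to_rancher() {
  bundle=$1
  ns=${RANCHER_NS:-cattle-system}                 # assumed namespace
  release=${RANCHER_RELEASE:-rancher}             # assumed release name
  chart=${RANCHER_CHART:-rancher-latest/rancher}  # assumed chart reference
  check_pem "$bundle"
  # The key inside the secret must be ca-additional.pem: that is the file
  # name Rancher mounts under /etc/ssl/certs/.
  kubectl -n "$ns" create secret generic tls-ca-additional \
    --from-file=ca-additional.pem="$bundle" \
    --dry-run=client -o yaml | kubectl apply -f -
  helm upgrade "$release" "$chart" -n "$ns" --reuse-values \
    --set additionalTrustedCAs=true
  kubectl -n "$ns" rollout status deploy/"$release"
  # Confirm the bundle landed in the pod (label app=rancher is an assumption).
  pod=$(kubectl -n "$ns" get pod -l app="$release" \
    -o jsonpath='{.items[0].metadata.name}')
  kubectl -n "$ns" exec "$pod" -- \
    grep -c 'BEGIN CERTIFICATE' /etc/ssl/certs/ca-additional.pem
}

if [ "${1:-}" = "apply" ] && [ -n "${2:-}" ]; then
  apply_to_rancher "$2"
fi
```

Typical use: `build_bundle ca-additional.pem corp-root.pem corp-intermediate.pem`, then `./script.sh apply ca-additional.pem`. Using `create secret ... --dry-run=client | kubectl apply` makes the secret step idempotent, so re-running after a CA rotation replaces the bundle instead of failing on "already exists"; the final `exec` is the check worth keeping, because a wrong key name silently produces an empty or missing file rather than an error.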

That was useful, thanks!