Problem with SSL by trying to add a host

Continuing the discussion from GeoTrust Global CA not supported?:

Hey Vincent,

I had the same problem as JD_Trout; I also had forgotten to add the intermediate CA… I did this and also tested this one:

```
docker run --entrypoint openssl rancher/agent:v0.11.0 s_client -CApath /etc/ssl/certs/ -connect www.study1.eu:443 | grep local
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA - G3
verify return:1
depth=0 CN = www.study1.eu
verify return:1
DONE
```

But now I'm getting this error when I try to add a host:

```
INFO: https://www.study1.eu/v1 is accessible
Traceback (most recent call last):
File "./resolve_url.py", line 9, in
r = requests.get(url)
File "/usr/local/lib/python2.7/site-packages/requests/api.py", line 67, in get
return request('get', url, params=params, **kwargs)
File "/usr/local/lib/python2.7/site-packages/requests/api.py", line 53, in request
return session.request(method=method, url=url, **kwargs)
File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 468, in request
resp = self.send(prep, **send_kwargs)
File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 576, in send
r = adapter.send(request, **kwargs)
File "/usr/local/lib/python2.7/site-packages/requests/adapters.py", line 447, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: ("bad handshake: Error([('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)",)
curl: no URL specified!
curl: try 'curl --help' or 'curl --manual' for more information
ERROR: returned
ERROR: — START —
ERROR: — END —

ERROR: Failed to load registration env from CATTLE_URL=https://www.study1.eu/v1 ENV_URL=
ERROR: Please ensure the proper value for the Host Registration URL is set
```

It still seems that I misconfigured something with the certificates, but this time I'm getting one step further…

Any ideas for the last step? :slight_smile:

Regards,
Florian

It seems like you’re missing part of the command in the docker run command.

Would you be able to share the command that you used to start rancher/agent?

sudo docker run -d --privileged -v /var/run/docker.sock:/var/run/docker.sock -v /var/lib/rancher:/var/lib/rancher rancher/agent:v0.11.0 https://www.study1.eu/v1/scripts/

In the directory /var/lib/rancher/etc/ssl I stored all certificates in one file…

GeoTrust Global CA / RapidSSL SHA256 CA - G3 / www.study1.eu

Typically a docker run command will be more like

sudo docker run -d --privileged -v /var/run/docker.sock:/var/run/docker.sock -v /var/lib/rancher:/var/lib/rancher rancher/agent:v1.0.1 http://<serverURL>:8080/v1/scripts/<token_to_environment>

You’re missing the <token_to_environment> section of the command.

My Rancher UI says I should run this command on a host:

sudo docker run -d --privileged -v /var/run/docker.sock:/var/run/docker.sock -v /var/lib/rancher:/var/lib/rancher rancher/agent:v0.11.0 https://www.study1.eu/v1/scripts/AA1DEB8D7EA51C985:1463562000000:VMdjRSSh6Ol8BezwWe6WP3
(I removed some token content…)
Rancher v1.0.0
Cattle v0.159.2
User Interface v0.100.3
Rancher Compose v0.7.3

I noticed that your command uses agent version v1.0.1 and mine uses v0.11.0; which Rancher version are you using?

The UI will always provide the correct rancher/agent version to be launched. I was using either v1.0.1 or v1.1.0-dev2-rc3 to get my example, which is using rancher/agent v1.0.1.

If you are running v1.0.0, then you should use rancher/agent:v0.11.0.

Hi All,

I use Let's Encrypt to generate and manage our SSL certificates. We installed our Rancher in HA mode, and now it works fine. But it was impossible for us to add a host!

Terrible!

As described in this post, we encountered a certificate validation error.

The logs of the rancher/agent:v1.0.2 instance are here:

```
Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...done.

INFO: Running Agent Registration Process, CATTLE_URL=https://<>.<>.<>/v1
INFO: Checking for Docker version >= 1.6.0
INFO: Found Server version: 1.10.3
INFO: docker version: Client version: 1.6.0
INFO: docker version: Client API version: 1.18
INFO: docker version: Go version (client): go1.4.2
INFO: docker version: Git commit (client): 4749651
INFO: docker version: OS/Arch (client): linux/amd64
INFO: docker version: Server version: 1.10.3
INFO: docker version: Server API version: 1.22
INFO: docker version: Go version (server): go1.5.4
INFO: docker version: Git commit (server): 3cd164c
INFO: docker version: OS/Arch (server): linux/amd64
INFO: docker info: Containers: 1
INFO: docker info: Images: 30
INFO: docker info: Storage Driver: overlay
INFO: docker info: Backing Filesystem: extfs
INFO: docker info: Execution Driver: native-0.2
INFO: docker info: Kernel Version: 4.6.3-coreos
INFO: docker info: Operating System: CoreOS 1068.10.0 (MoreOS)
INFO: docker info: CPUs: 2
INFO: docker info: Total Memory: 7.616 GiB
INFO: docker info: Name: rancher011
INFO: docker info: ID: 5LGQ:QP74:ALX4:ZLHW:LSSH:ADLC:I2HX:PLWN:6UUD:CL54:Y6U4:NHW2
INFO: docker info: Http Proxy:
INFO: docker info: Https Proxy:
INFO: docker info: No Proxy:
INFO: Attempting to connect to: https://<>.<>.<>/v1
INFO: https://<>.<>.<>/v1 is accessible
Traceback (most recent call last):
File "./resolve_url.py", line 9, in
r = requests.get(url)
File "/usr/local/lib/python2.7/site-packages/requests/api.py", line 67, in get
return request('get', url, params=params, **kwargs)
File "/usr/local/lib/python2.7/site-packages/requests/api.py", line 53, in request
return session.request(method=method, url=url, **kwargs)
File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 468, in request
resp = self.send(prep, **send_kwargs)
File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 576, in send
r = adapter.send(request, **kwargs)
File "/usr/local/lib/python2.7/site-packages/requests/adapters.py", line 447, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: ("bad handshake: Error([('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)",)
curl: no URL specified!
curl: try 'curl --help' or 'curl --manual' for more information
ERROR: returned
ERROR: — START —
ERROR: — END —

ERROR: Failed to load registration env from CATTLE_URL=https://<>.<>.<>/v1 ENV_URL=
ERROR: Please ensure the proper value for the Host Registration URL is set
```

So as you can see, we faced an exception "requests.exceptions.SSLError: ("bad handshake: Error([('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', "

In the Rancher Agent project (https://github.com/rancher/rancher/tree/master/agent) we modified the run.sh.

git diff of the modification we made (after many tests):

diff --git a/agent/run.sh b/agent/run.sh index 156a8fb..1e582d1 100755 --- a/agent/run.sh +++ b/agent/run.sh @@ -63,7 +63,8 @@ print_url() setup_custom_ca_bundle() { check_and_add_conf "CURL_CA_BUNDLE" ${CA_CERT_FILE} - check_and_add_conf "REQUESTS_CA_BUNDLE" ${CA_CERT_FILE} +# check_and_add_conf "REQUESTS_CA_BUNDLE" ${CA_CERT_FILE} + check_and_add_conf "REQUESTS_CA_BUNDLE" "/etc/ssl/certs/ca-certificates.crt" # Update core container CA certs for Golang mkdir -p /usr/local/share/ca-certificates/rancher
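Review bot: after this hunk CURL_CA_BUNDLE still points at ${CA_CERT_FILE} while REQUESTS_CA_BUNDLE is hard-coded to /etc/ssl/certs/ca-certificates.crt, so curl and the Python requests calls in the same registration run now verify the server against two different trust stores; either hand both the same bundle or keep the variable and find out why ${CA_CERT_FILE} is rejected by requests. The hard-coded path only works because the earlier "Updating certificates in /etc/ssl/certs… 1 added" step merged the custom CA into the system bundle, which deserves a comment next to the new line since the original line's purpose was to use the file the operator supplied. The commented-out `# check_and_add_conf "REQUESTS_CA_BUNDLE" ${CA_CERT_FILE}` line should be deleted rather than left as dead code, and the remaining `${CA_CERT_FILE}` argument should be quoted to match the new literal argument.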

We spent so much time on this error! We finally resolved it by replacing ${CA_CERT_FILE} with the OpenSSL file that contains all certificates (and ours too): /etc/ssl/certs/ca-certificates.crt.

For Let's Encrypt certificates, it works for us. I suppose it's a bug in Rancher Agent. We have not tested with other certificate providers.

Could other folks confirm if this patch works for them too?

Cheers

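Both failures in this thread come down to what the CA bundle handed to the agent contains: Florian's first post had left the intermediate CA out, and the last post only succeeded once REQUESTS_CA_BUNDLE pointed at a file that carried the whole chain. The script below is an added example, not code from the thread or from rancher/agent: it builds a throwaway root -> intermediate -> leaf chain with the openssl CLI (constructed test data, hypothetical names) and runs `openssl verify` against three bundles to show that the root alone fails while any bundle that also carries the intermediate, including one padded with unrelated roots the way ca-certificates.crt is, passes.

```shell
#!/bin/sh
# Added example (not from the thread): which CA bundles let a leaf certificate verify?
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-signed root CA (constructed; req -x509 marks it CA:TRUE by default).
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test Root CA" \
  -keyout root.key -out root.pem 2>/dev/null
# An unrelated root, standing in for the other entries of a system bundle.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Unrelated Root CA" \
  -keyout other.key -out other.pem 2>/dev/null

# Intermediate CA signed by the root; it needs CA:TRUE and keyCertSign to issue certs.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate CA" \
  -keyout int.key -out int.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 2 -extfile int.ext -out int.pem 2>/dev/null

# Leaf (server) certificate signed by the intermediate, like www.study1.eu in the thread.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
  -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 2 -out leaf.pem 2>/dev/null

# The three bundles a host might hand to the agent.
cp root.pem root-only.pem                            # intermediate missing
cat root.pem int.pem > chain.pem                     # root + intermediate
cat other.pem root.pem int.pem > system-style.pem    # everything, like ca-certificates.crt

# verify_with_bundle BUNDLE: exit 0 if leaf.pem chains to a root in BUNDLE, 1 otherwise.
verify_with_bundle() {
  openssl verify -CAfile "$WORK/$1" "$WORK/leaf.pem" >/dev/null 2>&1
}

for b in root-only.pem chain.pem system-style.pem; do
  if verify_with_bundle "$b"; then echo "$b: verify OK"; else echo "$b: verify FAILED"; fi
done
```

The same check against a live host is `openssl s_client -CAfile bundle.pem -connect host:443`, which is what the s_client test in the first post did with the container's /etc/ssl/certs.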