Problem with SSL by trying to add a host

Hi All,

I use Let’s Encrypt to generate and manage our SSL certificates. We installed our Rancher in HA mode, and now it works fine. But it was impossible for us to add a host!

Terrible!

As described in this post, we met a certificate validation error.

The logs of the rancher/agent:v1.0.2 instance here:

```
Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...done.

INFO: Running Agent Registration Process, CATTLE_URL=https://<>.<>.<>/v1
INFO: Checking for Docker version >= 1.6.0
INFO: Found Server version: 1.10.3
INFO: docker version: Client version: 1.6.0
INFO: docker version: Client API version: 1.18
INFO: docker version: Go version (client): go1.4.2
INFO: docker version: Git commit (client): 4749651
INFO: docker version: OS/Arch (client): linux/amd64
INFO: docker version: Server version: 1.10.3
INFO: docker version: Server API version: 1.22
INFO: docker version: Go version (server): go1.5.4
INFO: docker version: Git commit (server): 3cd164c
INFO: docker version: OS/Arch (server): linux/amd64
INFO: docker info: Containers: 1
INFO: docker info: Images: 30
INFO: docker info: Storage Driver: overlay
INFO: docker info: Backing Filesystem: extfs
INFO: docker info: Execution Driver: native-0.2
INFO: docker info: Kernel Version: 4.6.3-coreos
INFO: docker info: Operating System: CoreOS 1068.10.0 (MoreOS)
INFO: docker info: CPUs: 2
INFO: docker info: Total Memory: 7.616 GiB
INFO: docker info: Name: rancher011
INFO: docker info: ID: 5LGQ:QP74:ALX4:ZLHW:LSSH:ADLC:I2HX:PLWN:6UUD:CL54:Y6U4:NHW2
INFO: docker info: Http Proxy:
INFO: docker info: Https Proxy:
INFO: docker info: No Proxy:
INFO: Attempting to connect to: https://<>.<>.<>/v1
INFO: https://<>.<>.<>/v1 is accessible
Traceback (most recent call last):
  File "./resolve_url.py", line 9, in <module>
    r = requests.get(url)
  File "/usr/local/lib/python2.7/site-packages/requests/api.py", line 67, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/api.py", line 53, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 468, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 576, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/adapters.py", line 447, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: ("bad handshake: Error([('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)",)
curl: no URL specified!
curl: try 'curl --help' or 'curl --manual' for more information
ERROR: returned
ERROR: -- START --
ERROR: -- END --

ERROR: Failed to load registration env from CATTLE_URL=https://<>.<>.<>/v1 ENV_URL=
ERROR: Please ensure the proper value for the Host Registration URL is set
```

So, as you can see, we faced an exception: `requests.exceptions.SSLError: ("bad handshake: Error([('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', `

In the Rancher Agent project (https://github.com/rancher/rancher/tree/master/agent) we modified run.sh.

git diff of the modification we made (after so many tests):


diff --git a/agent/run.sh b/agent/run.sh index 156a8fb..1e582d1 100755 --- a/agent/run.sh +++ b/agent/run.sh @@ -63,7 +63,8 @@ print_url() setup_custom_ca_bundle() { check_and_add_conf "CURL_CA_BUNDLE" ${CA_CERT_FILE} - check_and_add_conf "REQUESTS_CA_BUNDLE" ${CA_CERT_FILE} +# check_and_add_conf "REQUESTS_CA_BUNDLE" ${CA_CERT_FILE} + check_and_add_conf "REQUESTS_CA_BUNDLE" "/etc/ssl/certs/ca-certificates.crt" # Update core container CA certs for Golang mkdir -p /usr/local/share/ca-certificates/rancher
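Review bot: the hunk in setup_custom_ca_bundle() replaces the custom CA file with a hardcoded path to the full system bundle, `check_and_add_conf "REQUESTS_CA_BUNDLE" "/etc/ssl/certs/ca-certificates.crt"`, so python-requests now trusts every CA on the host instead of only the one the operator configured, while CURL_CA_BUNDLE on the line above still points at ${CA_CERT_FILE}; the two tools no longer verify against the same trust store. The log above shows the agent already runs update-ca-certificates ("1 added"), so the likely reason this works for Let's Encrypt is that ${CA_CERT_FILE} carries only part of the chain and the updated system bundle supplies the missing issuer. A narrower fix is to keep REQUESTS_CA_BUNDLE on ${CA_CERT_FILE} when that file contains the complete chain, and only fall back to the system bundle otherwise, so that a bad or unrelated root on the host cannot satisfy verification. Also delete the commented-out `#  check_and_add_conf "REQUESTS_CA_BUNDLE" ${CA_CERT_FILE}` line rather than leaving dead code in the script.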

We spent so much time on this error! We finally resolved it by replacing ${CA_CERT_FILE} with the OpenSSL file that contains all certificates (and ours too): /etc/ssl/certs/ca-certificates.crt.

For Let’s Encrypt certificates, it works for us. I suppose it’s a bug of Rancher Agent. We did not test with other certificate providers.

Could other folks confirm if this patch works for them too?

Cheers
