Agent can't connect to Apache SSL Reverse Proxy

daze · November 8, 2015, 3:46am

Hi all,

Excellent product, first of all.

I was able to get a server and agent to talk to each other without issues in the cloud with public IPs.

Next step was to secure it. So I was able to get that up and running without much issue with my existing Apache2 setup. However, I can’t get the rancher/agent to successfully connect to rancher/server.

I noticed, on the agent that adding the agent container creates 3, and 1 stays up trying to connect. No ports are blocked, so I’m quite stumped.

CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
93f2f489978c rancher/agent:v0.8.2 “/run.sh run” 2 hours ago Up 6 minutes rancher-agent
a68190eef014 rancher/agent:v0.8.2 “/run.sh state” 2 hours ago Exited (0) 2 hours ago rancher-agent-state
cb90694ec542 rancher/agent:v0.8.2 “/run.sh https://ranc” 2 hours ago Exited (0) 2 hours ago hopeful_wescoff

I do see this error, which I am puzzled about:

2015-11-08 03:44:51,713 ERROR root [140071172713680] [_logging.py:54] (‘Received websocket error: [%s]’, CertificateError(“hostname ‘rancher.REDACTED.com’ doesn’t match either of ‘www.REDACTED.com’, ‘REDACTED.com’”,))

Help!

denise · November 14, 2015, 3:44pm

Have you looked at the docs about SSL?

http://docs.rancher.com/rancher/installing-rancher/installing-server/basic-ssl-config/#apache-configuration

vincent · November 14, 2015, 4:09pm

The agent verifies that the certificate it receives is valid. Without this, SSL is rather pointless because you’re “securing” a connection to what could be anybody.

That error says it received a cert which is only valid for requests to {www.}redacted.com, but the request was for rancher.redacted.com. It’s the equivalent of the big scary error you see in a browser when you go to a site where’s the cert doesn’t match. So you need a certificate which is for the domain rancher.redacted.com, or use one of the 2 names the existing cert is valid for as the fqdn for rancher.

daze · November 14, 2015, 5:50pm

Thank you, I see the mismatch issue but the cert was generated for rancher.redacted.com, from startssl. And does not produce an error in the browser which is why I said it was puzzling.

Anyhow, I’ve generated self-signed certs but they cause the agent to be in a worse condition connection wise:

ERROR: https://rancher.redacted.com/v1 is not accessible
ERROR: https://rancher.redacted.com/v1 is not accessible
ERROR: https://rancher.redacted.com/v1 is not accessible
ERROR: Could not reach https://rancher.redacted.com/v1. Giving up.

So my next idea is to run it on [www.]redacted.com on port 8081 and proxy back to 8080 and see if the agent will connect that way.

Topic		Replies	Views
Rancher SSL Agent can't connect Rancher 1.x	2	1799	May 26, 2016
Can't connect agent to ssl enabled rancher Rancher 1.x	0	853	April 10, 2016
HAProxy Reverse Proxy in front of Rancher Server issue Rancher 1.x	0	1653	August 28, 2016
Rancher agent cannot connect with self-signed server cert Rancher 1.x	1	1338	March 3, 2017
Cannot add rancher agent to rancher ssl server Rancher 1.x	3	2058	July 10, 2015

Agent can't connect to Apache SSL Reverse Proxy

Related topics