Agent can't connect to Apache SSL Reverse Proxy

Hi all,

Excellent product, first of all.

I was able to get a server and agent to talk to each other without issues in the cloud with public IPs.

Next step was to secure it. So I was able to get that up and running without much issue with my existing Apache2 setup. However, I can’t get the rancher/agent to successfully connect to rancher/server.

I noticed on the agent that adding the agent container creates 3, and 1 stays up trying to connect. No ports are blocked, so I’m quite stumped.

93f2f489978c rancher/agent:v0.8.2 "/ run" 2 hours ago Up 6 minutes rancher-agent
a68190eef014 rancher/agent:v0.8.2 "/ state" 2 hours ago Exited (0) 2 hours ago rancher-agent-state
cb90694ec542 rancher/agent:v0.8.2 "/ https://ranc" 2 hours ago Exited (0) 2 hours ago hopeful_wescoff

I do see this error, which I am puzzled about:

2015-11-08 03:44:51,713 ERROR root [140071172713680] [] ('Received websocket error: [%s]', CertificateError("hostname '' doesn't match either of '', ''",))


Have you looked at the docs about SSL?

The agent verifies that the certificate it receives is valid. Without this, SSL is rather pointless because you’re “securing” a connection to what could be anybody.

That error says it received a cert which is only valid for requests to {www.}, but the request was for It’s the equivalent of the big scary error you see in a browser when you go to a site where the cert doesn’t match. So you need a certificate which is for the domain, or use one of the 2 names the existing cert is valid for as the FQDN for rancher.
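
The name check the reply describes, as an added example that is not part of the original thread or Rancher's own code: it compares a requested hostname with the DNS names in a certificate and reports what the certificate covers. The example.com names and the sample certificate are constructed placeholders, since the thread's real hostnames are not shown, and `fetch_cert` is a hypothetical helper for reading the names a live proxy serves.

```python
import socket
import ssl

def cert_dns_names(cert):
    """DNS names from a dict shaped like SSLSocket.getpeercert() output."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # commonName is consulted only when there is no DNS SAN
        for rdn in cert.get("subject", ()):
            names += [v for k, v in rdn if k == "commonName"]
    return names

def name_matches(pattern, hostname):
    """'*' may stand in for the whole leftmost label only, never for a bare TLD."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and h[0] != "" and p[1:] == h[1:]
    return p == h

def check_hostname(cert, hostname):
    """Return (ok, names) so a mismatch report can show what the cert covers."""
    names = cert_dns_names(cert)
    return any(name_matches(n, hostname) for n in names), names

def fetch_cert(host, port=443):
    """Read the certificate the proxy serves for this SNI name (diagnosis only)."""
    ctx = ssl.create_default_context()  # chain is still verified against the CA store
    ctx.check_hostname = False          # off so a mismatching cert can be inspected
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample: a certificate issued for the bare domain and www only.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
}

if __name__ == "__main__":
    for host in ("www.example.com", "rancher.example.com"):
        ok, names = check_hostname(SAMPLE_CERT, host)
        print(host, "matches" if ok else "MISMATCH, cert covers %s" % names)
```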

Thank you. I see the mismatch issue, but the cert was generated for, from StartSSL, and it does not produce an error in the browser, which is why I said it was puzzling.

Anyhow, I’ve generated self-signed certs, but they cause the agent to be in a worse condition connection-wise:

ERROR: is not accessible
ERROR: is not accessible
ERROR: is not accessible
ERROR: Could not reach Giving up.

So my next idea is to run it on [www.] on port 8081 and proxy back to 8080 and see if the agent will connect that way.