Agent can't connect to Apache SSL Reverse Proxy

Hi all,

Excellent product, first of all.

I was able to get a server and agent to talk to each other without issues in the cloud with public IPs.

Next step was to secure it. So I was able to get that up and running without much issue with my existing Apache2 setup. However, I can’t get the rancher/agent to successfully connect to rancher/server.

I noticed, on the agent that adding the agent container creates 3, and 1 stays up trying to connect. No ports are blocked, so I’m quite stumped.

CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
93f2f489978c rancher/agent:v0.8.2 "/run.sh run" 2 hours ago Up 6 minutes rancher-agent
a68190eef014 rancher/agent:v0.8.2 "/run.sh state" 2 hours ago Exited (0) 2 hours ago rancher-agent-state
cb90694ec542 rancher/agent:v0.8.2 "/run.sh https://ranc" 2 hours ago Exited (0) 2 hours ago hopeful_wescoff

I do see this error, which I am puzzled about:

2015-11-08 03:44:51,713 ERROR root [140071172713680] [_logging.py:54] ('Received websocket error: [%s]', CertificateError("hostname 'rancher.REDACTED.com' doesn't match either of 'www.REDACTED.com', 'REDACTED.com'",))

Help!

Have you looked at the docs about SSL?

http://docs.rancher.com/rancher/installing-rancher/installing-server/basic-ssl-config/#apache-configuration

The agent verifies that the certificate it receives is valid. Without this, SSL is rather pointless because you’re “securing” a connection to what could be anybody.

That error says it received a cert which is only valid for requests to {www.}redacted.com, but the request was for rancher.redacted.com. It’s the equivalent of the big scary error you see in a browser when you go to a site where the cert doesn’t match. So you need a certificate which is for the domain rancher.redacted.com, or use one of the 2 names the existing cert is valid for as the fqdn for rancher.
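To make the check the reply describes concrete, here is an added example (not code from the thread, from Rancher, or from the agent) that performs the same hostname-versus-certificate comparison in Python 3.7+ using only the standard library. The peer-certificate dict is constructed to carry exactly the two names quoted in the agent's error; the matching rules are my own RFC 6125-style implementation, not the agent's. The `fetch_cert_names` helper is a diagnostic for a live server: it verifies the chain against the system CA store (or a `cafile` you pass, which is what a self-signed setup would need) but defers the hostname check to the functions above it, so you can see which names the proxy actually served, with and without SNI.

```python
import socket
import ssl

# Constructed peer-certificate dict in the shape ssl.SSLSocket.getpeercert()
# returns; the names mirror the ones quoted in the agent's error above.
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "www.redacted.com"),),),
    "subjectAltName": (("DNS", "www.redacted.com"), ("DNS", "redacted.com")),
}


def cert_dns_names(cert):
    """Return the DNS names a certificate is valid for.

    Subject Alternative Names win; the subject CN is only a fallback when the
    certificate carries no SAN entries at all (legacy behaviour).
    """
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def dns_name_matches(pattern, hostname):
    """RFC 6125-style match: case-insensitive; a wildcard is only allowed as
    the whole left-most label, needs at least two labels after it, and
    never matches more than one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches_cert(cert, hostname):
    """True if any name on the certificate covers hostname."""
    return any(dns_name_matches(name, hostname) for name in cert_dns_names(cert))


def explain_mismatch(cert, hostname):
    """Reproduce the shape of the agent's message, or None when the name matches."""
    if hostname_matches_cert(cert, hostname):
        return None
    names = ", ".join(f"'{n}'" for n in cert_dns_names(cert))
    return f"hostname '{hostname}' doesn't match either of {names}"


def fetch_cert_names(host, port=443, send_sni=True, cafile=None, timeout=5.0):
    """Diagnostic: connect and return the DNS names on the certificate served.

    The chain is still verified (against the system store, or cafile), so an
    untrusted self-signed cert raises ssl.SSLCertVerificationError here just as
    it would for the agent. Only the hostname check is turned off, so the
    returned names can be fed to hostname_matches_cert(). Running this once
    with send_sni=True and once with send_sni=False tells you whether the
    mismatch is in the certificate itself or comes from Apache handing its
    default vhost certificate to a client that sends no SNI.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False          # we do the name check ourselves
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host if send_sni else None) as tls:
            return cert_dns_names(tls.getpeercert())


if __name__ == "__main__":
    # Offline demonstration on the constructed certificate only.
    for name in ("rancher.redacted.com", "www.redacted.com", "REDACTED.COM"):
        print(name, "->", explain_mismatch(SAMPLE_PEER_CERT, name) or "ok")
```

Run against a real host as `fetch_cert_names("rancher.example.com")` (hostname assumed) and pass the result to `hostname_matches_cert`; if the names differ between the SNI and no-SNI calls, the fix is on the Apache side (the vhost for that name is not the one being selected), not in the certificate.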

Thank you, I see the mismatch issue but the cert was generated for rancher.redacted.com, from startssl. And does not produce an error in the browser which is why I said it was puzzling.

Anyhow, I’ve generated self-signed certs but they cause the agent to be in a worse condition connection wise:

ERROR: https://rancher.redacted.com/v1 is not accessible
ERROR: https://rancher.redacted.com/v1 is not accessible
ERROR: https://rancher.redacted.com/v1 is not accessible
ERROR: Could not reach https://rancher.redacted.com/v1. Giving up.

So my next idea is to run it on [www.]redacted.com on port 8081 and proxy back to 8080 and see if the agent will connect that way.