Cannot pull rancher catalogs?

I can’t pull updates to the Rancher hosted catalogs. I get 128 errors. I’m running rancher behind a proxy, but my proxy settings seem correct as I can pull the github version of the community catalog. I also can’t pull the rancher hosted catalogs from my desktop machine (not the same machine that is hosting rancher, but on the same network.) I get “fatal: unable to access ‘https://git.rancher.io/rancher-catalog.git/’: SSL certificate problem: unable to get local issuer certificate” there. My corporate overlords do SSL interception on the network, but again GitHub is working on the Rancher machine, so I’m not certain that is a culprit. Any thoughts?

I’m guessing maybe the corporate overlord proxy special-cases some domains (SNI hosts) for some reason? git.rancher.io ironically exists because some customers have all of GitHub blocked from server networks as corporate policy. It has a valid cert and obviously we serve up enough of the chain for the server container to verify it…

If you do openssl s_client -connect git.rancher.io:443 who’s the cert issued by? How about GitHub.com, or a random TLS domain?

See, I thought it might too, but I get “OK” when I go to git.rancher.io in a browser, so I doubt it’s a blanket block on the domain.

When I try that openssl command on the host, I get gethostbyname failure connect:errno=0. Same thing with github.com. However, if I just do a git clone https://git.rancher.io/rancher-catalog.git onto some place on the host, it will pull the repo perfectly. If I curl git.rancher.io:443 I get a 504 from the corporate proxy. This makes sense I think because curl has its own trusted certificate store and isn’t installed there by our normal cert install process.

I’m starting to think I might have to put our corporate root cert somewhere in particular to get this to work. It has to be installed on our machines in order for anything to work usually. It is installed on the host, but I wonder if it needs to be somewhere for Rancher and I just haven’t noticed yet.

Seems like several different weird things going on…

A 504 (Gateway Timeout) does not make sense; if curl doesn’t like the cert it will show the warning and tell you to use --insecure/-k. Cert verification happens during the handshake before the request. So that suggests curl is happy with the cert returned, sends the request, and the proxy attempts to contact the actual git.rancher.io but does not get a response.

Separately, gethostbyname failure means the DNS lookup failed…

Yes, the cert being on the host isn’t going to help the server container. You can use the same bind-mount in https://rancher.com/docs/rancher/v1.6/en/installing-rancher/installing-server/basic-ssl-config/#using-self-signed-certs-beta to add more ca-certs to the container.
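To tie the diagnosis in this thread together, here is an added example (not from any of the posters or from Rancher) that runs the same openssl and curl probes against a host and maps their output to the three distinct causes discussed: a DNS failure, an intercepting CA that is not in the local trust store, and a proxy that completed the handshake but could not reach the origin. The hostnames are the ones from the thread; the sample outputs in the comments are constructed, not real captures.

```shell
#!/bin/sh
# Added example, not from the thread. Run the probes used in the posts and
# print the raw output for one host (e.g. git.rancher.io or github.com).
probe_host() {
  host="$1"
  printf '== openssl s_client %s ==\n' "$host"
  openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>&1 \
    | openssl x509 -noout -issuer -subject 2>&1
  printf '== curl %s ==\n' "$host"
  # Only the HTTP status is printed; a cert failure shows up as curl's error text instead.
  curl -sS -o /dev/null -w '%{http_code}\n' "https://$host/" 2>&1
}

# Map probe output to a cause, using the reasoning from the thread:
#   "gethostbyname failure"             -> DNS resolution failed; certs are not involved
#   "unable to get local issuer ..."    -> the intercepting CA is missing from this trust store
#   handshake ok but "504"              -> cert accepted, proxy could not reach the origin
#   an issuer line and no error         -> handshake fine from this vantage point
classify_probe() {
  out="$1"
  case "$out" in
    *"gethostbyname failure"*)                 echo "dns" ;;
    *"unable to get local issuer certificate"*) echo "untrusted-ca" ;;
    *"504"*)                                   echo "proxy-upstream" ;;
    *"issuer="*)                               echo "handshake-ok" ;;
    *)                                         echo "unknown" ;;
  esac
}

# Extract the issuer line so two hosts can be compared: a different issuer for
# git.rancher.io than for github.com on the same network means the proxy is
# special-casing one of them, which is the question raised in the thread.
issuer_of() {
  printf '%s\n' "$1" | sed -n 's/^issuer=//p' | head -n 1
}

# Typical use (needs network): compare the two hosts from the thread.
# for h in git.rancher.io github.com; do
#   out="$(probe_host "$h")"; echo "$h: $(classify_probe "$out") [$(issuer_of "$out")]"
# done
```

Run the probe from both the host and inside the rancher/server container; a result of untrusted-ca only inside the container points at the bind-mount fix in the post above, while dns or proxy-upstream points at the network rather than the certificate.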