GeoTrust Global CA not supported?

I set up a Rancher server behind an AWS ELB with SSL. I followed the instructions on the basic-ssl-config page. Accessing Rancher via the web browser works fine and looking in the console I even see a socket open, so I am fairly confident the config on the ELB is correct. The issue is when trying to add an agent I keep getting the following error:

ERROR: is not accessible

Running a curl request gives me the following error:
SSL certificate problem: unable to get local issuer certificate

If I run the same curl request with the --insecure option I get the proper response. What is odd to me is the root CA for my cert is GeoTrust Global CA, which is very common and included in the standard Ubuntu CA bundle.

root@1817a11c1c05:/# ls /etc/ssl/certs | grep GeoTrust
GeoTrust_Global_CA.pem

I would also like to note that the cert is a wildcard cert and running the curl request from my Mac works without needing the --insecure option.

Any insight would be greatly appreciated.


The agent image is also Ubuntu, so my guess would be your cert is signed by an intermediate cert that is not being sent. And that intermediate may happen to be in browser/Mac OS stores so it still validates there, but not be present in Ubuntu 14.04. You can go to a host and try:

docker run --entrypoint openssl rancher/agent:v0.11.0 s_client -CApath /etc/ssl/certs/ -connect

Thanks for such a quick response.

You're right, looks like the issue is with RapidSSL.

OU = See (c)15, OU = Domain Control Validated - RapidSSL(R), CN = *
verify error:num=20:unable to get local issuer certificate

I tried to install the Intermediate cert on the container, but still received the error.