How to upgrade Rancher agents to use SSL?

Hi all,

I have an existing Rancher Server with a number of Rancher Agents running on custom hosts. I’d like to upgrade my Rancher cluster to use SSL.

I’ve installed an NGINX container which uses SSL and which sits in front of the Rancher Server, which I created per Installing Rancher Server With SSL. I can reach my Rancher Server over SSL from my Workstation and using curl from a Docker host.

My questions:

  • How do I re-register my Rancher Agents with the new https:// URL? Should I be able to re-run the command via Infrastructure > Hosts > Add Host? Do I delete the old agents and start up a new agent?
  • Do I need to include the CA cert? How would I do that?
  • How can I tell that an Agent is now connected to the Rancher Server via https?

I ask, because simply re-running the new host registration command using the new https:// URL isn’t working.

-= Stefan

Is this a self-signed certificate? Assuming a public certificate, all you’ll need to do is run that new add host command. No need to kill the old agents.

If you’re using self-signed certificates, follow the instructions to add the CA cert to your hosts: http://docs.rancher.com/rancher/v1.3/en/installing-rancher/installing-server/basic-ssl-config/#using-self-signed-certs-beta

This is a public certificate, but it’s from GoDaddy and some systems sometimes need an intermediate CA Cert to be provided.

When I try to run the new Docker command, it fails with a vague error. Any idea what this means?

[root@docker01 ~]# docker run -d --privileged -v /var/run/docker.sock:/var/run/docker.sock -v /var/lib/rancher:/var/lib/rancher rancher/agent:v1.1.2 https://rancher.example.org/v1/scripts/123:456:ABCD
123456ABCEDFG
[root@docker01 ~]# docker ps -a |grep rancher/agent
9309284fe5b6        rancher/agent:v1.1.2                    "/run.sh https://ranch"   8 seconds ago       Exited (1) 1 seconds ago      
[root@docker01 ~]# docker logs 9309284fe5b6
Updating certificates in /etc/ssl/certs...
WARNING: rancherAddedCA.pem does not contain a certificate or CRL: skipping
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

INFO: Running Agent Registration Process, CATTLE_URL=https://rancher.example.org/v1
INFO: Attempting to connect to: https://rancher.example.org/v1
INFO: https://rancher.example.org/v1 is accessible
Traceback (most recent call last):
  File "./resolve_url.py", line 9, in <module>
    r = requests.get(url)
  File "/usr/local/lib/python2.7/dist-packages/requests/api.py", line 70, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/api.py", line 56, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 488, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 609, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/adapters.py", line 497, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: unknown error (_ssl.c:2831)
curl: no URL specified!
curl: try 'curl --help' or 'curl --manual' for more information

ERROR: returned
ERROR: --- START ---
ERROR: --- END ---
ERROR: Failed to load registration env from CATTLE_URL=https://rancher.example.org/v1 ENV_URL=
ERROR: Please ensure the proper value for the Host Registration URL is set
[root@docker01 ~]#
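
A check relevant to the intermediate-certificate question raised in this thread, as an added example that is not part of any post and not Rancher's own tooling: it tests whether a PEM bundle, such as the certificate file the NGINX proxy serves, contains the leaf followed by its intermediate(s) in order. It assumes `openssl` is installed; `check_bundle`, `make_demo_chain` and the `demo-*` certificates are names and sample data constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): check the PEM bundle a TLS proxy serves.
# The leaf certificate must come first, followed by its intermediate(s).
# check_bundle FILE -> prints the subjects in file order and returns
#   0 chain links in order (or one self-signed cert)   1 leaf only, no intermediate
#   2 certificates out of order                        3 no certificate in the file
check_bundle() {
  local bundle=$1 dir n i=1 rc=0
  dir=$(mktemp -d) || return 3
  # Split the bundle into one numbered file per PEM certificate block.
  n=$(awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/{n++}
        n{print > (d "/" n ".pem")} END{print n+0}' "$bundle")
  if [ "$n" -eq 0 ]; then rm -rf "$dir"; return 3; fi
  while [ "$i" -le "$n" ]; do
    printf '%s: ' "$i"; openssl x509 -noout -subject -in "$dir/$i.pem"
    # The issuer name hash of certificate i must equal the subject name hash of i+1.
    if [ "$i" -lt "$n" ] && [ "$(openssl x509 -noout -issuer_hash -in "$dir/$i.pem")" != \
         "$(openssl x509 -noout -subject_hash -in "$dir/$((i + 1)).pem")" ]; then rc=2; fi
    i=$((i + 1))
  done
  # A single certificate that is not self-signed means the intermediate is missing.
  if [ "$n" -eq 1 ] && [ "$(openssl x509 -noout -issuer_hash -in "$dir/1.pem")" != \
       "$(openssl x509 -noout -subject_hash -in "$dir/1.pem")" ]; then rc=1; fi
  rm -rf "$dir"
  return "$rc"
}

# make_demo_chain DIR -> constructed sample data: demo-root -> demo-int -> demo-leaf
make_demo_chain() {
  local d=$1 name issuer=""
  for name in root int leaf; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-$name" \
      -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
    if [ -z "$issuer" ]; then   # the root signs itself
      openssl x509 -req -in "$d/$name.csr" -signkey "$d/$name.key" \
        -out "$d/$name.pem" -days 1 2>/dev/null
    else                        # everything else is signed by the previous certificate
      openssl x509 -req -in "$d/$name.csr" -CA "$d/$issuer.pem" -CAkey "$d/$issuer.key" \
        -set_serial 1 -out "$d/$name.pem" -days 1 2>/dev/null
    fi
    issuer=$name
  done
}

demo=$(mktemp -d) && make_demo_chain "$demo"
cat "$demo/leaf.pem" > "$demo/leaf-only.pem"                    # bundle with the leaf only
cat "$demo/leaf.pem" "$demo/int.pem" > "$demo/fullchain.pem"    # leaf followed by intermediate
check_bundle "$demo/leaf-only.pem"; echo "leaf-only.pem -> $?"
check_bundle "$demo/fullchain.pem"; echo "fullchain.pem -> $?"
```

A return value of 1 on the served bundle means clients receive only the leaf and must already know the intermediate themselves, which is the situation where some systems fail and others succeed.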

I have the same issue, and lots of people have issues when running Rancher behind https:

Lots of potential solutions; I did not have enough time to try them all, and I am still blocked.