Problems With Rancher Installation

Good Day,

I’ve been trying to install Rancher on an HA cluster scheme.
First, I tried the HA air gap install.
Second, I set up a proxy on the servers and tried the normal HA install.

I’m installing behind an L7 LB (HAProxy and Keepalived) that terminates SSL for me, so I didn’t install cert-manager and used --set tls=external on the installation according to documentation.

Everything works fine and all the pods are running. There are no events, and the logs don’t show anything special, with the exception of the Rancher logs showing these lines:

2019/10/30 10:25:31 [ERROR] CatalogController library [catalog] failed with : Clone failed: Cloning into ‘management-state/catalog-cache/380859f1003fe7603cddc6c15b34b7263f1f0deaa92ddcde465811d032ee7078’…
fatal: unable to access ‘https://git.rancher.io/charts/’: Failed to connect to git.rancher.io port 443: Connection timed out
2019/10/30 10:24:38 [ERROR] ClusterController local [cluster-deploy] failed with : waiting for server-url setting to be set

Those errors seem normal because the git project doesn’t exist and I still haven’t logged into the website to choose the site URL.

When I try to go directly to the Rancher UI using the node, I get this:
curl http://[node].[domain] -> default backend - 404

but the healthz gives me an HTTP 200:
curl http://[node].[domain]/healthz -v -> … < HTTP/1.1 200 OK …

That is what happens when i connect directly to the ingress.
If I use the DNS of the external load balancer:
https://[FQDN] -> infinite redirects to the root (/) path

health checks:
https://[FQDN]/healthz -> error 400

I checked the ingress logs and my request for /healthz goes there but doesn’t seem to be forwarded to the Rancher service.

I haven’t yet been able to see the Rancher UI in any of my installations.

Rancher version: 2.3.2
Docker version: 18.09.9
Kubernetes version: server v1.15.5, client v1.12.9
Helm version: 2.15.1

OS: Red Hat 7.7

Is your web proxy doing SSL inspection / spoofing of any kind? The proxy’s certificate is not trusted in the Rancher containers and this will prevent git, wget and others from connecting.

I was able to solve the problem. (Or avoid it)

Rancher always redirects to SSL. I tried all the flags I could in ingress and Rancher installation and the result was always the same. Rancher will redirect to SSL.

My HAProxy will terminate SSL and forward to HTTP. So I had a beautiful cycle of redirects. I just had to accept --set tls=external doesn’t work and modified my HAProxy to allow Rancher to do whatever it wants.