Rancher 2.0.2 HA Install getting default backend 404

I am trying to set up Rancher:latest using the documentation provided here - https://rancher.com/docs/rancher/v2.x/en/installation/ha-server-install-external-lb/

Here is how my setup looks:

Hosts: 3 CentOS 7.5 hosts with docker version 17.03.2 installed. Firewall disabled.
host1.example.com
host2.example.com
host3.example.com

Here is my rancher-cluster.yml: based on this template - https://raw.githubusercontent.com/rancher/rancher/58e695b51096b1f404188379cea6f6a35aea9e4c/rke-templates/3-node-externalssl-recognizedca.yml

nodes:
  - address: host1.example.com # hostname or IP to access nodes
    user: rke # root user (usually 'root')
    role: [controlplane,etcd,worker] # K8s roles for node
    ssh_key_path: /Users/rancher/.ssh/id_rsa
  - address: host2.example.com
    user: rke
    role: [controlplane,etcd,worker]
    ssh_key_path: /Users/rancher/.ssh/id_rsa
  - address: host3.example.com
    user: rke
    role: [controlplane,etcd,worker]
    ssh_key_path: /Users/rancher/.ssh/id_rsa

addons: |-
  ---
  kind: Namespace
  apiVersion: v1
  metadata:
    name: cattle-system
  ---
  kind: ServiceAccount
  apiVersion: v1
  metadata:
    name: cattle-admin
    namespace: cattle-system
  ---
  kind: ClusterRoleBinding
  apiVersion: rbac.authorization.k8s.io/v1
  metadata:
    name: cattle-crb
    namespace: cattle-system
  subjects:
  - kind: ServiceAccount
    name: cattle-admin
    namespace: cattle-system
  roleRef:
    kind: ClusterRole
    name: cluster-admin
    apiGroup: rbac.authorization.k8s.io
  ---
  apiVersion: v1
  kind: Service
  metadata:
    namespace: cattle-system
    name: cattle-service
    labels:
      app: cattle
  spec:
    ports:
    - port: 80
      targetPort: 80
      protocol: TCP
      name: http
    selector:
      app: cattle
  ---
  apiVersion: extensions/v1beta1
  kind: Ingress
  metadata:
    namespace: cattle-system
    name: cattle-ingress-http
    annotations:
      nginx.ingress.kubernetes.io/proxy-connect-timeout: "30"
      nginx.ingress.kubernetes.io/proxy-read-timeout: "1800"   # Max time in seconds for ws to remain shell window open
      nginx.ingress.kubernetes.io/proxy-send-timeout: "1800"   # Max time in seconds for ws to remain shell window open
      nginx.ingress.kubernetes.io/ssl-redirect: "false"        # Disable redirect to ssl
  spec:
    rules:
    - host: rancher.example.com
      http:
        paths:
        - backend:
            serviceName: cattle-service
            servicePort: 80
  ---
  kind: Deployment
  apiVersion: extensions/v1beta1
  metadata:
    namespace: cattle-system
    name: cattle
  spec:
    replicas: 1
    template:
      metadata:
        labels:
          app: cattle
      spec:
        serviceAccountName: cattle-admin
        containers:
        - image: rancher/rancher:latest
          imagePullPolicy: Always
          name: cattle-server
          ports:
          - containerPort: 80
            protocol: TCP

I have this setup sitting behind an F5 that has a virtual pool set up for rancher.example.com with members host1.example.com:443, host2.example.com:443, host3.example.com:443. It's also using a cert signed by a recognized CA.
When I try to browse rancher.example.com, I get a return of “default backend - 404”.

I also tried to skip the F5 and create a local host entry in /etc/hosts for rancher.example.com and I still get the same results. It appears that the nginx deployment is not recognizing the FQDN and is going directly to the default backend page.

Note: the same cert works well if I set up a single-node Rancher deployment without nginx ingress using rke.

I have also tried to replace the F5 with an nginx server in front of this setup using - https://rancher.com/docs/rancher/v2.x/en/installation/ha-server-install/

For nginx, I used the template - https://raw.githubusercontent.com/rancher/rancher/e9d29b3f3b9673421961c68adf0516807d1317eb/rke-templates/3-node-certificate-recognizedca.yml

In the template I provided the base64 for my cert that had the wildcard cert and the CA cert, and for the key I provided the base64 for my cert.key file. When I tried to browse the URL - rancher.example.com after this, I got an HSTS error saying the cert is not valid, and I got a cert named - Kubernetes fake ingress controller certificate.

Can someone guide me in the right direction?
Thanks in advance.

+1

Did you manage to resolve this? My issue is related, but I ended up with this issue trying to change the main DNS name to access rancher.

Also, nearly 10 days and no response. What does one do to get issues looked at?

I believe I had the same issue. I was able to resolve my issue and posted my solution that worked.

Hello, I have the same problem, and I resolved it by adding x-forwarded-proto: https in the HTTP profile on the F5.

Hello,

We had the same problem, “default backend 404”. Our problem was the certificate. Check if your certificate was in base64.

See the troubleshooting chapter; there is information about it.

https://rancher.com/docs/rancher/v2.x/en/installation/ha-server-install/

Can you please share some details about how you have this setup on your f5?

What I have today is a pool, that has my 3 rancher nodes, and service port is 0.

Then I have 2 profiles, one for http and one for https, in my https profile I have added “x-forwarded-proto: https” in the field “Request Header Insert”

I have 2 virtual servers created, one for http and one for https. In the http virtual server, I have the policy applied to redirect to https.

Not sure what I am doing wrong.

hey hey,

Just ran into this issue and overcame it. As mentioned above, it's 90% a cert issue when you're dealing with a vanilla install.

in my case I forgot to decrypt my tls.key before base64’ing it :expressionless:

Thanks all, it works after having a valid cert.

I have my cert from Comodo, could you explain how you decrypted your TLS key? When I base64 encode my certs, the lines are way too long to remain on the same line in the cluster.yml

TIA

openssl rsa -in key.enc -out key.dec

What editor are you using?
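
The two cert problems raised in the replies above (an encrypted key that was base64-encoded as-is, and base64 output wrapped over many lines) can be checked before editing cluster.yml. This is an added example, not part of the original thread or of Rancher's tooling; the function names are made up here and the cert and key paths are whatever you pass in.

```sh
#!/bin/sh
# Added example: pre-flight checks before pasting a cert/key into cluster.yml.

# Succeeds (0) if the PEM private key is passphrase-protected, in either the
# PKCS#8 form or the legacy "Proc-Type: 4,ENCRYPTED" form.
key_is_encrypted() {
  grep -Eq -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' \
           -e '^Proc-Type: 4,ENCRYPTED' "$1"
}

# Prints the base64 of a file as one line. Some base64 builds wrap at 76
# columns, so newlines are stripped instead of relying on a GNU-only flag.
b64_one_line() {
  base64 < "$1" | tr -d '\n'
}

# Succeeds if the first certificate in $1 and the key in $2 hold the same
# public key. Needs openssl; the empty -passin stops it from prompting.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 2
  [ "$cert_pub" = "$key_pub" ]
}

# Args: cert.pem key.pem. Prints the two single-line values, or explains
# on stderr why the pair should not be used.
preflight() {
  if key_is_encrypted "$2"; then
    echo "key is encrypted; decrypt it first (openssl rsa -in $2 -out key.dec)" >&2
    return 1
  fi
  if ! key_matches_cert "$1" "$2"; then
    echo "certificate and key do not match, or could not be parsed" >&2
    return 1
  fi
  echo "tls.crt: $(b64_one_line "$1")"
  echo "tls.key: $(b64_one_line "$2")"
}

# Run the check only when called with a cert and a key path.
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```
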