Rancher 2.x HA install and SSL termination

I followed the install steps, including "4. Install Rancher":

Choose your SSL Configuration

I chose the letsencrypt option: ingress.tls.source=letsEncrypt

My nodes are showing up and the command

$ kubectl -n cattle-system describe certificate

has the following output:

    Name:         tls-rancher-ingress
Namespace:    cattle-system
Labels:       <none>
Annotations:  <none>
API Version:  certmanager.k8s.io/v1alpha1
Kind:         Certificate
  Creation Timestamp:  2018-11-28T11:33:32Z
  Generation:          1
  Owner References:
    API Version:           extensions/v1beta1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  Ingress
    Name:                  rancher
    UID:                   6c4df1d7-f301-11e8-b80c-xxxxxxxxxx
  Resource Version:        12267
  Self Link:               /apis/certmanager.k8s.io/v1alpha1/namespaces/cattle-system/certificates/tls-rancher-ingress
  UID:                     6f4be82e-f301-11e8-b9b2-xxxxxxxxxx
      Http 01:
  Dns Names:
  Issuer Ref:
    Kind:       Issuer
    Name:       rancher
  Secret Name:  tls-rancher-ingress
        Authz URL:  https://acme-v02.api.letsencrypt.org/acme/authz/kB2WCz6sla63jnziznJLekiscuk5zNS0F0kP8EuuYic
        Domain:            rancher.domain.me
        Http 01:
        Key:        CWRNPGMVTCyN_0Lr4Jl-g0YC_zel8GJipzFOaeaArgo.zBSljLgmnxxxxxxxxxxxxxxxxxxxxxxxxxx
        Token:      CWRNPGMVTCyN_0Lr4Jl-g0Y_xxxxxxxxxxxxxxxx
        Type:       http-01
        URL:        https://acme-v02.api.letsencrypt.org/acme/challenge/kB2WCz6sla63jnziznJLekixxxxxxxxxxx
        Wildcard:   false
      URL:          https://acme-v02.api.letsencrypt.org/acme/order/46656055/195802677
    Last Transition Time:  2018-11-28T12:01:21Z
    Message:               http-01 self check failed for domain "rancher.domain.me"
    Reason:                ValidateError
    Status:                False
    Type:                  Ready
  Type    Reason       Age   From          Message
  ----    ------       ----  ----          -------
  Normal  CreateOrder  27m   cert-manager  Created new ACME order, attempting validation... 

And when I try to access the public URL, Chrome or Firefox says the certificate is invalid.

And the nginx config I use on a separate node (with public DNS) is as per the documentation:

worker_processes 4;
worker_rlimit_nofile 40000;

events {
    worker_connections 8192;
}

# Port 80: everything is redirected to https, nothing is proxied.
http {
    server {
        listen         80;
        return 301 https://$host$request_uri;
    }
}

# Port 443: layer 4 TCP passthrough to the three Rancher nodes.
stream {
    upstream rancher_servers {
        server <IP_NODE_1>:443 max_fails=3 fail_timeout=5s;
        server <IP_NODE_2>:443 max_fails=3 fail_timeout=5s;
        server <IP_NODE_3>:443 max_fails=3 fail_timeout=5s;
    }
    server {
        listen     443;
        proxy_pass rancher_servers;
    }
}

Maybe on a custom cluster, it is impossible to use a layer 4 TCP load balancer … as mentioned in


I’m highly interested in this, too. Except I will not use Let’s Encrypt.

I know that TCP load balancers will work because I am using an HAProxy TCP load balancer in front of my cluster and it works great. Do you get the same error if you go directly to each backend server?

I’m having trouble with this as well. The ingress is running on each node, and cert-manager is running, but Let’s Encrypt can’t perform the http-01 check because the TCP load balancing doesn’t seem correct. All traffic is redirected to https:// and fails to load without a cert.

I’ve used nginx for HTTP load balancing before, but never TCP load balancing. I’m using the configuration directly from the Rancher docs https://rancher.com/docs/rancher/v2.x/en/installation/ha/create-nodes-lb/nginx/

I’m continuing to play with this, but any assistance pointing me in the right direction would be great.

Any update on this?

I’m using the same setup as above, following the Rancher docs with the nginx LB, cert-manager and Let’s Encrypt.
I keep getting the http-01 self check failed.


The http-01 challenge is http(not s) only, so you probably need to proxy port 80 too (at least for the challenge URL) instead of unconditionally redirecting to https.
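To make that concrete, here is an added example nginx configuration (written for this thread, not taken from the Rancher docs or any poster) that keeps the layer 4 passthrough on 443 from the config above but forwards only the ACME challenge path on port 80 to the ingress on the nodes, redirecting everything else; the <IP_NODE_n> placeholders and the assumption that the ingress on each node listens on port 80 are mine.

```nginx
worker_processes 4;
worker_rlimit_nofile 40000;

events {
    worker_connections 8192;
}

# Layer 7 on port 80: forward only the ACME http-01 challenge path to the
# ingress on the nodes (assumed to listen on :80); redirect everything else.
http {
    upstream rancher_http {
        server <IP_NODE_1>:80 max_fails=3 fail_timeout=5s;
        server <IP_NODE_2>:80 max_fails=3 fail_timeout=5s;
        server <IP_NODE_3>:80 max_fails=3 fail_timeout=5s;
    }

    server {
        listen 80;

        # Let's Encrypt validates http-01 over plain HTTP at this path, so the
        # request must reach the ingress (and cert-manager's solver) unredirected.
        location /.well-known/acme-challenge/ {
            proxy_pass http://rancher_http;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        # All other plain-HTTP traffic still goes to https.
        location / {
            return 301 https://$host$request_uri;
        }
    }
}

# Layer 4 on port 443: TCP passthrough, TLS is terminated by the ingress.
stream {
    upstream rancher_tls {
        server <IP_NODE_1>:443 max_fails=3 fail_timeout=5s;
        server <IP_NODE_2>:443 max_fails=3 fail_timeout=5s;
        server <IP_NODE_3>:443 max_fails=3 fail_timeout=5s;
    }

    server {
        listen 443;
        proxy_pass rancher_tls;
    }
}
```

A quick external check is `curl -I http://rancher.domain.me/.well-known/acme-challenge/probe`: it should now be answered by the ingress (typically a 404 for an unknown token) rather than a 301 to https, which is what the self check needs.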