Hi,
I followed install steps including 4. Install Rancher
https://rancher.com/docs/rancher/v2.x/en/installation/ha/helm-rancher/
Choose your SSL Configuration
I chose the letsencrypt option: ingress.tls.source=letsEncrypt
My nodes are showing up and the command
$ kubectl -n cattle-system describe certificate
has the following output:
Name:         tls-rancher-ingress
Namespace:    cattle-system
Labels:       <none>
Annotations:  <none>
API Version:  certmanager.k8s.io/v1alpha1
Kind:         Certificate
Metadata:
  Creation Timestamp:  2018-11-28T11:33:32Z
  Generation:          1
  Owner References:
    API Version:           extensions/v1beta1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  Ingress
    Name:                  rancher
    UID:                   6c4df1d7-f301-11e8-b80c-xxxxxxxxxx
  Resource Version:        12267
  Self Link:               /apis/certmanager.k8s.io/v1alpha1/namespaces/cattle-system/certificates/tls-rancher-ingress
  UID:                     6f4be82e-f301-11e8-b9b2-xxxxxxxxxx
Spec:
  Acme:
    Config:
      Domains:
        rancher.domain.me
      Http 01:
        Ingress:
  Dns Names:
    rancher.domain.me
  Issuer Ref:
    Kind:  Issuer
    Name:  rancher
  Secret Name:  tls-rancher-ingress
Status:
  Acme:
    Order:
      Challenges:
        Authz URL:  https://acme-v02.api.letsencrypt.org/acme/authz/kB2WCz6sla63jnziznJLekiscuk5zNS0F0kP8EuuYic
        Domain:     rancher.domain.me
        Http 01:
          Ingress:
        Key:        CWRNPGMVTCyN_0Lr4Jl-g0YC_zel8GJipzFOaeaArgo.zBSljLgmnxxxxxxxxxxxxxxxxxxxxxxxxxx
        Token:      CWRNPGMVTCyN_0Lr4Jl-g0Y_xxxxxxxxxxxxxxxx
        Type:       http-01
        URL:        https://acme-v02.api.letsencrypt.org/acme/challenge/kB2WCz6sla63jnziznJLekixxxxxxxxxxx
        Wildcard:   false
      URL:  https://acme-v02.api.letsencrypt.org/acme/order/46656055/195802677
  Conditions:
    Last Transition Time:  2018-11-28T12:01:21Z
    Message:               http-01 self check failed for domain "rancher.domain.me"
    Reason:                ValidateError
    Status:                False
    Type:                  Ready
Events:
  Type    Reason       Age  From          Message
  ----    ------       ---  ----          -------
  Normal  CreateOrder  27m  cert-manager  Created new ACME order, attempting validation...
And when I try to access the public URL, Chrome or Firefox say the certificate is invalid.
And the nginx config I use on a separate node (with public DNS) is as per the documentation:
worker_processes 4;
worker_rlimit_nofile 40000;

events {
    worker_connections 8192;
}

http {
    server {
        listen 80;
        return 301 https://$host$request_uri;
    }
}

stream {
    upstream rancher_servers {
        least_conn;
        server <IP_NODE_1>:443 max_fails=3 fail_timeout=5s;
        server <IP_NODE_2>:443 max_fails=3 fail_timeout=5s;
        server <IP_NODE_3>:443 max_fails=3 fail_timeout=5s;
    }
    server {
        listen 443;
        proxy_pass rancher_servers;
    }
}
Maybe on a custom cluster it is impossible to use a layer 4 TCP load balancer … as mentioned in
https://rancher.com/docs/rancher/v2.x/en/k8s-in-rancher/load-balancers-and-ingress/load-balancers/#support-for-layer-4-load-balancing
?
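The "http-01 self check failed" condition means cert-manager could not fetch its own challenge response: the HTTP-01 validation fetches http://<domain>/.well-known/acme-challenge/<token> over plain HTTP on port 80, so it must reach the ingress on the nodes, while the nginx `http` block above answers every port-80 request with a 301 to HTTPS. The script below is an added diagnostic, not code from the post or from the Rancher documentation; it reproduces that first hop without following redirects so you can see exactly what the load balancer returns. The function names, the verdict strings and the `--resolve` override (to aim the probe at a specific load-balancer IP before public DNS is changed) are my own choices; the token in the usage line is a constructed placeholder, the real one is in the `Token:` field of the describe output.

```shell
#!/usr/bin/env bash
# Added diagnostic for cert-manager HTTP-01 self-check failures.
# Not part of the original post or of the Rancher docs.

ACME_PATH="/.well-known/acme-challenge"

# challenge_url DOMAIN TOKEN
# Prints the URL cert-manager's self check requests (plain HTTP, port 80).
challenge_url() {
  printf 'http://%s%s/%s\n' "$1" "$ACME_PATH" "$2"
}

# probe_http01 DOMAIN TOKEN [LB_IP]
# Performs a single request with redirects disabled and prints
# "<http_code> <redirect_url>" (redirect_url empty when no Location header).
# LB_IP, if given, pins the host name to that address via curl --resolve.
probe_http01() {
  local domain="$1" token="$2" lb_ip="${3:-}"
  local resolve_opt=""
  [ -n "$lb_ip" ] && resolve_opt="--resolve ${domain}:80:${lb_ip}"
  # shellcheck disable=SC2086  # resolve_opt is intentionally word-split
  curl -s -o /dev/null --max-time 10 $resolve_opt \
       -w '%{http_code} %{redirect_url}' \
       "$(challenge_url "$domain" "$token")"
}

# classify_probe HTTP_CODE [REDIRECT_URL]
# Turns the probe result into a verdict. Exit status 0 only for "ok".
classify_probe() {
  local code="$1" location="${2:-}"
  case "$code" in
    200)
      echo "ok: challenge path reached the ingress over port 80"
      return 0 ;;
    301|302|307|308)
      case "$location" in
        https://*)
          echo "redirect-to-https: port 80 is redirected to HTTPS before the request reaches the ingress" ;;
        *)
          echo "redirect: port 80 answers with a redirect to ${location:-<no Location>}" ;;
      esac
      return 1 ;;
    000)
      echo "unreachable: no HTTP answer on port 80 (DNS, firewall or nothing listening)"
      return 1 ;;
    *)
      echo "unexpected-status: ${code} (the challenge path is not served by the ingress)"
      return 1 ;;
  esac
}

# Usage: ./acme-probe.sh rancher.domain.me <token-from-describe-output> [LB_IP]
if [ "$#" -ge 2 ]; then
  read -r code location <<EOF
$(probe_http01 "$1" "$2" "${3:-}")
EOF
  classify_probe "$code" "$location"
fi
```

Run it from a host outside the cluster first, then from inside a pod in cattle-system, since the self check is made from inside the cluster and the two may resolve the domain differently. A 200 carrying the key/token body is what cert-manager expects; anything else on the first hop is the thing to fix on the load balancer before looking at the Rancher ingress itself.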