Rancher 2.x HA install and SSL termination

Rancher
1

Hi,
I followed install steps including 4. Install Rancher
https://rancher.com/docs/rancher/v2.x/en/installation/ha/helm-rancher/

Choose your SSL Configuration

I choosed letsencrypt option : ingress.tls.source=letsEncrypt

My nodes are showing up and the command

$ kubectl -n cattle-system describe certificate

has the following output :

    Name:         tls-rancher-ingress
Namespace:    cattle-system
Labels:       <none>
Annotations:  <none>
API Version:  certmanager.k8s.io/v1alpha1
Kind:         Certificate
Metadata:
  Creation Timestamp:  2018-11-28T11:33:32Z
  Generation:          1
  Owner References:
    API Version:           extensions/v1beta1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  Ingress
    Name:                  rancher
    UID:                   6c4df1d7-f301-11e8-b80c-xxxxxxxxxx
  Resource Version:        12267
  Self Link:               /apis/certmanager.k8s.io/v1alpha1/namespaces/cattle-system/certificates/tls-rancher-ingress
  UID:                     6f4be82e-f301-11e8-b9b2-xxxxxxxxxx
Spec:
  Acme:
    Config:
      Domains:
        rancher.domain.me
      Http 01:
        Ingress:  
  Dns Names:
        rancher.domain.me
  Issuer Ref:
    Kind:       Issuer
    Name:       rancher
  Secret Name:  tls-rancher-ingress
Status:
  Acme:
    Order:
      Challenges:
        Authz URL:  https://acme-v02.api.letsencrypt.org/acme/authz/kB2WCz6sla63jnziznJLekiscuk5zNS0F0kP8EuuYic
        Domain:            rancher.domain.me
        Http 01:
          Ingress:  
        Key:        CWRNPGMVTCyN_0Lr4Jl-g0YC_zel8GJipzFOaeaArgo.zBSljLgmnxxxxxxxxxxxxxxxxxxxxxxxxxx
        Token:      CWRNPGMVTCyN_0Lr4Jl-g0Y_xxxxxxxxxxxxxxxx
        Type:       http-01
        URL:        https://acme-v02.api.letsencrypt.org/acme/challenge/kB2WCz6sla63jnziznJLekixxxxxxxxxxx
        Wildcard:   false
      URL:          https://acme-v02.api.letsencrypt.org/acme/order/46656055/195802677
  Conditions:
    Last Transition Time:  2018-11-28T12:01:21Z
    Message:               http-01 self check failed for domain "rancher.domain.me"
    Reason:                ValidateError
    Status:                False
    Type:                  Ready
Events:
  Type    Reason       Age   From          Message
  ----    ------       ----  ----          -------
  Normal  CreateOrder  27m   cert-manager  Created new ACME order, attempting validation...

And when I try to access to the public URL chrome or firefox says the certificate is invalid.

And the nginx config I use on a separate node (with public DNS) is as per documentation :

worker_processes 4;
worker_rlimit_nofile 40000;

events {
    worker_connections 8192;
}

http {
    server {
        listen         80;
        return 301 https://$host$request_uri;
    }
}

stream {
    upstream rancher_servers {
        least_conn;
        server <IP_NODE_1>:443 max_fails=3 fail_timeout=5s;
        server  <IP_NODE_2>:443 max_fails=3 fail_timeout=5s;
        server  <IP_NODE_3>:443 max_fails=3 fail_timeout=5s;
    }
    server {
        listen     443;
        proxy_pass rancher_servers;
    }
}

Maybe on a custom cluster, it is impossible to user a TCP 4 layer load-balancer … as mentionned in
https://rancher.com/docs/rancher/v2.x/en/k8s-in-rancher/load-balancers-and-ingress/load-balancers/#support-for-layer-4-load-balancing

?

2

I’m highly interested in this, too. Except i will not use Let’sEncrypt.

3

I know that TCP load balancers will work because I am using an HAProxy TCP load balancer in front of my cluster and it works great. Do you get the same error if you go directly to each backend server?

4

I’m having trouble with this as well. The ingress is running on each node, and cert-manager is running, but LetsEncrypt can’t perform the http-01 check because the TCP load balancing doesn’t seem correct. All traffic is re-directed to https:// and fails to load without a cert.

I’ve used nginx for HTTP load balancing before, but never TCP load balancing. I’m using the configuration directly from the Rancher docs https://rancher.com/docs/rancher/v2.x/en/installation/ha/create-nodes-lb/nginx/

I’m continuing to play with this, but any assistance pointing me in the right direction would be great.

5

Any update on this?

I’m using the same setup as above following the Rancher docs with nginx lbl, cert-manager and LetsEncrypt.
I keep getting the http-01 self check failed

1 Like
6

The http-01 challenge is http(not s) only, so you probably need to proxy port 80 too (at least for the challenge URL) instead of unconditionally redirecting to https.