Rancher 2.x HA install and SSL termination


#1

Hi,
I followed the install steps, including 4. Install Rancher
https://rancher.com/docs/rancher/v2.x/en/installation/ha/helm-rancher/

Choose your SSL Configuration

I chose the letsencrypt option: ingress.tls.source=letsEncrypt

My nodes are showing up and the command

$ kubectl -n cattle-system describe certificate

has the following output:

Name:         tls-rancher-ingress
Namespace:    cattle-system
Labels:       <none>
Annotations:  <none>
API Version:  certmanager.k8s.io/v1alpha1
Kind:         Certificate
Metadata:
  Creation Timestamp:  2018-11-28T11:33:32Z
  Generation:          1
  Owner References:
    API Version:           extensions/v1beta1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  Ingress
    Name:                  rancher
    UID:                   6c4df1d7-f301-11e8-b80c-xxxxxxxxxx
  Resource Version:        12267
  Self Link:               /apis/certmanager.k8s.io/v1alpha1/namespaces/cattle-system/certificates/tls-rancher-ingress
  UID:                     6f4be82e-f301-11e8-b9b2-xxxxxxxxxx
Spec:
  Acme:
    Config:
      Domains:
        rancher.domain.me
      Http 01:
        Ingress:  
  Dns Names:
        rancher.domain.me
  Issuer Ref:
    Kind:       Issuer
    Name:       rancher
  Secret Name:  tls-rancher-ingress
Status:
  Acme:
    Order:
      Challenges:
        Authz URL:  https://acme-v02.api.letsencrypt.org/acme/authz/kB2WCz6sla63jnziznJLekiscuk5zNS0F0kP8EuuYic
        Domain:            rancher.domain.me
        Http 01:
          Ingress:  
        Key:        CWRNPGMVTCyN_0Lr4Jl-g0YC_zel8GJipzFOaeaArgo.zBSljLgmnxxxxxxxxxxxxxxxxxxxxxxxxxx
        Token:      CWRNPGMVTCyN_0Lr4Jl-g0Y_xxxxxxxxxxxxxxxx
        Type:       http-01
        URL:        https://acme-v02.api.letsencrypt.org/acme/challenge/kB2WCz6sla63jnziznJLekixxxxxxxxxxx
        Wildcard:   false
      URL:          https://acme-v02.api.letsencrypt.org/acme/order/46656055/195802677
  Conditions:
    Last Transition Time:  2018-11-28T12:01:21Z
    Message:               http-01 self check failed for domain "rancher.domain.me"
    Reason:                ValidateError
    Status:                False
    Type:                  Ready
Events:
  Type    Reason       Age   From          Message
  ----    ------       ----  ----          -------
  Normal  CreateOrder  27m   cert-manager  Created new ACME order, attempting validation... 

And when I try to access the public URL, Chrome or Firefox says the certificate is invalid.

And the nginx config I use on a separate node (with public DNS) is as per the documentation:

worker_processes 4;
worker_rlimit_nofile 40000;

events {
    worker_connections 8192;
}

http {
    server {
        listen         80;
        return 301 https://$host$request_uri;
    }
}

stream {
    upstream rancher_servers {
        least_conn;
        server <IP_NODE_1>:443 max_fails=3 fail_timeout=5s;
        server <IP_NODE_2>:443 max_fails=3 fail_timeout=5s;
        server <IP_NODE_3>:443 max_fails=3 fail_timeout=5s;
    }
    server {
        listen     443;
        proxy_pass rancher_servers;
    }
}

Maybe on a custom cluster it is impossible to use a layer 4 TCP load balancer, as mentioned in
https://rancher.com/docs/rancher/v2.x/en/k8s-in-rancher/load-balancers-and-ingress/load-balancers/#support-for-layer-4-load-balancing
?


#2

I'm highly interested in this, too. Except I will not use Let's Encrypt.


#3

I know that TCP load balancers will work because I am using an HAProxy TCP load balancer in front of my cluster and it works great. Do you get the same error if you go directly to each backend server?
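As an added diagnostic (not part of this thread or of Rancher's docs), the following script takes the `describe certificate` output shown in #1, builds the http-01 URL that Let's Encrypt and cert-manager's self check will fetch, and lets you send that exact request either through the load balancer or straight to one backend node, as #3 suggests. It assumes the describe output keeps the `Domain:` / `Token:` lines seen above; the token and node addresses below are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: locate the http-01 challenge URL from
# `kubectl -n cattle-system describe certificate` output and probe it through
# the LB and directly against each node, to see where the self check fails.

# challenge_url: read describe-style text on stdin and print the URL the ACME
# server (and cert-manager's self check) requests for the first challenge.
challenge_url() {
    awk '/^ *Domain:/ && d == "" { d = $2 }
         /^ *Token:/  && t == "" { t = $2 }
         END { if (d != "" && t != "")
                   printf "http://%s/.well-known/acme-challenge/%s\n", d, t }'
}

# probe URL TARGET_IP: fetch URL while pinning the hostname to TARGET_IP, so
# the same Host header reaches either the LB or one node. -L follows the 301
# the LB's port 80 returns; -k skips TLS verification because the certificate
# is exactly what has not been issued yet. Prints status code and peer IP.
probe() {
    url=$1; target=$2
    host=$(printf '%s\n' "$url" | sed -E 's#^https?://([^/]+).*#\1#')
    curl -sS -o /dev/null -w "%{http_code} via %{remote_ip} ($target)\n" -L -k \
        --resolve "$host:80:$target" --resolve "$host:443:$target" "$url"
}

# Constructed sample in the shape of the output in #1 (token is a placeholder).
SAMPLE_DESCRIBE='Status:
  Acme:
    Order:
      Challenges:
        Domain:            rancher.domain.me
        Token:      EXAMPLE-TOKEN-placeholder
        Type:       http-01'

URL=$(printf '%s\n' "$SAMPLE_DESCRIBE" | challenge_url)
echo "challenge URL: $URL"

# Real use: set PROBE_TARGETS to the LB address followed by each node address,
# e.g. PROBE_TARGETS="203.0.113.10 10.0.0.11 10.0.0.12 10.0.0.13" (constructed),
# and pipe the live describe output into challenge_url instead of the sample.
for ip in ${PROBE_TARGETS:-}; do
    probe "$URL" "$ip"
done
```

A 200 with the token body only when hitting nodes directly, but not via the LB, points at the balancer; a failure on the nodes themselves means the ingress is not serving the challenge at all.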