Currently I am struggling with my Rancher setup. I am running a 3 node HA setup using Helm 2 (for GitLab integration support). The cluster is behind an L7 load balancer which manages SSL.
After this I went to the Rancher shell and tried to curl https://charts.gitlab.io
The result:
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
I also checked whether the CA structure is correct, which is the case. So it should be running.
I am behind a private CA which replaces all certs with a self-signed cert.
Am I missing something?
Thank you.
Minor Update: /v3/settings/cacerts returns me all CA Certificates
Also I don't get those errors on my servers themselves because I already added the certificates.
The configuration setting is for accessing Rancher (making sure correct CA and cert is configured), and Rancher can be accessed. The curl https://charts.gitlab.io in the shell is an outgoing connection, if that returns invalid, there is something in between tampering with the connection. Using curl -vk https://charts.gitlab.io will show you the certificate information presented which should lead you to a root cause.
If you have any proxy configuration, please share that too as it helps investigate issues.
Ok, that makes sense. The certificate is configured in Rancher, so Rancher will have no problem reaching the catalog. The procedure you are showing is from GitLab, and they have this described in the docs regarding the use of a proxy: https://docs.gitlab.com/ee/topics/autodevops/#installing-helm-behind-a-proxy
If you are using helm locally to install the runner, you should configure the local environment with a proxy so Helm can use that.
Hey now I tried to install the runner directly from the catalog. Now I am running into:
Registration attempt 13 of 30
Runtime platform arch=amd64 os=linux pid=302 revision=003fe500 version=12.7.1
WARNING: Running in user-mode.
WARNING: The user-mode requires you to manually start builds processing:
WARNING: $ gitlab-runner run
WARNING: Use sudo for system-mode:
WARNING: $ sudo gitlab-runner...
ERROR: Registering runner... failed runner=dnxi4dXg status=couldn't execute POST against https://ti-git.mah.roche.com/api/v4/runners: Post https://[redacted].com/api/v4/runners: x509: certificate signed by unknown authority
PANIC: Failed to register this runner. Perhaps you are having network problems
For my understanding:
Am I correct in my assumption that the ca-additional.pem file does not affect other pods? It’s only relevant for the Rancher system itself.
If Rancher’s own certificates are wrongly configured, the agent won’t connect and log that. If there is a proxy in between here, there is another issue that will be fixed in the upcoming release (https://github.com/rancher/rancher/issues/24876)
If Rancher itself needs to connect to some external service, it will use ca-additional.pem to validate the certificate chain (the external service still needs to provide all the certificates needed, that is the server certificate obviously and any intermediates). This will not be propagated or injected into any cluster resource (not the Rancher HA cluster or any managed cluster), this is where both GitLab docs come in with options to make sure the connection can be made successfully. (I see that my link only provides an option to provide a proxy, not a certificate to validate the connection. Your link seems to show a method to provide a certificate which will then be used in the connection)
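An added example, not code from this thread, Rancher or GitLab, of the certificate route the reply above points to: since ca-additional.pem is read only by Rancher, the runner pod has to be handed the private CA itself. It assumes the gitlab-runner Helm chart's `certsSecretName` value and its convention that the secret holds the CA under a `<gitlab-hostname>.crt` key (as the chart documents), and the hostnames and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). The private CA must be handed to the
# gitlab-runner pod separately from Rancher's ca-additional.pem.
# Assumed: chart value `certsSecretName` and the `<hostname>.crt` key name
# inside the secret, per the gitlab/gitlab-runner chart docs.
set -eu

# Ask the GitLab host to prove it chains to our private CA (same idea as the
# `curl -vk` check from the reply above). Prints openssl's verify result line;
# "0 (ok)" means the bundle is sufficient for what the server presents.
check_chain() {   # check_chain <host> <ca-bundle.pem>
    openssl s_client -connect "$1:443" -servername "$1" -CAfile "$2" </dev/null 2>/dev/null \
        | grep 'Verify return code'
}

# Sanity check before creating anything: the bundle must contain at least one
# PEM certificate block, otherwise the runner would trust nothing extra.
count_pem_certs() {   # count_pem_certs <ca-bundle.pem>
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Render a Secret whose single key is <host>.crt holding the CA bundle.
render_ca_secret() {   # render_ca_secret <secret-name> <namespace> <host> <ca-bundle.pem>
    b64=$(base64 < "$4" | tr -d '\n')
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: Opaque\ndata:\n  %s.crt: %s\n' \
        "$1" "$2" "$3" "$b64"
}

# Render the values fragment (Helm values or Rancher catalog answers) that
# points the chart at that secret.
render_runner_values() {   # render_runner_values <gitlab-url> <secret-name>
    printf 'gitlabUrl: %s\ncertsSecretName: %s\n' "$1" "$2"
}

# Typical use (constructed names):
#   count_pem_certs private-ca.pem
#   check_chain gitlab.example.com private-ca.pem
#   render_ca_secret gitlab-ca gitlab-runner gitlab.example.com private-ca.pem | kubectl apply -f -
#   render_runner_values https://gitlab.example.com gitlab-ca > runner-values.yaml
```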