How do I install my own root CA into RancherOS? I need the cert for both registries and HTTPS outbound connections, as we have an SSL transparent proxy.
I’m using cloud-config.yml to configure the environment and have tried several different methods.
I also tried to write my cert to /etc/ssl/certs/ and then wrote another file, /opt/rancher/bin/start.sh, which cats my cert to the end of /etc/ssl/certs/ca-certificates.crt and ca-certificates.crt.rancher.
But at the end of all this it doesn’t update the ca-certificates.crt file when I try to check or indeed use the cert.
I’m running out of ideas to get the root cert installed.
I haven’t found a way to set up CA certificates for HTTPS, but you should be able to use the standard method to access a Docker registry with a private CA:
I was able to use the /opt/rancher/bin/start.sh method successfully with RancherOS v1.1.2 this afternoon, with one caveat – during boot, a message scrolls by about an untrusted certificate. I added this to the above write_files configuration:
It’s not pretty, but once the console is available, I’m able to run “sudo ros engine list”. This fails if I don’t add the private CA certificates that our proxy uses.
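The start.sh approach in the reply above appends the private CA to the bundle on every boot, so without a check the bundle grows a duplicate copy each time. The script below is an added example, not code from the thread or from RancherOS: it appends the CA only when it is not already present, and includes a self-contained demo on constructed files. The PEM content in the demo is a placeholder, not a real certificate; the RancherOS paths in the trailing comments are the ones named in the thread.

```shell
#!/bin/sh
# Added example: idempotently install a private root CA into a CA bundle,
# suitable for a hook such as /opt/rancher/bin/start.sh that runs every boot.

# Append the PEM file $1 to the bundle $2 unless it is already there.
append_ca() {
    cert="$1"
    bundle="$2"
    # The second line of a PEM file is the first base64 body line; it is
    # specific enough to serve as an "already installed" marker.
    marker=$(sed -n '2p' "$cert")
    [ -n "$marker" ] || return 1          # refuse to work on an empty/odd file
    if [ -f "$bundle" ] && grep -qF -- "$marker" "$bundle"; then
        return 0                           # already present, nothing to do
    fi
    # A blank line between PEM blocks is harmless to bundle parsers and
    # protects against a bundle whose last line has no trailing newline.
    { echo; cat "$cert"; } >> "$bundle"
}

# Count how many copies of the CA in $1 the bundle $2 contains.
count_ca() {
    grep -cF -- "$(sed -n '2p' "$1")" "$2"
}

# Demo on constructed files: append twice, expect exactly one copy.
demo() {
    dir=$(mktemp -d)
    cert="$dir/private-root-ca.pem"
    bundle="$dir/ca-certificates.crt"
    # Constructed placeholder PEM blocks, not real certificates.
    printf '%s\n' '-----BEGIN CERTIFICATE-----' \
        'PLACEHOLDERROOTCANOTAREALCERTIFICATEBODY0000' \
        '-----END CERTIFICATE-----' > "$cert"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' \
        'PLACEHOLDERPUBLICCANOTAREALCERTIFICATEBODY00' \
        '-----END CERTIFICATE-----' > "$bundle"
    append_ca "$cert" "$bundle"
    append_ca "$cert" "$bundle"
    count_ca "$cert" "$bundle"             # prints 1
    rm -rf "$dir"
}

# On RancherOS the boot hook from the thread would call it with the real paths
# (cert location is an assumption; the bundle paths are the ones in the thread):
# append_ca /var/lib/rancher/conf/private-root-ca.pem /etc/ssl/certs/ca-certificates.crt
# append_ca /var/lib/rancher/conf/private-root-ca.pem /etc/ssl/certs/ca-certificates.crt.rancher
```

Run `demo` to see the check in action. Note that this only covers the system bundle used by tools like ros; a Docker registry behind a private CA is still configured the standard Docker way mentioned earlier in the thread.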
Tacked it on to the end of user_config.yml and rebooted. The KVM environment is easy to reboot: first evacuate the Rancher host, then virsh destroy --graceful, then virsh start… Bare metal is harder to reboot. VMware is harder to reboot. Cloud is easier to reboot but not as easy as KVM. Self-service KVM running Rancher hosts is the best environment. I guess that means colocating your own servers if you don’t have a data center; it’s still the best…
For authoring YAML you have to space in 4 and cat >> this into the end of the file. Use vi . to repeat the last space-in. Then paste into cat >> running in the console.
This then authorizes you to use your own organization’s wildcard certs on a secondary subdomain, for Nexus repository (free Docker registry), so that you don’t have to pay thousands for public certs.
You can also use the Rancher load balancer to map to Nexus repo folder port numbers, so you have a name instead of having to remember port numbers for every repo.
Put the Nexus folder in HTTP mode for running behind a secure proxy.
Hi! As far as I know my response above is The Way. It is easy… this is the complete answer for Rancher 1.x; Rancher 2 I dunno yet, Kubernetes seems to require the root cert in another place as well.
To install your own root CA into RancherOS, you will need to follow these steps:
1. Create a file containing your root CA certificate in PEM format. You can obtain this certificate from a trusted third party or create your own self-signed certificate.
2. Copy the certificate file to your RancherOS machine. You can use SCP or any other file transfer tool to copy the file to the machine.
3. SSH into the RancherOS machine.
4. Navigate to the /var/lib/rancher/conf directory.
5. Create a new directory called ssl.
6. Copy the certificate file into the ssl directory.
7. Create a new file called update-ca-certificates in the /var/lib/rancher/conf directory.
8. Add the following lines to the update-ca-certificates file: