rancherOS cloud-config.yml root CA

Hello,

How do I install my own root CA into RancherOS? I need the cert for both registries and HTTPS outbound connections, as we have an SSL transparent proxy.

I’m using cloud-config.yml to configure the environment, and have tried several different methods.

ca-certs:
  trusted: |
    -----BEGIN CERTIFICATE-----
    MIIGNTCCBB2gAwIBAgIJAJWkoZbtT6DeMA0GCSqGSIb3DQEBDQUAMIGwMSQwIgYD
    VQQDDBtCcml0ZVdoaXRlIFJvb3Q
    -----END CERTIFICATE-----

I also tried to write my cert to /etc/ssl/certs/ and then wrote another file, /opt/rancher/bin/start.sh, which cats my cert onto the end of /etc/ssl/certs/ca-certificates.crt and ca-certificates.crt.rancher.

But at the end of all this, it doesn’t update the ca-certificates.crt file when I check it, or indeed when I try to use the cert.

I’m running out of ideas for getting the root cert installed.

I haven’t found a way to set up CA certificates for HTTPS, but you should be able to use the standard method to access a Docker registry with a private CA:

write_files:
- content: |+
    -----BEGIN CERTIFICATE-----
    [CA cert/chain here]
    -----END CERTIFICATE-----
  owner: root
  path: /etc/docker/certs.d/registry.domain.name/ca.crt
  permissions: "0644"

Repeat as necessary for each external repository.

I was able to use the /opt/rancher/bin/start.sh method successfully with RancherOS v1.1.2 this afternoon, with one caveat – during boot, a message scrolls by about an untrusted certificate. I added this to the above write_files configuration:

- content: |+
    #!/bin/sh
    cat << _EOF_ >> /etc/ssl/certs/ca-certificates.crt
    -----BEGIN CERTIFICATE-----
    [CA cert/chain here]
    -----END CERTIFICATE-----
    _EOF_
  owner: root
  path: /opt/rancher/bin/start.sh
  permissions: "0755"

It’s not pretty, but once the console is available, I’m able to run “sudo ros engine list”. This fails if I don’t add the private CA certificates that our proxy uses.

Thanks! This worked for me.

Tacked it onto the end of user_config.yml and rebooted. The KVM environment is easy to reboot: first evacuate the Rancher host, then virsh destroy --graceful, then virsh start… Bare metal is harder to reboot. VMware is harder to reboot. Cloud is easier to reboot but not as easy as KVM. Self-service KVM running Rancher hosts is the best environment. I guess that means colocating your own servers if you don’t have a data center; it’s still the best…

[root@rancher certs]# cat >> /var/lib/rancher/conf/cloud-config.d/user_config.yml
write_files:
- content: |+
    #!/bin/sh
    cat << _EOF_ >> /etc/ssl/certs/ca-certificates.crt
    -----BEGIN CERTIFICATE-----
    [root cert here]
    -----END CERTIFICATE-----
    _EOF_
  owner: root
  path: /opt/rancher/bin/start.sh
  permissions: "0755"

For authoring the YAML you have to indent by four spaces and cat >> this onto the end of the file. Use vi . to repeat the last indent. Then paste into cat >> running in the console.

This then authorizes you to use your own organization’s wildcard certs on a secondary subdomain, for Nexus repository (free docker registry), so that you don’t have to pay thousands for public certs.

You can also use Rancher load balancer to map to Nexus repo folder port numbers, so you have a name instead of having to remember port numbers for every repo.

Put the Nexus folder in HTTP mode for running behind secure proxy.

That’s all I can think of…
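The start.sh in the two answers above appends the PEM block to the bundle unconditionally; the script below is an added example (not from this thread or from Rancher) of an idempotent version of the same step: it refuses input that is not a complete PEM certificate block and skips the append when an identical block is already in the bundle. It assumes POSIX sh and awk; the certificate path in the usage comment is a placeholder, and the bundle path is the one the posts above use.

```shell
#!/bin/sh
# Added example, not from the thread: idempotent replacement for the
# start.sh body above. Assumes POSIX sh + awk. The cert file path is an
# assumption; the bundle path is /etc/ssl/certs/ca-certificates.crt as
# in the posts above.

# Print the first PEM certificate block in file $1, with CRs stripped.
pem_block() {
  awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
       p { sub(/\r$/, ""); print }
       /-----END CERTIFICATE-----/ { if (p) exit }' "$1"
}

# Succeed if bundle $2 already holds a block identical to the cert in $1.
bundle_has_cert() {
  [ -f "$2" ] || return 1
  want=$(pem_block "$1")
  [ -n "$want" ] || return 1
  awk -v want="$want" '
    /-----BEGIN CERTIFICATE-----/ { blk = ""; p = 1 }
    p { sub(/\r$/, ""); blk = blk (blk == "" ? "" : "\n") $0 }
    /-----END CERTIFICATE-----/ { p = 0; if (blk == want) { found = 1; exit } }
    END { exit (found ? 0 : 1) }' "$2"
}

# Append cert $1 to bundle $2 at most once.
# Returns 0 = added, 1 = already present (nothing written), 2 = bad input.
add_ca_once() {
  cert=$1; bundle=$2
  block=$(pem_block "$cert")
  case $block in
    *"-----END CERTIFICATE-----") ;;
    *) echo "refusing: $cert has no complete PEM certificate block" >&2
       return 2 ;;
  esac
  if bundle_has_cert "$cert" "$bundle"; then
    echo "skip: certificate already in $bundle"
    return 1
  fi
  # Make sure the bundle ends with a newline so blocks never run together.
  if [ -s "$bundle" ] && [ -n "$(tail -c1 "$bundle")" ]; then
    echo >> "$bundle"
  fi
  printf '%s\n' "$block" >> "$bundle"
  echo "added: $cert -> $bundle"
}

# From start.sh (cert path is a placeholder):
#   add_ca_once /var/lib/rancher/conf/my-root-ca.crt /etc/ssl/certs/ca-certificates.crt
[ $# -eq 2 ] && add_ca_once "$1" "$2"
```

For a chain file with several certificates, run it once per certificate; the helper only reads the first block.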

Hi all,
Is there any news on this point?
An easy way to load a custom root CA?

Thanks

Hi! As far as I know my response above is The Way. It is easy… this is the complete answer for Rancher 1.x; Rancher 2 I dunno yet, Kubernetes seems to require the root cert in another place as well.