Re-registering rancher-agent with HTTPS?

Hello all,

I’m upgrading our Rancher Server to use TLS/SSL, and will eventually have a HA Proxy with SSL Termination.

Our old command to register custom hosts used http:

docker run -d --privileged -v /var/run/docker.sock:/var/run/docker.sock -v /var/lib/rancher:/var/lib/rancher rancher/agent:v1.1.0 http://node1.example.org:8080/v1/scripts/abcdef:12345

I’m trying to convert this to use TLS/SSL and https://

docker run -d --privileged -v /var/run/docker.sock:/var/run/docker.sock -v /var/lib/rancher:/var/lib/rancher rancher/agent:v1.1.0 https://node1.example.org/v1/scripts/abcdef:12345

But I need to mount the TLS certificates, and possibly the CA cert. How can I do this from the agent?

Without the Certs, the Rancher Agent fails to connect to the https url. The logs say:

INFO: Running Agent Registration Process, CATTLE_URL=https://node1.example.org/v1
INFO: Attempting to connect to: https://node1.example.org/v1
ERROR: https://node1.example.org/v1 is not accessible
ERROR: https://node1.example.org/v1 is not accessible
ERROR: https://node1.example.org/v1 is not accessible

Any progress on this issue? I have the same problem.

Is this what you’re looking for?
http://rancher.com/docs/rancher/v1.6/en/installing-rancher/installing-server/basic-ssl-config/#using-self-signed-certs-beta

Adding my CA Cert to /var/lib/rancher/etc/ssl/ca.crt did work. In fact, I used this just last week.

The documentation says “Self signed certificates”, and these are actually not self-signed certs but are certs from GoDaddy, and should be included in the CA certificate store on most major OSes.

In December, I had actually loaded the CA into the container through a different path under /etc/ssl and it worked. However, I forget the details. :frowning:

GoDaddy’s root, but not intermediates (GD or sf_bundle…), are in typical distro ca-certificates. Needing to put it in the agent suggests your ssl termination device is not offering it up like it should be.
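To tell the two cases apart before copying a CA file onto every host, here is a small POSIX sh check I am adding as an example (it is not from anyone in this thread or from Rancher). It feeds the output of `openssl s_client -showcerts` through two parsers and maps the OpenSSL verify code to a verdict: an incomplete chain is a fault at the SSL termination device, while a private or self-signed CA is the case the documented /var/lib/rancher/etc/ssl/ca.crt mount is for. The host name and sample output are constructed.

```shell
#!/bin/sh
# Added example: classify why an agent host cannot validate a Rancher HTTPS endpoint.

# Number of certificates the server presented (stdin = s_client -showcerts output).
count_chain_certs() {
  grep -c 'BEGIN CERTIFICATE' || true   # grep exits 1 on zero matches; still prints 0
}

# Numeric "Verify return code" from s_client output on stdin (empty if absent).
verify_result() {
  sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n 1
}

# Map an OpenSSL X509 verify code to an actionable verdict.
chain_verdict() {
  case "$1" in
    0)     echo "ok" ;;                 # nothing to mount; agent should connect
    20|21) echo "incomplete-chain" ;;   # leaf only / no local issuer: fix the terminator's bundle
    18|19) echo "private-ca" ;;         # self-signed or private CA: mount ca.crt into the agent
    *)     echo "unverified(${1:-none})" ;;
  esac
}

# Live probe of host[:port]; needs network and openssl on the checking machine.
probe_endpoint() {
  host=$1; port=${2:-443}
  out=$(openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null)
  printf 'certs presented: %s\n' "$(printf '%s\n' "$out" | count_chain_certs)"
  chain_verdict "$(printf '%s\n' "$out" | verify_result)"
}

# Constructed s_client output for a terminator that sends only the leaf certificate.
SAMPLE_OUTPUT='---
Certificate chain
 0 s:CN = node1.example.org
-----BEGIN CERTIFICATE-----
MIIB_CONSTRUCTED_PLACEHOLDER
-----END CERTIFICATE-----
---
    Verify return code: 21 (unable to verify the first certificate)'

# Offline demonstration on the constructed sample; prints the verdict.
demo_sample() {
  chain_verdict "$(printf '%s\n' "$SAMPLE_OUTPUT" | verify_result)"
}

if [ -n "${1:-}" ]; then probe_endpoint "$1" "${2:-443}"; else demo_sample; fi
```

Run it with no arguments to see the offline sample, or pass the Rancher server host name to probe the real endpoint.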