I configured the Rancher Server with an nginx proxy terminating SSL. For the server certificate I use a self-signed CA certificate (ca.crt). The https web UI access works fine because I could install on the browser client machine my self-signed ca.crt.
How would I do this for rancher server and agent? Unfortunately my hosts run CentOS 7 and not Ubuntu. Since the certificate management is different between the two, I cannot just mount /etc/ssl/certs and /usr/share/ca-certificates into the agent or server container.
The server container also seems to need the certificate because the server tries to create the event router by connecting through the nginx proxy: time="2015-09-25T21:36:43Z" level=error msg="Unable to create event router" error="Get https://XXXXXX:8765/v1: x509: certificate signed by unknown authority"
The only path I could come up with is to extract the /etc/ssl/certs and /usr/share/ca-certificates contents from the agent/server container to the host, add my ca.crt with update-ca-certificates, and mount the modified directories at container start. Is there perhaps a less tedious and more elegant way to do this?
Pulling the regular Ubuntu container, adding the self-signed ca.crt to /usr/share/ca-certificates, appending a ca.crt line to /etc/ca-certificates.conf, running update-ca-certificates, extracting /etc/ssl/certs and /usr/share/ca-certificates from the container into tar files with 'docker export', expanding the tars on the host, and mounting them in the rancher server and agent container replacing the original directories seems to work.
However, unfortunately the rancher-agent needs the self-signed CA appended to /usr/local/lib/python2.7/dist-packages/requests/cacert.pem. Since this file is next to the package python code, extracting the package code to the host and mounting it back would be very "hacky". It would be nice if the run.sh in the agent would just read custom certs from some mounted directory and install them itself.
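A scripted version of the trust-directory build described above, added here as an example; it is not code from the thread or from Rancher. It registers the CA in a throwaway ubuntu:14.04 container and streams the two resulting directories to the host as a tar instead of using docker export, and it bind-mounts the generated ca-certificates.crt over the agent's requests cacert.pem so the python package itself never has to be copied out. The output directory, the ubuntu:14.04 image, apt network access, and that the agent accepts a bundle mounted at that path are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: build Ubuntu-style trust directories
# containing a custom CA and print the docker bind-mount flags that put them
# at the same paths inside the rancher server/agent containers.
# Assumptions: docker + apt network access; output dir chosen by the caller;
# requests bundle path is the one quoted in the thread.
set -eu

# update-ca-certificates only picks up files ending in .crt, so work out the
# name the CA will carry inside /usr/share/ca-certificates (ca.pem -> ca.crt).
cert_name() {
  local n; n=$(basename "$1")
  case "$n" in *.crt) printf '%s' "$n" ;; *) printf '%s.crt' "${n%.*}" ;; esac
}

# Bind-mount flags replacing the container trust store and the python-requests
# bundle; :ro so nothing inside the container can alter the trusted CA set.
mount_flags() {           # mount_flags <out-dir>
  printf -- '-v %s/etc/ssl/certs:/etc/ssl/certs:ro ' "$1"
  printf -- '-v %s/usr/share/ca-certificates:/usr/share/ca-certificates:ro ' "$1"
  printf -- '-v %s/etc/ssl/certs/ca-certificates.crt:%s:ro' "$1" \
    /usr/local/lib/python2.7/dist-packages/requests/cacert.pem
}

# Register the CA inside a throwaway Ubuntu container and stream the two
# directories back as a tar (symlinks in etc/ssl/certs point at absolute
# /usr/share/ca-certificates paths, which resolve once mounted in a container).
build_trust_dirs() {      # build_trust_dirs <ca-file> <out-dir>
  local name ca; name=$(cert_name "$1")
  ca=$(cd "$(dirname "$1")" && pwd)/$(basename "$1")
  mkdir -p "$2"
  docker run --rm -v "$ca:/tmp/$name:ro" ubuntu:14.04 sh -ec "
    apt-get -qq update && apt-get -qq install -y ca-certificates >/dev/null
    cp /tmp/$name /usr/share/ca-certificates/$name
    grep -qxF '$name' /etc/ca-certificates.conf || echo '$name' >> /etc/ca-certificates.conf
    update-ca-certificates >/dev/null
    tar -C / -cf - etc/ssl/certs usr/share/ca-certificates" | tar -C "$2" -xf -
  # update-ca-certificates links <name>.pem in /etc/ssl/certs; fail if it is absent.
  [ -L "$2/etc/ssl/certs/${name%.crt}.pem" ] || { echo "CA not registered" >&2; return 1; }
}

# Usage: ./rancher-ca.sh ca.crt /opt/rancher-ca ; paste the printed flags into
# the docker run command for rancher/server and rancher/agent.
if [ "$#" -eq 2 ]; then
  build_trust_dirs "$1" "$2"
  mount_flags "$2"; echo
fi
```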
Hey Dave! I was wondering if I could get access to the SSL certs page too; this is something I need to integrate with an SSL provisioning API I have running in a container! Many thanks.