Self-signed root certificate (ca.crt) for rancher-agent and server?

Hi!

How can I install a self-signed CA certificate for the rancher-agent and rancher-server?

Rancher Server: v0.39.0, Cattle: v0.95.0
Rancher Agent: v0.8.2

I configured the Rancher Server with an nginx proxy terminating SSL. For the server certificate I use a self-signed CA certificate (ca.crt). The https web UI access works fine because I could install on the browser client machine my self-signed ca.crt.

How would I do this for rancher server and agent? Unfortunately my hosts run CentOS 7 and not Ubuntu. Since the certificate management is different between the two, I cannot just mount /etc/ssl/certs and /usr/share/ca-certificates into the agent or server container.

The server container also seems to need the certificate because the server tries to create the event router by connecting through the nginx proxy:

time="2015-09-25T21:36:43Z" level=error msg="Unable to create event router" error="Get https://XXXXXX:8765/v1: x509: certificate signed by unknown authority"

The only path I could come up with is to extract the /etc/ssl/certs and /usr/share/ca-certificates contents from the agent/server container to the host, add my ca.crt with update-ca-certificates, and mount the modified directories at container start. Is there perhaps a less tedious and more elegant way to do this?

Thanks,
Martin

Pulling the regular Ubuntu container, adding the self-signed ca.crt to /usr/share/ca-certificates, appending a ca.crt line to /etc/ca-certificates.conf, running update-ca-certificates, extracting /etc/ssl/certs and /usr/share/ca-certificates from the container into tar files with 'docker export', expanding the tars on the host, and mounting them in the rancher server and agent container, replacing the original directories, seems to work.

However, unfortunately the rancher-agent needs the self-signed CA appended to /usr/local/lib/python2.7/dist-packages/requests/cacert.pem. Since this file is next to the package's Python code, extracting the package code to the host and mounting it back would be very "hacky". It would be nice if the run.sh in the agent would just read custom certs from some mounted directory and install them itself.

See also this related topic: http://forums.rancher.com/t/custom-ssl-certificates/422
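The workaround Martin describes above (bake the CA into an Ubuntu trust store, export the two directories, bind-mount them into rancher/server and rancher/agent, and separately append the CA to the requests cacert.pem) as one script. This is an added example, not Rancher's tooling and not code from the thread; the image name, tag, output paths, the "rancher/" subdirectory under /usr/share/ca-certificates and the demo certificate are all assumptions. The docker steps only run when the script is invoked as `./ca-trust.sh build <ca.crt> <outdir>`; the helper functions are pure POSIX sh so they can be exercised without Docker.

```shell
#!/bin/sh
# Added example: build Debian/Ubuntu-style trust directories containing a private CA
# and mount them into the Rancher containers. Not part of the original post.
set -eu

# Write a placeholder PEM file. This is NOT a real certificate, only constructed
# sample input so the helpers below can be exercised offline.
make_demo_ca() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIDemoNotARealCertificateBodyUsedOnlyAsConstructedSampleInput00
-----END CERTIFICATE-----
EOF
}

# Append a PEM certificate to a bundle exactly once (idempotent). The first
# base64 line of the certificate is used as a marker, so re-running the script
# does not grow the bundle. Intended for the requests package's own bundle:
#   /usr/local/lib/python2.7/dist-packages/requests/cacert.pem (path from the post)
append_ca_once() {
    ca="$1"; bundle="$2"
    marker=$(sed -n '2p' "$ca")
    if [ -f "$bundle" ] && grep -qF "$marker" "$bundle"; then
        return 0
    fi
    cat "$ca" >> "$bundle"
}

# Number of certificates in a PEM bundle (0 if the file is missing).
count_certs() {
    n=$(grep -c 'BEGIN CERTIFICATE' "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

# Dockerfile that installs ca.crt the way the post does: drop it under
# /usr/share/ca-certificates, register it in /etc/ca-certificates.conf, and let
# update-ca-certificates rebuild /etc/ssl/certs (hashed symlinks + ca-certificates.crt).
write_ca_dockerfile() {
    dir="$1"; base="$2"
    cat > "$dir/Dockerfile" <<EOF
FROM $base
COPY ca.crt /usr/share/ca-certificates/rancher/ca.crt
RUN echo rancher/ca.crt >> /etc/ca-certificates.conf && update-ca-certificates
EOF
}

# Build the image, export its filesystem, and keep only the two trust directories.
# Assumes docker is installed; "ubuntu:14.04" and the "ca-trust" tag are placeholders.
build_trust_dirs() {
    ca="$1"; out="$2"; work=$(mktemp -d)
    cp "$ca" "$work/ca.crt"
    write_ca_dockerfile "$work" ubuntu:14.04
    docker build -t ca-trust "$work"
    cid=$(docker create ca-trust)
    mkdir -p "$out"
    # docker export emits relative member names, so we can pick out the two trees
    docker export "$cid" | tar -x -C "$out" etc/ssl/certs usr/share/ca-certificates
    docker rm "$cid" >/dev/null
    echo "trust directories extracted to $out"
}

# Mount flags to add to the rancher/server and rancher/agent docker run commands.
# For the agent, a single-file bind mount of a patched cacert.pem over the requests
# bundle (built with append_ca_once) is my suggestion, not something the thread tested.
mount_flags() {
    out="$1"
    printf -- '-v %s/etc/ssl/certs:/etc/ssl/certs:ro -v %s/usr/share/ca-certificates:/usr/share/ca-certificates:ro\n' \
        "$out" "$out"
}

case "${1:-}" in
    build) build_trust_dirs "$2" "$3"; mount_flags "$3" ;;
    *) : ;;   # no arguments: only define the functions (used by the checks below)
esac
```

After `build`, the printed mount flags go into the `docker run` lines for rancher/server and rancher/agent; the Go-based server reads /etc/ssl/certs/ca-certificates.crt from the mounted directory, which is why the x509 "unknown authority" error in the event-router log line goes away once that bundle contains the CA.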

I cannot access the link because of permissions.

Doh. Perhaps @denise or someone else from rancher can move that topic to the Rancher category…

I’ve moved the link to the Rancher category. @HappyUser, you should be able to click on it.

Still getting a “Sorry, you don’t have access to that topic!” for the link http://forums.rancher.com/t/custom-ssl-certificates/422 Anything specific I have to do?

@HappyUser, I just granted you access to the Beta Lounge so if you refresh your forums screen, you should be able to see this topic.

@denise @RancherDave - please can you also grant me the same access? I also cannot view that topic. Thanks!

@smaccona: There is no solution yet. See related topic on https://github.com/rancher/rancher/issues/1853

@HappyUser We have solved this (in our environment at least) with custom builds for server/agent/network agent. I detailed how we did it at https://github.com/rancher/rancher/issues/2237#issuecomment-149386553 which may be useful to you. I have added a link to that response to the other issue at https://github.com/rancher/rancher/issues/1853 as well.


Hey Dave! I was wondering if I could get access to the SSL certs page too; this is something I need to integrate with an SSL provisioning API I have running in a container! Many thanks.

@joeblackwaslike, the link from @smaccona is better (as it details all the steps to take to actually get it to a working state).