Switch to Let's Encrypt

Ground point:

  • I have an nginx host, 10.1.1.1, with public IP 1.1.1.1
  • rancher host, 10.2.2.2 with public IP 2.2.2.2
  • single node rancher install
  • rancher server_url is https://10.2.2.2
  • DNS A record control.example.com -> 1.1.1.1
  • nginx server rule, with upstream to 2.2.2.2
  • Let’s Encrypt cert installed on nginx for control.example.com
  • k8s cluster created with rancher

Setup worked fine and was in production some time.

I’ve decided to move from the nginx proxy directly to rancher. I changed the DNS record for control.example.com to 2.2.2.2. Obviously, I’ve got an issue with the TLS cert.
I modified the container like this:

sudo docker run --name=new-rancher -d \
    --volumes-from old-rancher --restart=unless-stopped -p 80:80 -p 443:443 \
    rancher/rancher:v2.2.8 \
    --acme-domain control.example.com

The container started successfully, and in the web browser I see that everything works with the new certs. But my k8s cluster lost its connection to rancher. In the UI I got this message:
“This cluster is currently Unavailable; areas that interact directly with it will not be available until the API is ready”

And in docker logs new-rancher I got errors:
“TLS handshake error from x.x.x.x:53090: remote error: tls: bad certificate” where x.x.x.x are the IP addresses of the k8s nodes.

To mitigate the issue, I restored from backup, like this.

docker run  --volumes-from new-rancher -v $PWD:/backup \
    alpine sh -c "rm /var/lib/rancher/* -rf  && \
    tar zxvf /backup/backup.tar.gz"

sudo docker run --name=restored-rancher -d --volumes-from new-rancher \
    --restart=unless-stopped -p 80:80 -p 443:443 \
    rancher/rancher:v2.2.8

In this way, I restored the connection to my cluster.

And, there is a question after such a cool story.
How should I migrate the Web UI from the nginx proxy to rancher directly, and how can I migrate to Let’s Encrypt certs in rancher without affecting the attached k8s cluster?
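A "tls: bad certificate" alert is the node telling the server it rejected the server's certificate, so the agents on the k8s nodes are still trusting the CA they were enrolled with and not the new Let's Encrypt chain. The following is an added diagnostic, not part of the original post: it checks whether a certificate (the one currently served, or the one you intend to serve) would verify against a given CA bundle, so the break can be seen before DNS is cut over. The CA bundle path is an assumption; the hostname comes from the post.

```shell
#!/bin/sh
# Added diagnostic, not from the original post: checks whether the certificate a Rancher
# endpoint serves would be accepted by agents that trust a given CA bundle.

# SHA-256 fingerprint of the first certificate in a PEM file, e.g. "AB:CD:...".
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Succeeds (exit 0) when the certificate in $2 verifies against the CA bundle in $1.
cert_chains_to_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Save the leaf certificate currently served by host ($1) on port ($2) into the file $3.
fetch_served_cert() {
  printf '' | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null |
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$3"
}

# Print OK or MISMATCH for a CA bundle ($1) and a certificate file ($2); returns 1 on MISMATCH.
check_cert_against_ca() {
  if cert_chains_to_ca "$1" "$2"; then
    echo "OK: $(cert_fingerprint "$2") is issued by a CA in $1"
  else
    echo "MISMATCH: $(cert_fingerprint "$2") is not issued by any CA in $1"
    return 1
  fi
}

# Usage by hand (assumed path for the CA the agents were enrolled with; hostname from the post):
#   tmp=$(mktemp); fetch_served_cert control.example.com 443 "$tmp"
#   check_cert_against_ca /path/to/agent-trusted-ca.pem "$tmp"
```

Run it once against the old self-signed CA and the Let's Encrypt leaf; a MISMATCH there reproduces the handshake failure the nodes logged, without touching the cluster.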