Background:
I have successfully used the rancher and rancher-compose cli with a rancher server container that has no ssl and no authentication (although rancher-compose still required key).
As the above configuration is not secure for production, then tried same steps against an ssl authentication required rancher server in a container. I am unable to find any way to make this work.
After setting all the environment variables with appropriate key, secret, url, a cert error is received when attempting rancher ps: FATA[0000] Get https://:8080/v2-beta: x509: certificate is valid for localhost, , 127.0.0.1, not where is our fully qualified host name registered in DNS and is one of our internal static ips assigned to the server and is routable.
Next attempt, update the environment variable url to use the …message “says” it is valid for that cert. However it just once again provides the same error but now says the is not valid for that cert.
Third attempt, set up ssh tunnel from client to server. Set environment variable url to point to localhost:8080 (tunnel maps the local port 8080 to the externalized port of rancher server container). This results in error: FATA[0001] Get https://localhost:8080/v2-beta: x509: certificate signed by unknown authority
Finally copy cert you get when logging into rancher server ui from web browser. Place into /usr/local/share/ca-certificates and run sudo update-ca-certificates and retry the rancher ps with no affect, same error (client containing the rancher and rancher-compose cli is an ubuntu image 14.04.5).
Tried the instructions here http://rancher.com/docs/rancher/v1.6/en/installing-rancher/installing-server/basic-ssl-config/ but then realized we’re using production code for rancher 1.6.10 and not development version. Rancher server is installed on server where Docker is 1.12.6 on Ubuntu 16.04.2.
Unable to find any documentation to resolve this problem. The only thought left is to install a proxy frontend to the rancher server container that handles the cert and ssl and leave rancher not using ssl. This seems like a kludge and unnecessary extra configuration, setup, and waste of resources. What am I missing?