Using Rancher SingleNode Container Install with LetsEncrypt and Single Node Kubernetes Cluster on Same Server

Hello everyone,
As the topic already mentions, I am currently trying to set up a single node Rancher container with letsencrypt enabled on the same server on which I would also like to run a cluster. I already mapped the rancher container's https port as 8443:443. Unfortunately, I am still not able to get the ingress controller in my kubernetes install on that server up and running. The ingress complains that port 80 is already used.
I assume that this is because rancher requires port 80 for letsencrypt registration?
So my question is how could I use both together?

So in case it is not possible to have both at the same time, it would be sufficient for me to install Rancher with a custom certificate and then map port 80 to a different port as well. In that case I would still like to set up letsencrypt for my cluster on this server.
What is not clear to me is how the certificate handling currently works in rancher and whether rancher needs port 80 mapped to port 80 in case letsencrypt is not used.
Regarding certificates: If I start the rancher container, say with the UI at rancher.example.com, is the letsencrypt certificate then used for signing all cluster certificates as well, or is it just valid for the subdomain of the UI, i.e. rancher.example.com?
I am asking this because I am not sure whether it is possible to use the letsencrypt container from the rancher catalog within the cluster to obtain certificates for signing within the cluster and simply run the rancher server with a custom unsigned certificate.
Thanks for your help.
Best regards,
Christoph


Hi @cjohn001,

What is your setup underneath the rancher docker container?
The autorenew of rancher certificates within rancher is working quite well.
You might need to run your rancher docker container on custom ports like 8080 & 4443 to let your ingress use 80 & 443. What kind of Ingress do you wish to use?

@zwordi,
thanks for your time. The setup is a virtual root server from netcup. On top of it I have installed the latest RancherOS. As mentioned, I would like to run Rancher Server and the Kubernetes cluster on a single root server. When I start the Rancher Server via

docker run -d --restart=unless-stopped \
  -p 80:80 -p 8443:443 \
  rancher/rancher:latest \
  --acme-domain <YOUR.DNS.NAME>

the certificate renewal with letsencrypt works fine. But when setting up the kubernetes cluster, the ingress fails due to port 80 already being in use. The documentation says under the prerequisites for using letsencrypt:

"Open port TCP/80 on your Linux host. The Let’s Encrypt http-01 challenge can come from any source IP address, so port TCP/80 must be open to all IP addresses."

Therefore I have not tried to map port 80 to a different port yet. So I expect that the http-01 challenge requires this port.

Can you help me to understand how certificate handling is managed in Rancher? What is not clear to me is why, on the one hand, I can get the certificates via the Rancher Server, which handles letsencrypt, and why, on the other hand, there is a letsencrypt chart in the rancher catalog as well. If the one is for the server and the other option is for the cluster, this would make sense to me. But if the Rancher Server handles certificates for the clusters, then I do not understand what the chart is good for. Can you explain how the ingress obtains the certificates?

What kind of Ingress do you wish to use?
I am speaking about the default ingress controller which is installed in the System namespace if one sets up a default cluster via the Custom option in Rancher. It is nginx.


Yes, you can’t do both together (with one public IP) because they both need port 80.

They are two separate things because the management server and the clusters you create with it are unrelated as far as this is concerned. You have one server but typically multiple clusters.

If you want to combine them you can follow the HA instructions (but add --set replicas=1), which creates a cluster and then installs rancher as a deployment inside it and uses a single ingress/cert-manager/port to get traffic in to the management server and user services.


Hello Vincent, thanks a lot.

@cjohn001, I agree with @vincent; if you have only one public IP, maybe you could try the dns-challenge rather than the http challenge. It may help you with your tasks.

@vincent I’ve run into this same issue and was wondering, would parameterizing the “http-listen-port” in the entrypoint script make this possible, so that the container port can match the host port on something other than port 80? https://github.com/rancher/rancher/blob/f5efdf62a9b941c847ac77e7b00bdb6de29fcf28/package/entrypoint.sh#L4
If so, I could make a PR for it.

If you don’t care about server letsencrypt, just run the server on an alternate port and forget about 80. docker run -p 444:443 ... rancher/rancher

If you do, you… can’t. You have two separate things (rancher and nginx-ingress containers) which both want 80 and 443. Both can’t have it (on one IP).

You can run the rancher server container on different ports and keep 80/443 free for nginx and that works fine, but then you cannot use the letsencrypt support in the server container.

What you’re looking at is the inside of the container, which you don’t need to edit; you could just do -p 81:80 if you want it to not use public port 80. But this doesn’t help anything; you might as well just not publish container port 80 at all, because the letsencrypt challenge requires exactly port 80 (for good reason). The only other use for it is redirecting to https, and nobody is going to seek out the wrong port to find the ssl one.

@vincent Thanks for confirming. I assumed that the letsencrypt acme challenge could be reconfigured to use an arbitrary port instead of port 80, and that the problem was due to the mismatch between the container’s internally assumed http port and the externally exposed port (which it has no way of knowing when we just use docker port mappings), but I guess this is not the case.

@vincent I just tried installing rancher HA to workaround this issue. However, it appears that the rancher helm chart does not support specifying an ingress path? https://github.com/rancher/rancher/blob/bce4539c68a8fab987d6bf46e8502fffd214fd47/chart/templates/ingress.yaml#L30
I tried forcefully changing the ingress path but then the rancher app doesn’t seem to be able to resolve its files, even with a path rewrite.

This means that even with an HA setup, it’s not possible to run a custom app in the root path and run rancher on a custom path (say https:///rancher) for example and thus have letsencrypt work for both?

You don’t need to, and really shouldn’t, have rancher as the same domain name as your application(s). Use a separate (sub-)domain.

Thanks for the suggestion - that should work.

I tried this, but wasn’t able to get cert-manager and letsencrypt working.

Do you have a deployment script that installs a Rancher HA with letsencrypt using cert-manager?

I’ve been documenting this over on github, https://github.com/rancher/rancher/issues/25827

With no luck so far. I don’t understand cert-manager yet, and it hasn’t been a straightforward install of it.
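As an added example (not from this thread, nor Rancher's own chart), this is the single-node layout Vincent describes: one nginx ingress owns host ports 80/443, and cert-manager completes the http-01 challenges through that same ingress for a user app on its own subdomain, separate from the Rancher hostname. It assumes Rancher was installed into the cluster with its Helm chart (--set replicas=1, --set hostname=rancher.example.com, --set ingress.tls.source=letsEncrypt) and that cert-manager is already installed; letsencrypt-prod, admin@example.com, app.example.com and myapp are placeholders.

```yaml
# Added example, not part of the thread. Single-node layout: nginx ingress holds
# host ports 80/443; cert-manager completes http-01 challenges through it.
# Assumed placeholders: letsencrypt-prod, admin@example.com, app.example.com, myapp.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # Let's Encrypt production endpoint; use the staging endpoint while testing
    # to avoid production rate limits.
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com
    privateKeySecretRef:
      name: letsencrypt-prod-account-key
    solvers:
      - http01:
          ingress:
            # The challenge response is served through the same nginx ingress,
            # so it arrives on port 80 without a second listener on the host.
            class: nginx
---
# A user application on its own subdomain, kept separate from rancher.example.com.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myapp
  namespace: default
  annotations:
    # cert-manager watches this annotation and requests a certificate for the
    # hosts listed under spec.tls, storing it in secretName.
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - app.example.com
      secretName: app-example-com-tls
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: myapp
                port:
                  number: 80
```

Both rancher.example.com and app.example.com must resolve to the node's public IP; the Rancher chart issues the certificate for its own hostname, so this ClusterIssuer only has to serve the user services.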