[Question] internal network and adding new cluster nodes. #868

Closed
Mikuz opened this issue Oct 21, 2020 · 2 comments

Mikuz commented Oct 21, 2020

Hello there,

I'm running CapRover on my company's internal network, and I'm loving it.
I now need to add a second node to the cluster, and ran into some problems:

  1. "Cannot add more nodes as no default push registry is set. To add more nodes and create a cluster, you first need to add a docker registry and set it as the default push registry." - OK, this is clear, moving on, let's make a registry.
  2. When I want to add CapRover's self-hosted docker registry I get: "1108 : Root must have SSL before enabling ssl for docker registry." - OK, let's get certs.
  3. Using "Enable HTTPS" from the dashboard (Let's Encrypt) returns an error:

1107 : Unexpected output when enabling SSL forcaptain.cld1.XXXCOMPANYXXX.pl with ACME Certbot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for captain.cld1.XXXCOMPANYXXX.pl
Using the webroot path /captain-webroot/captain.cld1.XXXCOMPANYXXX.pl for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. captain.cld1.XXXCOMPANYXXX.pl (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://captain.cld1.XXXCOMPANYXXX.pl/.well-known/acme-challenge/qHG9Co6_yjKOA5DVZ9kVSs2b2FBWCRS5wlfTFcZl5IE [94.152.49.65]: "\n\n<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-2">\n<TITLE>\n(none)\n</TITLE>\n\n<BODY BGC"

IMPORTANT NOTES:
 - The following errors were reported by the server:
   Domain: captain.cld1.XXXCOMPANYXXX.pl
   Type:   unauthorized
   Detail: Invalid response from http://captain.cld1.XXXCOMPANYXXX.pl/.well-known/acme-challenge/qHG9Co6_yjKOA5DVZ9kVSs2b2FBWCRS5wlfTFcZl5IE [94.152.49.65]: "\n\n<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-2">\n<TITLE>\n(none)\n</TITLE>\n\n<BODY BGC"

   To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.

If I understand this correctly, it fails to get certs because my deployment is on an internal network and Let's Encrypt cannot challenge my CapRover instance.

So what should I do to add a node to this cluster? Deploy my instance to the internet for a moment to get challenged by Let's Encrypt and get certs? Or maybe a more manual solution like #775 (comment) or #265?

Data:
  Type: Leader (Main Node)
  IP: 127.0.0.1
  State: ready
  Status: active
  RAM: 3.82 GB
  OS: linux
  CPU: 2 cores
  Architecture: x86_64
  Hostname: XXX
  Docker Version: 19.03.8

Mikuz added the question label Oct 21, 2020
githubsaturn (Collaborator) commented Oct 21, 2020

If I understand correctly, your instance cannot be accessed from outside. Right? In that case, the short answer is "CapRover doesn't work with the cluster option without valid SSL". Here is why:

  • To work with a cluster, when the image is built on the main node, the other nodes need the same image as well.
  • To make the image available to all nodes, you need a docker registry.
  • Docker registry by default works only with valid SSL certificates. In theory, you can create a self-signed certificate and make it a trusted certificate, but this is not easy and requires lots of manual work.

To create a cluster, you need to get a public IP for the server and port-forward the CapRover-related ports to your server.

@golyalpha

Hey, @Mikuz, I guess it's been a while and you guys have already figured out how to fix your problem, but just in case:

Since you said you're on a corporate network, I'm going to assume that you (either directly or through someone else) have some way of issuing internal-use certificates for internal servers and employees (mutual TLS, cert-based login, ...; the advantages are really too many to list IMO). If you don't, FreeIPA has you covered.

Either way, what you would have to do is issue an internal certificate for your registry (unless you want to expose it to the internet and get a global certificate for it), then get the internal CA certificate and add it to the Docker nodes' certificate trust lists.

The reason you want to add the CA certificate to the trust lists, and not the certificate for your registry, is so you can change out the registry certificate as needed without having to manually update the trust lists of all the Docker nodes you might have at the time.
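One way to carry out the trust step that golyalpha describes (and the "make it a trusted certificate" step githubsaturn mentions) on each Docker node, as an added example that is not code from the CapRover project or from anyone in this thread. Docker reads per-registry CA files from /etc/docker/certs.d/<host>:<port>/ca.crt, so only the internal CA certificate, never the registry's own leaf certificate, has to be distributed. The registry name registry.example.internal:443 is a placeholder, and the DOCKER_CERTS_ROOT override exists only so the script can be exercised in a scratch directory without root.

```shell
#!/bin/sh
# Added example (not from CapRover or this thread): trust an internal CA for a
# private Docker registry on one node by installing it under Docker's
# per-registry trust directory. DOCKER_CERTS_ROOT is an assumed override used
# only for testing; on a real node leave it unset so the default path applies.

set -eu

# install_registry_ca <host:port> <ca.pem>
# Copies the CA certificate to <root>/<host:port>/ca.crt and prints that path.
install_registry_ca() {
    registry="$1"      # e.g. registry.example.internal:443 (placeholder name)
    ca_file="$2"       # PEM file holding the internal CA certificate
    root="${DOCKER_CERTS_ROOT:-/etc/docker/certs.d}"
    dest_dir="$root/$registry"

    # Refuse anything that is not a PEM certificate; Docker would ignore it silently.
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$ca_file"; then
        echo "refusing $ca_file: not a PEM certificate" >&2
        return 1
    fi
    # Shipping a private key alongside the CA would be a real mistake; catch it.
    if grep -q -- 'PRIVATE KEY-----' "$ca_file"; then
        echo "refusing $ca_file: contains a private key" >&2
        return 1
    fi

    mkdir -p "$dest_dir"
    cp "$ca_file" "$dest_dir/ca.crt"
    chmod 0644 "$dest_dir/ca.crt"      # public material, world-readable is fine
    echo "$dest_dir/ca.crt"
}

# registry_ca_installed <host:port>
# Succeeds only if a readable PEM certificate sits at the path Docker consults.
registry_ca_installed() {
    registry="$1"
    root="${DOCKER_CERTS_ROOT:-/etc/docker/certs.d}"
    ca="$root/$registry/ca.crt"
    [ -r "$ca" ] || return 1
    grep -q -- '-----BEGIN CERTIFICATE-----' "$ca"
}

# Usage on a node (as root):
#   sh trust_registry_ca.sh registry.example.internal:443 internal-ca.pem
if [ "$#" -ge 2 ]; then
    install_registry_ca "$1" "$2"
fi
```

Docker consults certs.d at connection time, so no daemon restart is needed after installing the file; if you add the CA to the operating system trust store instead, the daemon has to be restarted to see it. To confirm a node actually validates the registry against that CA before pushing, run `openssl s_client -connect registry.example.internal:443 -CAfile /etc/docker/certs.d/registry.example.internal:443/ca.crt` on the node and check for "Verify return code: 0 (ok)" in the output.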
