Rancher Client does not read self signed certs #6122

Closed
warroyo opened this Issue Oct 4, 2016 · 7 comments


warroyo commented Oct 4, 2016

Rancher Version:

agent: 1.0.2
server: 1.1.4

Docker Version:
1.11

OS and where are the hosts located? (cloud, bare metal, etc):
centos7

Setup Details: (single node rancher vs. HA rancher, internal DB vs. external DB)
HA cluster with 3 nodes

Environment Type: (Cattle/Kubernetes/Swarm/Mesos)
Kubernetes

I am seeing an issue when using a self-signed cert and trying to provision a Kubernetes environment. When starting the Kubernetes services, the ingress_controller is failing with level=fatal msg="Failed to create Rancher client Get https://myrancher.com/v1: x509: certificate signed by unknown authority"

I have configured the agent's /var/lib/rancher/etc/ssl/ca.crt to have the correct cert to trust. I am only seeing this issue when the ingress controller is trying to start up.

Is there a way for it to be trusted?

wlan0 (Contributor) commented Nov 29, 2016

@warroyo thanks for reporting this issue.

Unfortunately, this issue is the symptom of a bigger issue. Our rancher api client library rancher/go-rancher does not read self-signed certs. The ingress-controller uses this library to talk to the server. We'll be using this github issue to track progress on self-signed cert support for rancher api client, and subsequently all of the microservices (including ingress-controller) that use it.

@wlan0 wlan0 changed the title from Kubernetes Self signed cert to Rancher Client does not read self signed certs Nov 29, 2016

cjellick (Member) commented Nov 29, 2016

As @wlan0 stated, this affects all our microservices that communicate with the rancher API. The rancher-agent should work because we have logic in run.sh, but I haven't explicitly confirmed this.

To fix, we'd need to develop a generic routine for injecting the self-signed certs into the containers and then to configure them as part of the OS store.

wlan0 (Contributor) commented Nov 29, 2016

@cjellick, do we need to configure it as a part of the OS store? Doesn't that make it less secure?

We could just read the certs from go-rancher using this - https://gist.github.com/michaljemala/d6f4e01c4834bf47a9c4#file-tls-client-go-L37

Doesn't kubernetes work in a similar way?

cjellick (Member) commented Nov 29, 2016

Yep, that looks like it'll work. Didn't really put much thought into details of the solution. Thanks

alena1108 (Member) commented Dec 15, 2016

@StrongMonkey

As @wlan0 stated, this affects all our microservices that communicate with the rancher API. The rancher-agent should work because we have logic in run.sh, but I haven't explicitly confirmed this.

Could you double check if our rancher-agent works with self signed cert?

deniseschannon (Member) commented Dec 29, 2016

All infra services were updated in the v1.3.0-rc2 branch with updated images for this issue.

sangeethah (Member) commented Dec 30, 2016

Tested with rancher-server version - v1.3.0-rc2 using self signed certs.

rancher-server is started with the following command - sudo docker run -d --restart=unless-stopped --name=rancher-server -v <cert>:/var/lib/rancher/etc/ssl/ca.crt rancher/server:v1.3.0-rc2

It is hosted behind nginx server that acts as a reverse proxy.

On the host, certs have to be copied to /var/lib/rancher/etc/ssl/ca.crt before running the host registration URL, which will already include -v /var/lib/rancher:/var/lib/rancher

Able to add hosts successfully to "cattle" environment.
Able to get all the infrastructure stacks to start successfully.

Able to add services with health check enabled and they get to "healthy" state.

@sangeethah sangeethah closed this Dec 30, 2016
