Hi all,
I have an existing Rancher Server with a number of Rancher Agents running on custom hosts. I’d like to upgrade my Rancher cluster to use SSL.
I’ve installed an NGINX container which uses SSL and which sits in front of the Rancher Server, which I created per "Installing Rancher Server With SSL". I can reach my Rancher Server over SSL from my workstation and using curl from a Docker host.
My questions:
How do I re-register my Rancher Agents with the new https:// URL? Should I be able to re-run the command via Infrastructure > Hosts > Add Host? Do I delete the old agents and start up a new agent?
Do I need to include the CA cert? How would I do that?
How can I tell that an Agent is now connected to the Rancher Server via https?
I ask, because simply re-running the new host registration command using the new https:// URL isn’t working.
-= Stefan
Is this a self-signed certificate? Assuming a public certificate, all you’ll need to do is run that new add host command. No need to kill the old agents.
If you're using self-signed certificates, follow the instructions to add the CA cert to your hosts:
http://docs.rancher.com/rancher/v1.3/en/installing-rancher/installing-server/basic-ssl-config/#using-self-signed-certs-beta
This is a public certificate, but it’s from GoDaddy, and some systems sometimes need an intermediate CA cert to be provided.
When I try to run the new Docker command, it fails with a vague error. Any idea what this means?
```
[root@docker01 ~]# docker run -d --privileged -v /var/run/docker.sock:/var/run/docker.sock -v /var/lib/rancher:/var/lib/rancher rancher/agent:v1.1.2 https://rancher.example.org/v1/scripts/123:456:ABCD
123456ABCEDFG
[root@docker01 ~]# docker ps -a |grep rancher/agent
9309284fe5b6 rancher/agent:v1.1.2 "/run.sh https://ranch" 8 seconds ago Exited (1) 1 seconds ago
[root@docker01 ~]# docker logs 9309284fe5b6
Updating certificates in /etc/ssl/certs...
WARNING: rancherAddedCA.pem does not contain a certificate or CRL: skipping
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
INFO: Running Agent Registration Process, CATTLE_URL=https://rancher.example.org/v1
INFO: Attempting to connect to: https://rancher.example.org/v1
INFO: https://rancher.example.org/v1 is accessible
Traceback (most recent call last):
  File "./resolve_url.py", line 9, in <module>
    r = requests.get(url)
  File "/usr/local/lib/python2.7/dist-packages/requests/api.py", line 70, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/api.py", line 56, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 488, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 609, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/adapters.py", line 497, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: unknown error (_ssl.c:2831)
curl: no URL specified!
curl: try 'curl --help' or 'curl --manual' for more information
ERROR: returned
ERROR: --- START ---
ERROR: --- END ---
ERROR: Failed to load registration env from CATTLE_URL=https://rancher.example.org/v1 ENV_URL=
ERROR: Please ensure the proper value for the Host Registration URL is set
[root@docker01 ~]#
```
My Rancher Server is running on port 51263; then I use nginx to proxy it to port 443 (proxy_pass), with http2 enabled. Chrome can browse it, no problem.
Then I copied the Let's Encrypt cert1.pem to /var/lib/rancher/etc/ssl/ca.crt and ran rancher/agent, which showed:
```
INFO: Running Agent Registration Process, CATTLE_URL=https://xxx.com/v1
INFO: Attempting to connect to: https://xxx.com/v1
INFO: https://xxx.com/v1 is accessible
Traceback (most recent call last):
  File "./resolve_url.py", line 9, in <module>
    r = requests.get(url)
  File "/usr/local/lib/python2.7/dist-packages/requests/api.py", line 70, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/api.py", line 56, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 488, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 609, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/adapters.py", line 497, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)
curl: no URL specified!
curl: try 'curl --help' or 'curl --manual' for more information
ERROR: returned
ERROR: --- START ---
ERROR: --- END ---
ERROR: Failed to load registration env from CATTLE_URL=https://xxx.com/v1 ENV_URL=
ERROR: Please ensure the proper value for the Host Registration URL is set
```
I don't know what's wrong.
| Useful | Info |
| :-- | :-- |
|Versions|Rancher `v1.2.2` Cattle: `v0.174.13` UI: `v1.2.40` |
|Access|`localauth` `admin`|
|Orchestration|`Cattle`|
|Route|`hosts.index`|
Hi All,
I use Let’s Encrypt to generate and manage our SSL certificates. We installed our Rancher in HA mode, and now it works fine. But it was impossible for us to add a host!
Terrible!
As described in this post, we met some certificate validation errors.
The logs of the rancher/agent:v1.0.2 instance are here:
Updating certificates in /etc/ssl/certs… 1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d…done.
INFO: Running Agent Registration Process, CATTLE_URL=https://<>.…
OS: Ubuntu 14.04
Steps to Reproduce: Set up nginx proxy for SSL as per Rancher documentation. Use COMODO signed wildcard certificate.
Results: Agent fails to connect. If the CA bundle path is passed into the container with -e CURL_CA_BUNDLE="/etc/ssl/mycert.ca-bundle", then it connects, but resolve_url.py blows up.
`docker run -d -e CURL_CA_BUNDLE="/etc/ssl/myserver.ca-bundle" -v /etc/ssl:/etc/ssl:ro ... rancher/agent:v0.10.0`
```
INFO: Running Agent Registration Process, CATTLE_URL=https://myserver.ca/v1
INFO: Checking for Docker version >= 1.6.0
INFO: Found Server version: 1.10.3
INFO: docker version: Client version: 1.6.0
INFO: docker version: Client API version: 1.18
INFO: docker version: Go version (client): go1.4.2
INFO: docker version: Git commit (client): 4749651
INFO: docker version: OS/Arch (client): linux/amd64
INFO: docker version: Server version: 1.10.3
INFO: docker version: Server API version: 1.22
INFO: docker version: Go version (server): go1.5.3
INFO: docker version: Git commit (server): 20f81dd
INFO: docker version: OS/Arch (server): linux/amd64
INFO: docker info: Containers: 1
INFO: docker info: Images: 1
INFO: docker info: Storage Driver: aufs
INFO: docker info: Root Dir: /data/docker/aufs
INFO: docker info: Backing Filesystem: extfs
INFO: docker info: Dirs: 15
INFO: docker info: Dirperm1 Supported: true
INFO: docker info: Execution Driver: native-0.2
INFO: docker info: Kernel Version: 3.19.0-56-generic
INFO: docker info: Operating System: Ubuntu 14.04.4 LTS
INFO: docker info: CPUs: 8
INFO: docker info: Total Memory: 11.73 GiB
INFO: docker info: Name: nigel
INFO: docker info: ID: B7MO:TEDR:B5V3:BHWQ:MO4X:TONG:ER7G:WA3R:NV5Q:EXLY:4PEC:UOBI
INFO: docker info: Http Proxy:
INFO: docker info: Https Proxy:
INFO: docker info: No Proxy:
WARNING: No swap limit support
INFO: Attempting to connect to: https://myserver.ca/v1
INFO: https://myserver.ca/v1 is accessible
Traceback (most recent call last):
  File "./resolve_url.py", line 9, in <module>
    r = requests.get(url)
  File "/usr/local/lib/python2.7/dist-packages/requests/api.py", line 67, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/api.py", line 53, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 468, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 576, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/adapters.py", line 447, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: bad handshake: Error([('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)
curl: no URL specified!
curl: try 'curl --help' or 'curl --manual' for more information
ERROR: returned
ERROR: --- START ---
ERROR: --- END ---
ERROR: Failed to load registration env from CATTLE_URL=https://myserver.ca/v1 ENV_URL=
ERROR: Please ensure the proper value for the Host Registration URL is set
```
Perhaps a way to fix this would be to have resolve_url.py look for the same environment variable that the command-line curl client does, CURL_CA_BUNDLE, and use it for the optional `verify` argument of the `requests.get` call in resolve_url.py, i.e.
```python
import os
import requests
ca_path = os.environ.get('CURL_CA_BUNDLE', True)  # unset: keep default system verification
r = requests.get(url, verify=ca_path)             # url as already set in resolve_url.py
```
Expected:
Successful SSL connection to the Rancher server.
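The proposal above, worked through as an added example (my code, not Rancher's resolve_url.py): the verify value is taken from CURL_CA_BUNDLE the way the curl CLI does it, and a bundle that contains no PEM certificate is rejected up front instead of being silently skipped and surfacing later as an opaque SSLError. The function names and the sample bundle are my own.

```python
"""Resolve the registration URL with verification driven by CURL_CA_BUNDLE.

Added example, not Rancher's resolve_url.py.  `requests` is imported lazily so
the bundle checks run without it installed.
"""
import os
import re

# A usable PEM bundle holds one or more of these blocks; a key file, an empty
# file or a DER blob has none, which is what the agent's
# "does not contain a certificate or CRL: skipping" warning was about.
_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S
)


def count_pem_certs(pem_text):
    """Number of certificate blocks in a PEM bundle (0 means unusable)."""
    return len(_PEM_CERT.findall(pem_text))


def verify_setting(environ=os.environ):
    """Value for requests' verify=: the CURL_CA_BUNDLE path, or True (system
    trust store) when it is unset.  A bundle without any certificate raises
    here, with the path in the message, rather than failing the handshake."""
    path = environ.get("CURL_CA_BUNDLE")
    if not path:
        return True
    with open(path) as fh:
        if count_pem_certs(fh.read()) == 0:
            raise ValueError("%s does not contain a PEM certificate" % path)
    return path


def resolve_url(url, environ=os.environ):
    """Follow redirects from the registration URL and return the final URL,
    as resolve_url.py does, verifying against the bundle from the environment."""
    import requests  # local import: the checks above need no third-party code
    r = requests.get(url, verify=verify_setting(environ))
    r.raise_for_status()
    return r.url
```

Run it inside the agent container with the same `-e CURL_CA_BUNDLE=... -v /etc/ssl:/etc/ssl:ro` flags shown above; an empty or non-PEM bundle now fails with the offending path instead of "certificate verify failed".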
I set up a Rancher server behind an AWS ELB with SSL. I followed the instructions on the basic-ssl-config page. Accessing Rancher via the web browser works fine, and looking in the console I even see a socket open, so I am fairly confident the config on the ELB is correct. The issue is that when trying to add an agent I keep getting the following error:
ERROR: https://rancher.myhost.com/v1 is not accessible
Running a curl request gives me the following error:
SSL certificate problem: unable to get l…
Lots of potential solutions, I did not have enough time to try them all, I am still blocked.