# harvester
t
Did you add the CA to harvester?
under settings --> Additional CA
f
Should I just upload the same cacert as in ssl-certificates?
t
Yes, and any root or intermediate Cloudflare gave you.
f
I only got private and public certificates from Cloudflare. Is it the public certificate, or?
Certificates are a difficult topic for me.
t
Add the Certificate Authority (CA), which is either a root or an intermediate. Add both if you have them.
t
YES
RSA version
f
Even if my Origin Server certificates are using ECC?
t
Try that one, it shouldn't make a difference.
f
Didn't work out. I am wondering if it has to do with the Caddy certificates, which are using the Cloudflare extension: github.com/caddy-dns/cloudflare. My configuration in Caddy looks like this:
```caddyfile
https://*.example.com {
    tls {
        # DNS-01 challenge via the caddy-dns/cloudflare module
        dns cloudflare CLOUDFLARE_TOKEN
        resolvers 1.1.1.1
    }

    import *.caddy

    # Named matchers and handle blocks belong inside the site block
    @harvester host harvester.example.com
    handle @harvester {
        reverse_proxy https://10.10.10.10 {
            transport http {
                # the upstream (Harvester) certificate is not verified
                tls_insecure_skip_verify
            }
        }
    }

    @rancher host rancher.example.com
    handle @rancher {
        reverse_proxy https://rancher {
            transport http {
                # the upstream (Rancher container) certificate is not verified
                tls_insecure_skip_verify
            }
        }
    }
}
```
My Rancher is deployed using Docker Compose:
```yaml
services:
  rancher:
    image: rancher/rancher:latest
    container_name: rancher-server
    restart: unless-stopped
    # the rancher/rancher image requires a privileged container
    privileged: true
    # ports:
    #   - "8443:443"
    networks:
      - reverseproxy-nw
    volumes:
      - rancher-data:/var/lib/rancher
      # server certificate, private key and CA chain served by Rancher
      - ./certs/cert.pem:/etc/rancher/ssl/cert.pem
      - ./certs/key.pem:/etc/rancher/ssl/key.pem
      - ./certs/cacerts.pem:/etc/rancher/ssl/cacerts.pem

volumes:
  rancher-data:
```
cacerts.pem is the root certificate which I've linked to earlier. Harvester has ssl-certificates with the same certificates as Rancher; `cacerts` in Harvester is also the same root certificate. Harvester has additional-ca where it is the same root certificate as `cacerts`.
Hope this gives an idea of how the setup is. These certificates are Origin Server certificates from Cloudflare, and they have the hosts:
`example.com *.example.com`
Going to https://rancher.example.com/v3/settings/cacerts gives me the same value as cacerts.
This has troubled me for days. Considering using the insecure option to connect Harvester to Rancher 😄
t
That may not have the root included.
Why do you have Caddy when Rancher wants to terminate TLS?
f
I am using Caddy so that I can use an FQDN.
t
OH, you are running it in Docker. That is not a good idea long term. Is Caddy running on the same Docker node as Rancher?
It is not that hard to run Rancher on RKE2 (Kubernetes) directly:

https://youtu.be/ONes6pv_9J4

OR just use a Harvester add-on for Rancher vCluster:

https://youtu.be/pHttkWS0pPo

f
Yea, I might migrate to another solution, but didn't find a better way yet. I am running those two on a small VPS (4c 4GB). They're not running on the same Docker node, but on the same network. I am not familiar with vCluster, is that a paid service?
t
Nope, it is free, watch the video. lol
f
I am on the phone atm. But will watch it once I am back on the PC. Will there be any videos about more advanced setup of Harvester like logging, storage and network setup, eventually with VLANs? Would be nice.
I've managed to get Rancher working with vCluster, which is nice! But after trying to create a cluster with Harvester, I got the same issue.... After investigation, it seems like Origin Server certificates are not trusted by clients and are meant to be used between the client and Cloudflare instead. Do you think that this is the issue?
The one Caddy is creating is with Let's Encrypt, which is valid. But Rancher is not pointing to that certificate, and I am not sure how I can reuse the same certificate without manually changing it every time it changes.
t
The cert thing makes sense. Have you looked at Let's Encrypt?
f
Yea, the Caddy configuration I've posted above is using Let's Encrypt by default. But the thing is that I can't retrieve the certificates. Even if I could, I would have to manually insert them into both Harvester and Rancher every time they change (within 90 days). Is there a way to automatically set the certificates in both Harvester and Rancher from Let's Encrypt?
t
Actually, Rancher is the only one that needs valid certs. I bought a legit wildcard cert and have been using that for a while now. *.rfed.io
f
Do you use that one on rancher too?
After a loooooong battle, I managed to get it working. So currently I am running Rancher on the Docker image as before, as it has the latest version of Rancher compared to the vCluster, but I will take a look at running it in Kubernetes instead at some point. I got the certificates directly from Caddy and put them into both Harvester and Rancher. Did also add cacerts (root certificate) from Let's Encrypt into Rancher. What I am afraid of now is that when the certificates get renewed, I will have to update those environments too, which will be a pain in the ... If anyone knows a better way to handle this kind of stuff, please let me know!
t
There is no better way. This is enterprise IT. 😄
f
I hate my hobby.
jk 😄
t
lol. That is why I have as little home lab as possible, and I try to automate everything.