Closed HTMLGuyLLC closed 2 years ago
Terraform destroy and rebuild didn't fix it. Getting same error. Can't bypass the security error and set to trust the cert in my browser or in keychain access.
SUPER HACKY, but I was able to get it working (sorta) by editing aws/infra.tf and changing rancher_server_dns to my own subdomain and setting up a CNAME that (quickly during deployment) matches the AWS name for my rancher server. Now I've got a self-issued cert?? "Kubernetes Ingress Controller Fake Certificate". At least I'm able to bypass this security warning in chrome and actually get to Rancher, but what a mess.
Ok, that was premature. I can access the rancher ec2 instance and UI, but it never finishes creating the test pool and times out on module.rancher.common.rancher2_boostrap.admin: Still creating... What's strange is it says it can't access /ping, but I was able to go to it just fine... perhaps it's because of the self-signed cert.
Any updates? How to fix it in terraform?
Add the following to helm_release.rancher_server in https://github.com/rancher/quickstart/blob/master/rancher-common/helm.tf#L29:

```hcl
# Switch the Rancher ingress from the default self-signed certificate to Let's Encrypt.
set {
  name  = "ingress.tls.source"
  value = "letsEncrypt"
}

# Contact address registered with Let's Encrypt (expiry notices go here).
set {
  name  = "letsEncrypt.email"
  value = "my@email.com"
}
```
Any solutions to this? I am having the same problem. I can use the rancher_server_url in safari after bypassing the certificate warning, but not in chrome at all.
What would be even better would be if I could use an nginx ingress to assign my own domain name hosted on AWS.
As stated in the readme, these modules are just meant for quick evaluations. Thus not everything is set up highly available according to best practices. For example, this module uses the wildcard DNS service xip.io to get a publicly resolvable hostname for Rancher. You can't get valid Let's Encrypt certificates for xip.io domains. That's why this module uses a self-signed certificate that was issued by cert-manager's own CA. Of course browsers do not know and rightfully do not trust this CA. You usually can skip the TLS warning. Sometimes this is not possible in Chrome, but you can still bypass it by typing "thisisunsafe", see https://miguelpiedrafita.com/chrome-thisisunsafe.
For a production setup, you would of course set up Rancher highly available, put a LB in front of it, point your own DNS entry to this LB and you would use a trusted certificate.
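To make the point above concrete, here is an added example (not code from the rancher/quickstart repo or from any commenter) that rebuilds the same trust situation locally with openssl: a private CA standing in for cert-manager's self-signed issuer, a leaf certificate for an xip.io-style hostname signed by it, and then two verifications. The first, against the system trust store only, is what a browser does and fails; the second, with the private CA supplied explicitly, is what you get after exporting that CA and trusting it yourself. The CA name, the hostname and the 30-day lifetimes are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example: reproduce a cert-manager style self-signed CA chain locally and
# show why a browser rejects it. The names below are illustrative assumptions.
set -e

WORK=$(mktemp -d)

make_chain() {
  # 1. Private CA, standing in for cert-manager's self-signed issuer.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=cert-manager-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1

  # 2. Leaf certificate for the xip.io-style Rancher hostname, signed by that CA.
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=rancher.203.0.113.10.xip.io" \
    -keyout "$WORK/rancher.key" -out "$WORK/rancher.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/rancher.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 30 -out "$WORK/rancher.crt" >/dev/null 2>&1
}

# What the browser does: chain-build against the system trust store only.
# Prints "untrusted" because nothing there signed cert-manager-ca.
verify_without_ca() {
  if openssl verify "$WORK/rancher.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo untrusted
  fi
}

# What you do after exporting cert-manager's CA and trusting it explicitly.
# Prints "ok": the leaf chains to a root you chose to trust.
verify_with_ca() {
  if openssl verify -CAfile "$WORK/ca.crt" "$WORK/rancher.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo untrusted
  fi
}

# Who issued the leaf, which is the first thing to check when the browser
# shows a cert you did not expect (e.g. the ingress controller's fake cert).
leaf_issuer() {
  openssl x509 -in "$WORK/rancher.crt" -noout -issuer | sed 's/^issuer=//'
}

make_chain
echo "issuer: $(leaf_issuer)"
echo "system trust store: $(verify_without_ca)"
echo "with private CA:    $(verify_with_ca)"
```

The same `openssl verify -CAfile` check is how to confirm that the CA you extracted from the cluster really is the one that signed what the ingress serves; if the issuer printed is not cert-manager's CA, you are looking at a different certificate (such as the ingress controller's default fake one), and trusting the cert-manager CA will not help.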
Well I feel silly. The instructions for using an nginx ingress on AWS were right here - https://rancher.com/docs/rancher/v2.x/en/installation/install-rancher-on-k8s/amazon-eks/
I'm closing this issue. The TLS warning is expected because this module uses self-signed certificates.