rancher / quickstart


AWS Deployed successfully, but can't access rancher_server_url due to SSL issue #148

Closed HTMLGuyLLC closed 2 years ago

HTMLGuyLLC commented 3 years ago

[Screenshot attached: Screen Shot 2020-12-21 at 2 22 56 PM]

HTMLGuyLLC commented 3 years ago

Terraform destroy and rebuild didn't fix it. Getting same error. Can't bypass the security error and set to trust the cert in my browser or in keychain access.

HTMLGuyLLC commented 3 years ago

SUPER HACKY, but I was able to get it working (sorta) by editing aws/infra.tf and changing rancher_server_dns to my own subdomain and setting up a CNAME that (quickly during deployment) matches the AWS name for my rancher server. Now I've got a self-issued cert?? "Kubernetes Ingress Controller Fake Certificate". At least I'm able to bypass this security warning in chrome and actually get to Rancher, but what a mess.

HTMLGuyLLC commented 3 years ago

Ok, that was premature. I can access the rancher ec2 instance and UI, but it never finishes creating the test pool and times out on module.rancher.common.rancher2_boostrap.admin: Still creating.... What's strange is it says it can't access /ping, but I was able to go to it just fine...perhaps it's because of the self-signed cert.

VladimirTambovtsev commented 3 years ago

Any updates? How to fix it in terraform?

Negashev commented 3 years ago

Add to https://github.com/rancher/quickstart/blob/master/rancher-common/helm.tf#L29 helm_release.rancher_server

```hcl
  # Switch the Rancher ingress from the default self-signed certificate to Let's Encrypt
  set {
    name  = "ingress.tls.source"
    value = "letsEncrypt"
  }

  # Contact address Let's Encrypt uses for expiry notices; replace with your own
  set {
    name  = "letsEncrypt.email"
    value = "my@email.com"
  }
```

jerowe commented 3 years ago

Any solutions to this? I am having the same problem. I can use the rancher_server_url in safari after bypassing the certificate warning, but not in chrome at all.

What would be even better would be if I could use an nginx ingress to assign my own domain name hosted on AWS.

bashofmann commented 3 years ago

As stated in the readme, these modules are just meant for quick evaluations. Thus not everything is set up highly available or according to best practices. For example this module uses the wildcard DNS service xip.io to get a publicly resolvable hostname for Rancher. You can't get valid Let's Encrypt certificates for xip.io domains. That's why this module uses a self-signed certificate that was issued by cert-manager's own CA. Of course browsers do not know and rightfully do not trust this CA. You usually can skip the TLS warning. Sometimes this is not possible in Chrome, but you can still bypass it by typing "thisisunsafe", see https://miguelpiedrafita.com/chrome-thisisunsafe.

For a production setup, you would of course set up Rancher highly available, put a LB in front of it, point your own DNS entry to this LB and you would use a trusted certificate.
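A small diagnostic, added here as an example (it is not code from rancher/quickstart or from anyone in this thread), that fetches the certificate the Rancher URL serves and tells the three situations in this thread apart: ingress-nginx's fallback "Kubernetes Ingress Controller Fake Certificate" (what appeared once rancher_server_dns was changed to a custom subdomain), a certificate whose SANs do not cover the hostname being visited, and a certificate from a private CA such as cert-manager's own, which is the quickstart's expected state. The live fetch assumes the `openssl` CLI (1.1.1 or newer for `x509 -ext`) is on PATH and that the host is reachable; the two sample outputs and the issuer name `example-cert-manager-ca` are constructed, not captured from a real cluster.

```python
"""Inspect the certificate a Rancher quickstart URL serves and say why a browser rejects it.

Added example, not code from rancher/quickstart. Live fetching assumes the
`openssl` CLI (1.1.1+, for `x509 -ext`) is on PATH; parsing and
classification run offline on the constructed sample output below.
"""
import re
import socket
import ssl
import subprocess
from dataclasses import dataclass, field

# Subject/issuer CN of the fallback certificate ingress-nginx serves when no
# TLS secret matches the requested hostname (the certificate seen in the thread).
INGRESS_FAKE_CN = "Kubernetes Ingress Controller Fake Certificate"

EXPLANATIONS = {
    "ingress-default-cert": "ingress served its fallback cert: no TLS secret matches this hostname "
                            "(changing rancher_server_dns without updating the Rancher ingress does this)",
    "hostname-mismatch": "certificate SANs do not cover the hostname you are connecting to",
    "untrusted-issuer": "issuer is a private CA (e.g. cert-manager's own); expected for the quickstart, "
                        "browsers warn until that CA is trusted or ingress.tls.source is changed",
    "trusted": "chain validates against the system trust store; no warning expected",
}


@dataclass
class CertInfo:
    subject: str
    issuer: str
    subject_cn: str
    issuer_cn: str
    sans: list = field(default_factory=list)


def _cn(dn: str) -> str:
    """Pull the CN out of an openssl DN in either 'CN = x, O = y' or '/CN=x/O=y' form."""
    m = re.search(r"CN\s*=\s*([^,/]+)", dn)
    return m.group(1).strip() if m else ""


def parse_openssl_text(text: str) -> CertInfo:
    """Parse `openssl x509 -noout -subject -issuer -ext subjectAltName` output."""
    subject = issuer = ""
    for line in text.splitlines():
        if line.startswith("subject="):
            subject = line[len("subject="):].strip()
        elif line.startswith("issuer="):
            issuer = line[len("issuer="):].strip()
    sans = re.findall(r"DNS:([^,\s]+)", text)
    return CertInfo(subject, issuer, _cn(subject), _cn(issuer), sans)


def hostname_matches(hostname: str, sans: list) -> bool:
    """RFC 6125-style match: exact, or a single-label wildcard in the leftmost position."""
    h = hostname.lower().rstrip(".")
    for san in sans:
        s = san.lower().rstrip(".")
        if s.startswith("*."):
            if h.count(".") == s.count(".") and h.endswith(s[1:]):
                return True
        elif h == s:
            return True
    return False


def classify(info: CertInfo, hostname: str, trusted: bool = False) -> str:
    """Return a short diagnosis code; EXPLANATIONS maps it to a sentence."""
    if info.issuer_cn == INGRESS_FAKE_CN:
        return "ingress-default-cert"
    if not hostname_matches(hostname, info.sans):
        return "hostname-mismatch"
    return "trusted" if trusted else "untrusted-issuer"


def fetch_cert_text(host: str, port: int = 443) -> str:
    """Grab the leaf certificate with openssl s_client and print its key fields (needs network)."""
    s_client = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
        input=b"", capture_output=True, timeout=15)
    x509 = subprocess.run(
        ["openssl", "x509", "-noout", "-subject", "-issuer", "-ext", "subjectAltName"],
        input=s_client.stdout, capture_output=True, check=True)
    return x509.stdout.decode()


def chain_is_trusted(host: str, port: int = 443) -> bool:
    """True if a verifying TLS handshake against the system trust store succeeds (needs network)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLCertVerificationError:
        return False


# Constructed sample outputs (not captured from a real cluster).
SAMPLE_INGRESS_FAKE = """subject=O = Acme Co, CN = Kubernetes Ingress Controller Fake Certificate
issuer=O = Acme Co, CN = Kubernetes Ingress Controller Fake Certificate
X509v3 Subject Alternative Name:
    DNS:ingress.local
"""
SAMPLE_QUICKSTART = """subject=CN = rancher.203.0.113.10.xip.io
issuer=CN = example-cert-manager-ca
X509v3 Subject Alternative Name:
    DNS:rancher.203.0.113.10.xip.io
"""

if __name__ == "__main__":
    import sys
    host = sys.argv[1]
    info = parse_openssl_text(fetch_cert_text(host))
    code = classify(info, host, chain_is_trusted(host))
    print(f"{host}: {code} - {EXPLANATIONS[code]}")
```

Run it as `python rancher_cert_check.py rancher.<ip>.xip.io`. For an unmodified quickstart deployment the expected result is `untrusted-issuer`, which is the warning the comment above describes; `ingress-default-cert` means the ingress never matched the hostname and the Rancher certificate was not served at all, which is a configuration problem rather than a trust problem.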

jerowe commented 3 years ago

Well I feel silly. The instructions for using an nginx ingress on AWS were right here - https://rancher.com/docs/rancher/v2.x/en/installation/install-rancher-on-k8s/amazon-eks/

bashofmann commented 2 years ago

I'm closing this issue. The TLS warning is expected because this module uses self-signed certificates.