Setting up Rancher with SSL

Here is the process for setting up Rancher with an SSL certificate from Let's Encrypt, served through Nginx.

Software versions:

What we will get:

  • A Let's Encrypt SSL certificate (for rancher.example.com in this guide)
  • Nginx listening on ports 80 and 443, redirecting all HTTP requests (port 80) to HTTPS (port 443)
  • The Rancher server running on port 8080 (after finishing the installation you can block access to it from anywhere but localhost).

The guide.

  1. Prepare a server: install Docker, the rest is up to you. My minimum is:
apt-get update && apt-get -y dist-upgrade && apt-get -y install vim wget docker.io
  2. Set up a DNS record for your domain, e.g.:
A rancher.example.com 1.2.3.4
  3. Set up the Let's Encrypt client (certbot):
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
./certbot-auto

You'll get the error "Failed to find executable apache2ctl in PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin", which is absolutely fine: we don't have any web server for Let's Encrypt to use, so we will use its built-in temporary one instead.

  4. Obtain SSL certificates for the domain rancher.example.com:
./certbot-auto certonly

When asked how to authenticate with the ACME CA, select "2: spin up a temporary webserver (standalone)"; the following questions are up to you.

  5. Create a config for Nginx that redirects HTTP to HTTPS and uses our fresh SSL certificates:
vim /etc/nginx.conf

upstream rancher {
  server rancher-server:8080;
}
# Map the client's Upgrade header to the Connection header we send upstream:
# "upgrade" for WebSocket requests, "close" for everything else.
map $http_upgrade $connection_upgrade {
  default Upgrade;
  ''      close;
}
server {
  listen 443 ssl http2;
  server_name <SERVER_NAME>;
  ssl_certificate /etc/letsencrypt/live/<DOMAIN>/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/<DOMAIN>/privkey.pem;
  location / {
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Port $server_port;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass http://rancher;
    # WebSocket support (needed for the Rancher UI and the container shell)
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
    # Lets the "execute shell" window stay open for up to 15 minutes.
    # Without this the default is 1 minute, after which the connection is closed.
    proxy_read_timeout 900s;
  }
}
server {
  listen 80;
  server_name <SERVER_NAME>;
  return 301 https://$server_name$request_uri;
}

<DOMAIN> is the domain your SSL certificate was created for, in our case rancher.example.com. <SERVER_NAME> can be any name, but the same name must be used in both the HTTP and HTTPS server blocks, since the HTTP block redirects to https://$server_name; for example: "server_name rancher.example.com;".

  6. Start the Rancher server:
docker run -d --name=rancher-server --restart=unless-stopped -p 8080:8080 rancher/server

Open the logs with "docker logs -f rancher-server"; after a minute or so you should see something like this:

time="2017-04-20T13:08:08Z" level=info msg="Updating machine jsons for [packet packet amazonec2 azure digitalocean]"
time="2017-04-20T13:08:09Z" level=info msg="Creating schema machine, roles [service]" id=1ds29
time="2017-04-20T13:08:09Z" level=info msg="Creating schema host, roles [service]" id=1ds30
time="2017-04-20T13:08:09Z" level=info msg="Creating schema machine, roles [project member owner]" id=1ds31
time="2017-04-20T13:08:10Z" level=info msg="Creating schema host, roles [project member owner]" id=1ds32
time="2017-04-20T13:08:10Z" level=info msg="Creating schema machine, roles [admin user readAdmin]" id=1ds33
time="2017-04-20T13:08:10Z" level=info msg="Creating schema host, roles [admin user readAdmin]" id=1ds34
time="2017-04-20T13:08:10Z" level=info msg="Creating schema machine, roles [readonly]" id=1ds35
time="2017-04-20T13:08:10Z" level=info msg="Creating schema host, roles [readonly]" id=1ds36

Now press Ctrl-C and go to the next step.

  7. Run Nginx linked to the rancher-server container:
docker run -d --name=nginx --restart=unless-stopped -p 80:80 -p 443:443 -v /etc/letsencrypt:/etc/letsencrypt -v /etc/nginx.conf:/etc/nginx/conf.d/default.conf --link=rancher-server nginx:1.11
  8. Set up Rancher access control in the UI: ADMIN -> Access Control
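Once the steps above are done, this post-install check script (an added example, not part of the original guide) verifies the three things the setup promises: the HTTP to HTTPS redirect, that Rancher's port 8080 is not published on a public address, and that the served certificate is not close to expiry. It assumes DOMAIN is the certificate's name, that "docker port" prints lines like "8080/tcp -> 0.0.0.0:8080", and that Rancher 1.x answers GET /ping with "pong"; the sample inputs in the comments are constructed.

```shell
#!/bin/sh
# Post-install checks for the Rancher + Nginx + Let's Encrypt setup from the guide.
# Added example, not part of the original guide. Assumes DOMAIN is the certificate's
# name and that Rancher 1.x answers GET /ping with "pong".
DOMAIN="${DOMAIN:-rancher.example.com}"

# Check 1: plain HTTP must answer 301 with a Location on https://$DOMAIN.
# Reads raw response headers (e.g. from curl -sI) on stdin.
check_redirect() {
  headers="$(cat)"
  printf '%s\n' "$headers" | head -n 1 | grep -q ' 301 ' || return 1
  printf '%s\n' "$headers" | grep -qi "^Location: https://$DOMAIN/" || return 1
}

# Check 2: Rancher's own port must not be reachable from outside. "-p 8080:8080"
# binds on all interfaces, and Docker's iptables rules are consulted before host
# INPUT rules such as ufw, so only loopback bindings pass (or none at all, since
# Nginx reaches the container via --link). Reads "docker port <name>" lines on
# stdin, e.g. constructed: "8080/tcp -> 127.0.0.1:8080".
check_rancher_port() {
  while IFS= read -r line; do
    addr="${line##*-> }"      # "127.0.0.1:8080"
    host="${addr%:*}"         # "127.0.0.1", "0.0.0.0" or "[::]"
    case "$host" in
      127.0.0.1|'[::1]') ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# Check 3: the served certificate must stay valid for more than 14 days (1209600 s);
# certbot renews at 30 days, so failing this means renewal is not running.
check_cert_expiry() {
  openssl s_client -connect "$DOMAIN:443" -servername "$DOMAIN" </dev/null 2>/dev/null \
    | openssl x509 -noout -checkend 1209600 >/dev/null
}

main() {
  curl -sI "http://$DOMAIN/" | check_redirect && echo "ok: http redirects to https" || echo "FAIL: no https redirect"
  docker port rancher-server | check_rancher_port && echo "ok: 8080 not public" || echo "FAIL: 8080 bound on a public address"
  check_cert_expiry && echo "ok: certificate valid > 14 days" || echo "FAIL: certificate expiring or unreadable"
  [ "$(curl -s "https://$DOMAIN/ping")" = "pong" ] && echo "ok: rancher reachable" || echo "FAIL: rancher not reachable via nginx"
}

# Live checks run only when invoked as: sh rancher-check.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

If check 2 fails, restart rancher-server with "-p 127.0.0.1:8080:8080" instead of "-p 8080:8080"; Nginx still reaches it through the container link.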

Enjoy your Rancher server running at https://rancher.example.com