Rancher Custom Catalog from GitLab

Not too long ago we had an issue while setting up a custom catalog for one of our clients. Long story short, it turned out that the wildcard SSL certificate in use was not properly accepted by the Rancher server. Besides looking for a proper certificate, we needed a solution for the time being. Unfortunately, the frontend error associated with this issue did not help too much.

The template request answer was:

{"actions":{},"links":{"self":"http://.../v1-catalog/templates"},"message":"[Catalog refresh failed for CUSTOM-Catalog (https://...@git.yourcompany.net/RANCHER/rancher-catalogs.git): Update failed: exit status 128]","status":"500","type":"error"} 

The host could talk to GitLab and the logs did not reveal much more, but we eventually ended up checking the git connection from inside the rancher-server container. And tada:

unable to access 'https://...@git.yourcompany.net/RANCHER/rancher-catalogs.git': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none  

Until we managed to get the Root-Cert working as expected, here is the workaround:

connect to the rancher server
docker exec -it rancher-server bash

disable SSL verification for all repos
git config --global http.sslVerify false

refresh the catalog, it should work now

enable SSL verification again
git config --global http.sslVerify true

switch to the Rancher catalog repo and disable SSL verification solely for this repo

cd /var/lib/cattle/cache/global/<id of the new repo>  
git config http.sslVerify false  

From now on, subsequent requests should work too, without sacrificing all other SSL checks.
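
Because the per-repo override is meant to be temporary, it helps to be able to find it again once the certificate is fixed, and to confirm that the global setting was really switched back. The following script is an added example, not part of the original post: the function names `scan_config` and `audit_sslverify` are hypothetical, and it assumes the cached catalog repos are regular clones with a `.git/config` file.

```shell
#!/bin/sh
# Added example: list git configs that still disable TLS verification.
# Parses config files with awk so it needs no git binary; this is an
# approximation of git's config syntax (include.path is not followed).

# Print "<file>: <section> sslVerify=<value>" for each disabling entry.
scan_config() {
    [ -f "$1" ] || return 0
    awk -v file="$1" '
        /^[ \t]*\[/ {                  # section header: [http] or [http "https://host/"]
            section = $0
            gsub(/^[ \t]+|[ \t]+$/, "", section)
            in_http = (tolower(section) ~ /^\[http(\]|[ \t])/)
            next
        }
        in_http {
            line = $0
            sub(/[#;].*$/, "", line)   # drop trailing comments
            n = index(line, "=")
            if (n == 0) next           # a bare key means "true" in git
            key = tolower(substr(line, 1, n - 1))
            val = tolower(substr(line, n + 1))
            gsub(/[ \t"]/, "", key); gsub(/[ \t"]/, "", val)
            if (key == "sslverify" && val ~ /^(false|no|off|0)$/)
                print file ": " section " sslVerify=" val
        }
    ' "$1"
}

# Scan the given global/system config files, then every repo under a cache root.
audit_sslverify() {
    root=$1; shift
    for cfg in "$@"; do scan_config "$cfg"; done
    find "$root" -type f -path '*/.git/config' 2>/dev/null | sort |
        while IFS= read -r cfg; do scan_config "$cfg"; done
}

# Usage inside the rancher-server container (cache path taken from the post):
#   audit_sslverify /var/lib/cattle/cache/global "$HOME/.gitconfig" /etc/gitconfig
```

An empty result means no scanned config disables verification any more; each reported line names the file and section to revert.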
