
I replied to a similar question on the Rancher Forums with no luck: https://forums.rancher.com/t/rancher-2-x-ha-install-and-ssl-termination/12515/3

When following the Rancher Docs for an HA install, a sample nginx configuration is provided for the load balancer: https://rancher.com/docs/rancher/v2.x/en/installation/ha/create-nodes-lb/

When using cert-manager to issue the certs, cert-manager can't get to the well-known http-01 check to validate domain ownership. I get the same errors as Yannick from the Rancher forum post, and navigating to the well-known address myself results in a 301 to https (with an invalid cert), so the response doesn't load.

I next tried adding a separate nginx conf location block to trap the /.well-known address and proxy_pass to the ingress on the rancher servers on port 80, but this triggers numerous 301s, until Chrome stops it.

Looking at the ingress object, it seems that it may be listening on 443 as well, but there are no events, so perhaps it is not getting to the ingress:

Name:             cm-acme-http-solver-tr74p
Namespace:        cattle-system
Address:          x.x.x.x,x.x.x.y
Default backend:  default-http-backend:80 (<none>)
Rules:
  Host                   Path  Backends
  ----                   ----  --------
  rancher.mydomain.com
                         /.well-known/acme-challenge/Bf-oPbO34tgehadfI0k7Qsf_fza4rHUKC534easfO5TM   cm-acme-http-solver-xnw4t:8089 (<none>)
Annotations:
  field.cattle.io/publicEndpoints:  [{"addresses":["x.x.x.x","x.x.x.y"],"port":80,"protocol":"HTTP","serviceName":"cattle-system:cm-acme-http-solver-xnw4t","ingressName":"cattle-system:cm-acme-http-solver-tr74p","hostname":"rancher.mydomain.com","path":"/.well-known/acme-challenge/Bf-oPbO6hy7DdfI0k7Qsf_fza4rHUKC575duPOfO5TM","allNodes":false}]
Events:                             <none>


Name:             rancher
Namespace:        cattle-system
Address:          x.x.x.x,x.x.x.xy
Default backend:  default-http-backend:80 (<none>)
TLS:
  tls-rancher-ingress terminates rancher.mydomain.com
Rules:
  Host                   Path  Backends
  ----                   ----  --------
  rancher.mydomain.com
                            rancher:80 (<none>)
Annotations:
  certmanager.k8s.io/issuer:                          rancher
  field.cattle.io/publicEndpoints:                    [{"addresses":["x.x.x.x","x.x.xy"],"port":443,"protocol":"HTTPS","serviceName":"cattle-system:rancher","ingressName":"cattle-system:rancher","hostname":"rancher.mydomain.com","allNodes":false}]
  nginx.ingress.kubernetes.io/proxy-connect-timeout:  30
  nginx.ingress.kubernetes.io/proxy-read-timeout:     1800
  nginx.ingress.kubernetes.io/proxy-send-timeout:     1800
Events:                                               <none>

Digging further into the ingress, I see the following:

I0123 02:02:32.615026       7 controller.go:179] Backend successfully reloaded.
I0123 02:07:26.990283       7 event.go:218] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"cattle-system", Name:"rancher", UID:"a18cc766-1eb3-11e9-a3a4-9c8e9916e498", APIVersion:"extensions", ResourceVersion:"1347", FieldPath:""}): type: 'Normal' reason: 'CREATE' Ingress cattle-system/rancher
W0123 02:07:26.990427       7 backend_ssl.go:49] error obtaining PEM from secret cattle-system/tls-rancher-ingress: error retrieving secret cattle-system/tls-rancher-ingress: secret cattle-system/tls-rancher-ingress was not found
W0123 02:07:30.307510       7 controller.go:769] Service "cattle-system/rancher" does not have any active Endpoint.
W0123 02:07:30.307607       7 controller.go:1015] SSL certificate "cattle-system/tls-rancher-ingress" does not exist in local store.
I0123 02:07:30.307675       7 controller.go:169] Configuration changes detected, backend reload required.

It seems it can't load the TLS secret. Rancher provides info on how to do this: https://rancher.com/docs/rancher/v2.x/en/installation/ha/helm-rancher/tls-secrets/ but this seems counterintuitive to using LE and cert-manager versus bringing your own certs.

Anyone have luck with this with Rancher or see anything I am missing?

Brian
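An added example, not code from the Rancher docs sample or from the post above: a layer-7 nginx front-end fragment of the shape the post describes, where the ACME http-01 challenge path is proxied to the ingress on port 80 while every other port-80 request is redirected to HTTPS. The upstream name, node addresses and the header set are assumptions.

```nginx
# Added example (not the Rancher docs sample nor the poster's config).
# Node addresses are placeholders; replace with the RKE node IPs.
upstream rancher_servers_http {
    server 10.0.0.11:80 max_fails=3 fail_timeout=5s;
    server 10.0.0.12:80 max_fails=3 fail_timeout=5s;
    server 10.0.0.13:80 max_fails=3 fail_timeout=5s;
}

server {
    listen 80;
    server_name rancher.mydomain.com;

    # "^~" makes this prefix location win over any regex location, so the
    # challenge path is never caught by a catch-all rule declared elsewhere.
    location ^~ /.well-known/acme-challenge/ {
        proxy_pass http://rancher_servers_http;

        # The ingress controller routes on the Host header; without it the
        # request lands on default-http-backend instead of the
        # cm-acme-http-solver service shown in the Ingress above.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Pass any upstream redirect through unchanged so that, if the
        # ingress itself answers with a 301, curl -I shows its Location
        # header rather than one rewritten by this proxy.
        proxy_redirect off;
    }

    # Everything else on port 80 goes to HTTPS; this block must stay
    # separate from the challenge location or the redirect applies to it too.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

After `nginx -t` and a reload, `curl -sI http://rancher.mydomain.com/.well-known/acme-challenge/test` should return a response from the ingress rather than a `301` with an `https://` Location header from the load balancer; if it still redirects, the redirect is coming from upstream, not from this block.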