Score:1

OpenSSL issue with Rancher/Kubernetes cluster on RHEL 8


So we are working on setting up a big Rancher/Kubernetes cluster on a bunch of RHEL 8 servers. We have everything installed and have Rancher running on a 3-node cluster behind a load balancer. The issue we are running into is enrolling the other nodes for the worker processes into Rancher.

Every time we try and enroll them, we are getting an error when we run the enrollment command:

OpenSSL/1.1.1l-fips: error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small

I know this error is saying the DH key is too small, and I was able to confirm that a 1024-bit DH key is being presented by Rancher to these nodes. I am trying to figure out what needs to happen to get communication up between these boxes. I don't really want to set the seclevel to 1 in OpenSSL, which we even tried doing and it didn't work.

Our ideal solution would be to just try either disabling DH on the Rancher side to force it to an EC protocol, or we have also generated a 2048-bit DHparam file, but we cannot figure out where it needs to go on the system or how to disable DH on the Rancher side of things.

We also tried update-sec-policies --set LEGACY on the client boxes, but got the same error as well.

Thoughts?
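
One way to repeat the check described in the question (which ephemeral key type and size the server presents), and to re-run it after any server-side change. This is an added example, not part of the original post: the function name `temp_key_report`, the 2048-bit threshold and the sample lines are assumptions made for illustration, and the samples are constructed in the format `openssl s_client` prints.

```bash
#!/usr/bin/env bash
# Added example: classify the ephemeral key that `openssl s_client` reports.
# Live usage (HOST is a placeholder for the Rancher load balancer):
#   openssl s_client -connect HOST:443 </dev/null 2>/dev/null | temp_key_report

# Assumption: 2048 bits, matching the DH parameter size mentioned in the question.
MIN_DH_BITS=2048

# Reads s_client output on stdin and prints one of:
#   "WEAK DH <bits>"  finite-field DH below MIN_DH_BITS
#   "OK DH <bits>"    finite-field DH at or above MIN_DH_BITS
#   "OK <kind> <bits>" any other ephemeral key (e.g. X25519, ECDH)
#   "NONE"            no temp key line was found
temp_key_report() {
  awk -v min="$MIN_DH_BITS" '
    # OpenSSL 1.1.1 prints "Server Temp Key:"; "Peer" is accepted as an
    # assumption for builds that label the line differently.
    /(Server|Peer) Temp Key:/ {
      found = 1
      line = $0
      sub(/^.*Temp Key:[ \t]*/, "", line)      # keep "DH, 1024 bits"
      n = split(line, parts, /,[ \t]*/)        # kind first, size last
      kind = parts[1]
      bits = parts[n]
      sub(/[ \t]*bits.*$/, "", bits)
      if (kind == "DH" && bits + 0 < min) print "WEAK DH " bits
      else if (kind == "DH")              print "OK DH " bits
      else                                print "OK " kind " " bits
    }
    END { if (!found) print "NONE" }
  '
}

# Constructed sample lines (not captured from a real server).
SAMPLE_WEAK='Server Temp Key: DH, 1024 bits'
SAMPLE_DH2048='Server Temp Key: DH, 2048 bits'
SAMPLE_X25519='Server Temp Key: X25519, 253 bits'
SAMPLE_P256='Server Temp Key: ECDH, P-256, 256 bits'

for s in "$SAMPLE_WEAK" "$SAMPLE_DH2048" "$SAMPLE_X25519" "$SAMPLE_P256"; do
  printf '%s\n' "$s" | temp_key_report
done
```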
