Cannot add secret after fixing expired cattle-webhook-tl: x509: certificate signed by unknown authority

zorlack · October 4, 2022, 8:39pm

Hello,

I’m running Rancher 2.6.0, and I recently found that my cattle-webhook-tls certificate had expired.

Following other sources online I did the following:

Delete the cattle-webhook-tls certificate
Delete the rancher.cattle.io admission controller
Delete the rancher-webhook pod

This process seems to have worked, in that it caused a new certificate for cattle-webhook-tls to be generated. (The admission controller has also been recreated.)

However, I think I may have messed something up in my process because now when I go to add a new secret I get the following message:

Internal error occurred: failed calling webhook "rancher.cattle.io": Post "https://rancher-webhook.cattle-system.svc:443/v1/webhook/mutation?timeout=10s": x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "dynamiclistener-ca")

Does anyone know how correct this behavior?

Many thanks!

-Z

zorlack · October 11, 2022, 8:48pm

Just bumping this, in case anyone has any idea how I should proceed.

I’m guessing that I need to generate a new valid value for the TLS Secret cattle-system/tls-rancher

I’ve tried removing it, but when I do the rancher-webhook deployment won’t start. So I gather it can’t boot without it.

Topic		Replies	Views
Unknown certificate about to expire Rancher	1	1223	November 28, 2022
Certificate cattle-webhook-tls expired Rancher	1	984	October 12, 2021
Unable to edit permissions of a user Rancher	3	395	January 10, 2023
No rancher-webhook pod present (Rancher 2.5.5) Rancher	4	1975	August 22, 2022
Rancher-webhook fails due to not existing rancher-webhook-tls secret Rancher	7	15002	May 2, 2022

Cannot add secret after fixing expired cattle-webhook-tl: x509: certificate signed by unknown authority

Related topics