Cannot add secret after fixing expired cattle-webhook-tls: x509: certificate signed by unknown authority


I’m running Rancher 2.6.0, and I recently found that my cattle-webhook-tls certificate had expired.

Following other sources online I did the following:

  • Delete the cattle-webhook-tls certificate
  • Delete the admission controller
  • Delete the rancher-webhook pod

This process seems to have worked, in that it caused a new certificate for cattle-webhook-tls to be generated. (The admission controller has also been recreated.)

However, I think I may have messed something up in my process because now when I go to add a new secret I get the following message:

Internal error occurred: failed calling webhook "": Post "https://rancher-webhook.cattle-system.svc:443/v1/webhook/mutation?timeout=10s": x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "dynamiclistener-ca")

Does anyone know how to correct this behavior?

Many thanks!
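The error quoted above is produced by Go's x509 verifier when the apiserver finds a CA in the webhook configuration's caBundle whose name matches the serving certificate's issuer but whose key did not sign it. The following Go program (an added illustration, not code from the post or from Rancher; the CA name and the webhook host name are taken from the error message, and the certificates are generated in-process as stand-ins) reproduces that situation: a serving certificate issued by one "dynamiclistener-ca" checked against a regenerated CA of the same name.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA returns a self-signed ECDSA CA playing the role of "dynamiclistener-ca".
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, tpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// issueLeaf signs a serving certificate for dns with ca (the cattle-webhook-tls role).
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dns string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: dns},
		DNSNames: []string{dns}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, ca, &key.PublicKey, caKey)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// verifyServingCert does what the apiserver does: chain the serving cert to the caBundle CA for the URL's host.
func verifyServingCert(leaf *x509.Certificate, dns string, bundle *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(bundle)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: dns})
	return err
}

func main() {
	dns := "rancher-webhook.cattle-system.svc"
	oldCA, oldKey := newCA("dynamiclistener-ca")
	freshCA, _ := newCA("dynamiclistener-ca") // regenerated CA: same name, new key
	leaf := issueLeaf(oldCA, oldKey, dns)
	fmt.Printf("bundle matches signer: %v\nbundle is stale CA:    %v\n", verifyServingCert(leaf, dns, oldCA), verifyServingCert(leaf, dns, freshCA))
}
```

The second line printed is the "certificate signed by unknown authority (possibly because of ... ECDSA verification failure ...)" text from the post, which points at a caBundle or serving certificate that was not regenerated together with the CA rather than at a missing certificate.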


Just bumping this, in case anyone has any idea how I should proceed.

I’m guessing that I need to generate a new valid value for the TLS Secret cattle-system/tls-rancher.

I’ve tried removing it, but when I do the rancher-webhook deployment won’t start. So I gather it can’t boot without it.