Can't access cluster from kubectl after Rancher certificate update


I am using Rancher 2.8. I replaced the default certificate with a new one following the “Updating from a Private CA Certificate to a Public CA Certificate” procedure from Updating the Rancher Certificate | Rancher

I used the full certificate chain, but after updating the certificate I cannot access the underlying cluster even when I replace the KubeConfig file. The message I get is:
“Unable to connect to the server: tls: failed to verify certificate: x509: certificate signed by unknown authority”

I ran superseb/ranchercheck script and it reports:
Certificate chain is complete, connection to established successfully.

Please help or point me in a new direction, I’m going around in circles.
Thank you.

1 Like

Just asking, have you imported the RootCA to your machines?

Hello @wioxjk thank you for answering.

I haven’t imported RootCA to any machines. Would this be the local cluster macine (i.e. Rancher manager) or the remote cluster nodes? Why is only RootCA needed in that case?

I only did force update from Continuous Delivery as indicated by the procedure. Could you send me the procedure to import the certificates to the nodes that need to be updated?

Depending on the machine you are running kubectl from, you might want to look into different way of importing your RootCA into that one.

Anyway, you probably need to import the root-cert into rancher aswell:

I tried adding the certificate to the client machine, this did not change the error.
I’m having trouble with this one: About Custom CA Root Certificates | Rancher
My Rancher manager was not installed with docker, I’m assuming there should be an equivalent of this action for helm chart, but I was not able to find it. Could you help with this?

Thank you :slight_smile:

Did you check this?

Hello, I have: remote cluster becomes unavailable if I do this. I tried a bunch of other posts related to this, but I still did not resolve the problem.