Certificate format for "Bring your own Certificate: Self-Signed"

I have installed a Rancher 2.0 install in HA mode and am using the Kubernetes Secret option for the CA files. I am using an HAProxy TCP load balancer in front of the cluster.

After installing the Rancher Helm chart, I added secrets for the server, and CA as indicated in TLS secrets. The files were all in PEM format.

The UI came up fine, and I logged in. I went to generate the kubectl config file, and saved the file as ~/.kube/config. When I run kubectl, I got the error:

```
➜  .kube: kubectl get pods
Unable to connect to the server: x509: certificate signed by unknown authority
```

In trying to troubleshoot, I found this page on Configure Certificates, and if you click the + next to Option A, it says:

**Prerequisites:** Create a self-signed certificate.

* The certificate files must be in PEM format.
* The certificate files must be encoded in base64.
* In your certificate file, include all intermediate certificates in the chain. Order your certificates with your certificate first, followed by the intermediates. For an example, see Intermediate Certificates.

First of all, there seems to be a typo, since you cannot have a certificate encoded in PEM and base64.
Secondly, it would be helpful if that were on the same page as when it tells you to create the Kubernetes secrets.

I checked the ~/.kube/config file, and the certificate-authority-data field looked incorrectly formatted. I ran a base64 against my CA certificate file, and it was different than what was in the config, so I changed the config and put in the new base64 value, and now kubectl works.

So now, I am trying to figure out how to fix the kubectl config file that Rancher provides to users, so that other people can get the correct file. I tried editing the tls-ca secret, and changing the value to the base64 encoded version of the certificate, but the text I get when clicking on the “Kubeconfig File” in the UI still shows the incorrect value. I tried deleting the Rancher container, and letting Kubernetes re-create it, and it still shows the wrong value.

So my questions are:

  1. How do I get Rancher to give the correct kube config file?
  2. What is the format of the Rancher certificates, and CA certificates that I should include in the certificates?
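The manual comparison described in the post (decode `certificate-authority-data` and compare it with the CA file) can be scripted. This is an added example, not part of the original post and not Rancher code. The function names and sample data are constructed for illustration, and the double-encoding case is only one malformation it tests for, not a diagnosis of what the poster saw.

```python
import base64, binascii, hashlib, re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
CA_FIELD_RE = re.compile(r'certificate-authority-data:\s*"?([A-Za-z0-9+/=]+)')

def b64_or_none(data: bytes):
    """Strictly decode base64 (whitespace ignored); None if it is not base64."""
    try:
        return base64.b64decode(b"".join(data.split()), validate=True)
    except (binascii.Error, ValueError):
        return None

def pem_fingerprints(pem: bytes) -> list:
    """SHA-256 over the DER bytes of every certificate block in a PEM bundle."""
    ders = (b64_or_none(body) for body in PEM_RE.findall(pem))
    return [hashlib.sha256(d).hexdigest() for d in ders if d is not None]

def classify_ca_data(value: str):
    """Return (kind, pem_bytes) for one certificate-authority-data value."""
    once = b64_or_none(value.encode())
    if once is None:
        return "not-base64", b""
    if PEM_RE.search(once):
        return "pem", once                    # base64 of PEM: what kubectl expects
    twice = b64_or_none(once)
    if twice is not None and PEM_RE.search(twice):
        return "double-encoded-pem", twice    # PEM was base64-encoded twice
    return "unknown", once

def check_kubeconfig(kubeconfig_text: str, ca_pem: bytes) -> list:
    """For each CA entry: (kind, True if it carries the same certs as ca_pem)."""
    expected = pem_fingerprints(ca_pem)
    out = []
    for value in CA_FIELD_RE.findall(kubeconfig_text):
        kind, pem = classify_ca_data(value)
        out.append((kind, bool(expected) and pem_fingerprints(pem) == expected))
    return out

# Constructed sample data: placeholder bytes, not a real X.509 certificate.
def make_pem(der: bytes) -> bytes:
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"

SAMPLE_CA = make_pem(b"constructed placeholder, not a real certificate")
GOOD = base64.b64encode(SAMPLE_CA).decode()
DOUBLE = base64.b64encode(GOOD.encode()).decode()
KUBECONFIG = "clusters:\n- name: sample\n  cluster:\n    certificate-authority-data: {}\n"

if __name__ == "__main__":
    for label, value in (("good", GOOD), ("double", DOUBLE)):
        print(label, check_kubeconfig(KUBECONFIG.format(value), SAMPLE_CA))
```

A result of `("pem", False)` means the field is well-formed but carries a different certificate than the CA file it is compared against.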