Certificate issue on import k3s node to rancher manager


I’m running a sigle RKE cluster with rancher server installed on.
I want to import an additional k3s node with “Add Cluster” “other cluster”:

k3osn5 [~]$ kubectl apply -f https://rancher.arahome.ml/v3/import/fjswxth69mzs8drzdcqnvk9pknwf2l8kvtsgt7qk82f4zwgrq2krn2_c-wrgjn.yaml
Unable to connect to the server: x509: certificate signed by unknown authority

What is the cuase of this cert issue?


It is unable to validate the certificate served by rancher.arahome.ml, which in case of RKE is the NGINX ingress controller which can be installed in 3 different ways. Depending on what way you chose we can dig into it more but if you are using a certificate signed by a trusted/known CA, it most likely is that your server certificate does not contain a needed intermediate certificate to validate the chain. In case of self signed, you will need to run the insecure version of the import command or add the needed CA and intermediates into the system you are running kubectl apply -f on.

Hi Superseb

I just use my arahome.ml domain internally without a CA.
So, I just use self-sigend certs. Is such case also possible to setup wtih k3s nodes?

How do I run the “insecure version” of the import command?


It should be right under the default command:

Run the kubectl command below on an existing Kubernetes cluster running a supported Kubernetes version to import it into Rancher:

kubectl apply -f https://localhost/v3/import/785frdq9p7bflzc5jghklxdjxvkfdpbq62vl6cvjph5jvq2bvbwdsb_c-br6mh.yaml

If you get an error about ‘certificate signed by unknown authority’ because your Rancher installation is running with an untrusted/self-signed SSL certificate, run the command below instead to bypass the certificate check:

curl --insecure -sfL https://localhost/v3/import/785frdq9p7bflzc5jghklxdjxvkfdpbq62vl6cvjph5jvq2bvbwdsb_c-br6mh.yaml | kubectl apply -f -