Certificate issue: Unable to join node to cluster

Hello there! I am new to Rancher and Kubernetes, so please bear with me if my questions seem silly.

I set up a single-node cluster in our environment with the following versions of k3s and Rancher:

K3s - v1.21.2+k3s1
Rancher - v2.5.8

I installed Rancher via helm and I was able to access the UI. I created a cluster inside the Rancher UI to join Master and Worker nodes. When I copied the command to one of the Master nodes, the container kept on restarting. Upon checking the docker logs, below is the error I found:

This is the error from downstream MasterNode:

msg="Issuer of last certificate found in chain {CN=TRAEFIK DEFAULT CERT} does not match with CA Certificate Issuer {CN=dynamiclistener-ca,O=dynamiclistener=org}" …

When I checked the SSL cert used by the Rancher URL, it is Traefik, but the Rancher UI console itself has another certificate, which is the dynamiclistener. This dynamiclistener CN is the one that is included or used when you copy the docker command from the cluster.

Has anyone experienced this? And how can I solve it? I have been scratching my head for 2 weeks but I still could not find any solution.

I also tried to disable Traefik upon installation, but that made my Rancher UI not accessible.


Certificate issues are very common with k3s. k3s is very buggy, in general.
It’s also impossible to manage a k3s node entirely through the Rancher GUI. A lot of k3s stuff is not supported and simply does not work in the Rancher GUI.

Sometimes, the Rancher UI also changes certificates without notice. You might want to start there.

If that still does not work, try to set up a system from scratch and go through each step slowly, checking each step, to immediately notice when the whole thing starts to malfunction.

Thanks for the advice, Akito!

However, I already solved this. I was installing manifests for cert-manager, and that caused this problem. When I skipped installing it (I uninstalled Rancher), I was able to join the master and worker nodes to the cluster I created in the Rancher UI.

Verified that the Rancher UI is really using Traefik as its default SSL cert and the Rancher UI console is using dynamiclistener. I checked these settings after I successfully joined all the nodes in the cluster and deployed images.

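The comparison named in the error message above (issuer of the last certificate in the served chain versus the issuer of the CA certificate) can be reproduced by hand with openssl. The script below is an added example, not part of the thread or of Rancher's own code; the certificates are throwaway ones constructed for the demonstration, and the file names and `rancher.example.test` are assumptions.

```shell
#!/bin/sh
# Added example: does the chain a Rancher URL serves end at the CA the agent was given?
# On a live server, save the served chain first with (host is a placeholder):
#   openssl s_client -connect <rancher-host>:443 -showcerts </dev/null > served.pem

# Print the issuer (RFC 2253 form) of the LAST certificate in a PEM bundle.
last_cert_issuer() {
    awk '/-----BEGIN CERTIFICATE-----/ { buf = "" }
         { buf = buf $0 "\n" }
         END { printf "%s", buf }' "$1" |
        openssl x509 -noout -issuer -nameopt RFC2253
}

# Return 0 only when that issuer equals the issuer of the CA certificate.
chain_matches_ca() {
    served=$(last_cert_issuer "$1") || return 2
    ca=$(openssl x509 -in "$2" -noout -issuer -nameopt RFC2253) || return 2
    echo "chain: $served"
    echo "ca:    $ca"
    [ "$served" = "$ca" ]
}

# Constructed sample data: throwaway certificates, not the ones from the thread.
work=$(mktemp -d)
mkcert() {  # mkcert <name> <CN>: self-signed, so issuer equals subject
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$work/$1.key" -out "$work/$1.pem" 2>/dev/null
}
mkcert traefik "TRAEFIK DEFAULT CERT"   # what the ingress serves by default
mkcert ca "dynamiclistener-ca"          # stands in for the CA given to agents

# A leaf signed by the constructed CA: the chain a matching setup would serve.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=rancher.example.test" \
    -keyout "$work/leaf.key" -out "$work/leaf.csr" 2>/dev/null
openssl x509 -req -in "$work/leaf.csr" -CA "$work/ca.pem" -CAkey "$work/ca.key" \
    -CAcreateserial -days 1 -out "$work/leaf.pem" 2>/dev/null
cat "$work/leaf.pem" "$work/ca.pem" > "$work/good-chain.pem"

chain_matches_ca "$work/traefik.pem" "$work/ca.pem" || echo "MISMATCH: default cert served"
chain_matches_ca "$work/good-chain.pem" "$work/ca.pem" && echo "OK: chain ends at the CA"
```

A mismatch here means the endpoint is presenting a certificate from a different issuer than the CA the agent was told to trust, which is the condition the agent refuses to proceed on.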