Error when adding nodes to cluster. "x509: certificate signed by unknown authority"

Hi All,

I installed Rancher 2.6 and am trying to add nodes to the cluster, but I am getting an x509 error.

Steps

  1. Rancher is set up and the dashboard is working fine.
  2. The Rancher setup is using a hostname from Netscaler, in the format rancher.company.domain. The SSL certificate is applied at the Netscaler endpoint.
  3. I tried to create a cluster and it also worked fine.
  4. I tried to add a node to the cluster. I am getting the "x509: certificate signed by unknown authority" error.

How do I resolve this issue?
Is there something to be done at the node or at the server? Logs below:

time="2022-03-10T06:05:41Z" level=info msg="Issuer: CN=Mycompany Root Certificate Authority"
time="2022-03-10T06:05:41Z" level=info msg="IsCA: true"
time="2022-03-10T06:05:41Z" level=info msg="DNS Names: <none>"
time="2022-03-10T06:05:41Z" level=info msg="IPAddresses: <none>"
time="2022-03-10T06:05:41Z" level=info msg="NotBefore: 2016-06-10 02:49:31 +0000 UTC"
time="2022-03-10T06:05:41Z" level=info msg="NotAfter: 2026-06-10 01:19:08 +0000 UTC"
time="2022-03-10T06:05:41Z" level=info msg="SignatureAlgorithm: SHA256-RSA"
time="2022-03-10T06:05:41Z" level=info msg="PublicKeyAlgorithm: RSA"
time="2022-03-10T06:05:41Z" level=info msg="Certificate details for /etc/kubernetes/ssl/certs/serverca"
time="2022-03-10T06:05:41Z" level=info msg="Certificate #0 (/etc/kubernetes/ssl/certs/serverca)"
time="2022-03-10T06:05:41Z" level=info msg="Subject: CN=dynamiclistener-ca,O=dynamiclistener-org"
time="2022-03-10T06:05:41Z" level=info msg="Issuer: CN=dynamiclistener-ca,O=dynamiclistener-org"
time="2022-03-10T06:05:41Z" level=info msg="IsCA: true"
time="2022-03-10T06:05:41Z" level=info msg="DNS Names: <none>"
time="2022-03-10T06:05:41Z" level=info msg="IPAddresses: <none>"
time="2022-03-10T06:05:41Z" level=info msg="NotBefore: 2022-03-09 07:13:47 +0000 UTC"
time="2022-03-10T06:05:41Z" level=info msg="NotAfter: 2032-03-06 07:13:47 +0000 UTC"
time="2022-03-10T06:05:41Z" level=info msg="SignatureAlgorithm: ECDSA-SHA256"
time="2022-03-10T06:05:41Z" level=info msg="PublicKeyAlgorithm: ECDSA"
time="2022-03-10T06:05:41Z" level=error msg="Issuer of last certificate found in chain (CN=Mycompany Root Certificate Authority) does not match with CA certificate Issuer (CN=dynamiclistener-ca,O=dynamiclistener-org). Please check if the configured server certificate contains all needed intermediate certificates and make sure they are in the correct order (server certificate first, intermediates after)"
time="2022-03-10T06:05:41Z" level=fatal msg="Certificate chain is not complete, please check if all needed intermediate certificates are included in the server certificate (in the correct order) and if the cacerts setting in Rancher either contains the correct CA certificate (in the case of using self signed certificates) or is empty (in the case of using a certificate signed by a recognized CA). Certificate information is displayed above. error: Get \"https://rancherpoc.adev.dev\": x509: certificate signed by unknown authority"

I checked /v3/settings/cacerts. There is a /n at the beginning and end of the certificate section. Is that causing the issue?
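The check reported in the log above can be reproduced offline. The following is an added example, not part of the original post and not Rancher's own code: it validates a served chain while trusting only the CA that the cacerts setting would supply. The certificates are constructed in memory, reusing the names from the log, and `newCert` and `CheckChain` are hypothetical helper names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert builds a constructed test certificate; a nil parent means a self-signed CA.
func newCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed CA
		t.IsCA, t.KeyUsage = true, t.KeyUsage|x509.KeyUsageCertSign
		parent, parentKey = t, key
	} else { // leaf: the hostname goes into the SAN
		t.DNSNames = []string{cn}
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// CheckChain trusts only ca (the role of the cacerts setting) when validating the served chain.
func CheckChain(host string, chain []*x509.Certificate, ca *x509.Certificate) error {
	if last := chain[len(chain)-1]; last.Issuer.String() != ca.Subject.String() {
		return fmt.Errorf("issuer of last chain certificate (%s) does not match CA (%s)", last.Issuer, ca.Subject)
	}
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(ca)
	for _, c := range chain[1:] {
		inter.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inter})
	return err
}
func main() {
	corp, corpKey := newCert("Mycompany Root Certificate Authority", nil, nil)
	leaf, _ := newCert("rancher.company.domain", corp, corpKey)
	dyn, _ := newCert("dynamiclistener-ca", nil, nil)
	fmt.Println("cacerts = dynamiclistener-ca:", CheckChain("rancher.company.domain", []*x509.Certificate{leaf}, dyn))
	fmt.Println("cacerts = corporate root:", CheckChain("rancher.company.domain", []*x509.Certificate{leaf}, corp))
}
```

The first call fails on the issuer comparison, as in the log; the second succeeds because the trusted CA is the one that signed the certificate presented at the proxy endpoint.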