Helm, service account and x509 certificate issues

I am running into a problem when trying to use a freshly initialized helm on a k8s cluster that was created using Rancher. Rancher is run as a single node on docker inside of our network and is not publicly accessible. As a reference point, here is how rancher is started:

docker run -d --volumes-from rancher-data --restart=unless-stopped -p 80:80 -p 443:443 -v /etc/ssl/certs/our_certificate_chained.pem:/etc/rancher/ssl/cert.pem -v /etc/ssl/private/our_certificate_private_key.key:/etc/rancher/ssl/key.pem rancher/rancher:latest --no-cacerts

The certificate is a wildcard certificate we use all over the company from a GoDaddy. I have no idea if this is relevant as I’m not sure if this is the certificate in question for the error we are getting. Helm, the service account and tiller have been initialized per the information here:


Here is where I run into a problem. If I try to do a helm install, I get an error such as the below:

Error: Get https://rancher.ourdomain.com/k8s/clusters/c-ps8sw/api/v1/namespaces/kube-system/pods?labelSelector=app%3Dhelm%2Cname%3Dtiller: x509: certificate signed by unknown authority

This is the command I’m running to get this:

helm install --name prometheus stable/prometheus --tiller-namespace kube-system --kubeconfig config --namespace mytestnamespace --set rbac.create=false

The referenced kubeconfig file is one setup using information from the tiller service account that I created. I am unsure what I may be missing in order to get helm to work using this service account that I created. If anyone has any ideas, or needs more information from me to aid me in a resolution, that would be helpful.


As a follow-up test, I spun up a brand new rancher server, but didn’t use my own certificates to launch it, so the start command looked like this:

sudo docker run -d --restart=unless-stopped -p 80:80 -p 443:443 rancher/rancher:latest

I then went ahead and spun up a 2 node cluster just for testing, but I’m still having major problems when trying to use helm with a service account to deploy something. I used the same helm setup information from the first post. I created a kubeconfig file for the service account and when I try to install something as a test with helm such as the below example:

helm install --name prometheus stable/prometheus --tiller-namespace kube-system --kubeconfig ~/config --namespace default

Basically I get the exact same error as indicated above.