How to deploy an HA rancher without a DNS name?

Hi,

I don't have a DNS name, so I tried to deploy an HA rancher using an IP address, but it didn't work out.
Here is what I did:

  1. Modify template/service.yaml packaged in rancher-2.5.5.tgz, change the service type to NodePort.

    spec:
      type: NodePort   # <---------------------
      ports:
      - port: 80
        nodePort: 30080   # <-----------------------
        targetPort: 80
        protocol: TCP
        name: http
      - port: 443
        nodePort: 30443   # <------------------------
        targetPort: 444
        protocol: TCP
        name: https-internal
      selector:
        app: {{ template "rancher.fullname" . }}

  2. Provision a 3-node cluster using RKE (the IP addresses are IP1/IP2/IP3).

  3. Install rancher on the cluster with the following commands:

    kubectl create namespace cert-manager
    kubectl apply -f cert-manager.crds.yaml
    helm install cert-manager ./cert-manager-v1.0.4.tgz \
      --namespace cert-manager \
      --set image.repository={my-private-registry}/quay.io/jetstack/cert-manager-controller \
      --set webhook.image.repository={my-private-registry}/quay.io/jetstack/cert-manager-webhook \
      --set cainjector.image.repository={my-private-registry}/quay.io/jetstack/cert-manager-cainjector

    kubectl create namespace cattle-system
    helm install rancher ./rancher-2.5.5.tgz \
      --namespace cattle-system \
      --set hostname=something.com \
      --set certmanager.version=1.0.4 \
      --set rancherImage={my-private-registry}/rancher/rancher \
      --set systemDefaultRegistry={my-private-registry} \
      --set useBundledSystemChart=true

Then I point my browser to https://IP1:30443. The login page shows up. It seems to work, but... when I try to provision a cluster through the UI, the progress gets stuck. The logs of rancher-agent say:

    [ywb@uc1-master ~]$ sudo docker logs d8b6

    INFO: IP1:30443/ping is accessible
    INFO: Value from IP1:30443/v3/settings/cacerts is an x509 certificate
    time="2021-03-15T10:59:07Z" level=info msg="Listening on /tmp/log.sock"
    time="2021-03-15T10:59:07Z" level=info msg="Rancher agent version v2.5.5 is starting"
    time="2021-03-15T10:59:07Z" level=info msg="Option customConfig=…"
    time="2021-03-15T10:59:07Z" level=info msg="Option etcd=true"
    time="2021-03-15T10:59:07Z" level=info msg="Option controlPlane=true"
    time="2021-03-15T10:59:07Z" level=info msg="Option worker=false"
    time="2021-03-15T10:59:07Z" level=info msg="Option requestedHostname=uc1-master"
    time="2021-03-15T10:59:08Z" level=info msg="Certificate details from IP1:30443"
    time="2021-03-15T10:59:08Z" level=info msg="Certificate #0 (IP1:30443)"
    time="2021-03-15T10:59:08Z" level=info msg="Subject: CN=dynamic,O=dynamic"
    time="2021-03-15T10:59:08Z" level=info msg="Issuer: CN=dynamiclistener-ca,O=dynamiclistener-org"
    time="2021-03-15T10:59:08Z" level=info msg="IsCA: false"
    time="2021-03-15T10:59:08Z" level=info msg="DNS Names: "
    time="2021-03-15T10:59:08Z" level=info msg="IPAddresses: [IP1 …]"
    time="2021-03-15T10:59:08Z" level=info msg="NotBefore: 2021-03-15 10:17:37 +0000 UTC"
    time="2021-03-15T10:59:08Z" level=info msg="NotAfter: 2022-03-15 10:45:21 +0000 UTC"
    time="2021-03-15T10:59:08Z" level=info msg="SignatureAlgorithm: ECDSA-SHA256"
    time="2021-03-15T10:59:08Z" level=info msg="PublicKeyAlgorithm: ECDSA"
    time="2021-03-15T10:59:08Z" level=info msg="Certificate details for /etc/kubernetes/ssl/certs/serverca"
    time="2021-03-15T10:59:08Z" level=info msg="Certificate #0 (/etc/kubernetes/ssl/certs/serverca)"
    time="2021-03-15T10:59:08Z" level=info msg="Subject: CN=dynamiclistener-ca,O=dynamiclistener-org"
    time="2021-03-15T10:59:08Z" level=info msg="Issuer: CN=dynamiclistener-ca,O=dynamiclistener-org"
    time="2021-03-15T10:59:08Z" level=info msg="IsCA: true"
    time="2021-03-15T10:59:08Z" level=info msg="DNS Names: "
    time="2021-03-15T10:59:08Z" level=info msg="IPAddresses: "
    time="2021-03-15T10:59:08Z" level=info msg="NotBefore: 2021-03-15 10:17:36 +0000 UTC"
    time="2021-03-15T10:59:08Z" level=info msg="NotAfter: 2031-03-13 10:17:36 +0000 UTC"
    time="2021-03-15T10:59:08Z" level=info msg="SignatureAlgorithm: ECDSA-SHA256"
    time="2021-03-15T10:59:08Z" level=info msg="PublicKeyAlgorithm: ECDSA"
    time="2021-03-15T10:59:08Z" level=fatal msg="Certificate chain is not complete, please check if all needed intermediate certificates are included in the server certificate (in the correct order) and if the cacerts setting in Rancher either contains the correct CA certificate (in the case of using self signed certificates) or is empty (in the case of using a certificate signed by a recognized CA). Certificate information is displayed above. error: Get \"IP1:30443\": x509: certificate signed by unknown authority (possibly because of \"x509: ECDSA verification failure\" while trying to verify candidate authority certificate \"dynamiclistener-ca\")"

What could I do with that? Thanks!
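The check behind the agent's fatal line, as an added example that is not part of the original post and not Rancher's own code: it rebuilds, with Go's standard x509 verifier, what happens when the server certificate served on the NodePort is validated against the CA returned from /v3/settings/cacerts. All certificates are constructed in memory (an ECDSA CA named dynamiclistener-ca and an IP-only leaf, mirroring the log above), and 192.0.2.10 is a documentation-range placeholder standing in for IP1; nothing is fetched from a real Rancher. The second case, a CA with the right name but a different key, is what produces the exact "possibly because of \"x509: ECDSA verification failure\" while trying to verify candidate authority certificate \"dynamiclistener-ca\"" hint in the log.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newCA builds a self-signed ECDSA CA with the same naming as the post's
// "dynamiclistener-ca" (constructed for this example, not Rancher's CA).
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "dynamiclistener-ca", Organization: []string{"dynamiclistener-org"}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newServerCert issues a leaf that carries only an IP SAN and no DNS name,
// like the listener certificate in the agent log, signed by the given CA.
func newServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, ip net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "dynamic", Organization: []string{"dynamic"}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{ip},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyAgainstCACerts is the trust decision: the server certificate must chain
// to the CA fetched from cacerts and must be valid for the address in the URL.
// A literal IP in DNSName is matched against the certificate's IP SANs.
func VerifyAgainstCACerts(server, cacerts *x509.Certificate, addr string) error {
	roots := x509.NewCertPool()
	roots.AddCert(cacerts)
	_, err := server.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   addr,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// IsUnknownAuthority reports whether err is the "signed by unknown authority"
// failure class seen in the post.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// Scenario runs both cases: cacerts holds the CA that really signed the server
// certificate (verifies), and cacerts holds a different CA that merely has the
// same subject name (fails with the candidate-authority hint from the post).
func Scenario() (goodErr, mismatchErr, setupErr error) {
	signingCA, signingKey, err := newCA()
	if err != nil {
		return nil, nil, err
	}
	server, err := newServerCert(signingCA, signingKey, net.ParseIP("192.0.2.10")) // placeholder for IP1
	if err != nil {
		return nil, nil, err
	}
	otherCA, _, err := newCA() // same name, different key: a regenerated or stale CA
	if err != nil {
		return nil, nil, err
	}
	goodErr = VerifyAgainstCACerts(server, signingCA, "192.0.2.10")
	mismatchErr = VerifyAgainstCACerts(server, otherCA, "192.0.2.10")
	return goodErr, mismatchErr, nil
}

func main() {
	good, mismatch, setup := Scenario()
	if setup != nil {
		panic(setup)
	}
	fmt.Println("matching CA:", good) // <nil>
	fmt.Println("same-name CA:", mismatch) // x509: certificate signed by unknown authority (possibly because of ...)
}
```

The practical reading of the hint: Go only prints "while trying to verify candidate authority certificate ..." when a CA with a matching issuer name was present in the pool but its key did not verify the leaf's signature, so the CA in cacerts is not the one that issued the certificate served on IP1:30443. Comparing the Subject Key Identifier of the CA returned from /v3/settings/cacerts with the Authority Key Identifier of the leaf served on the NodePort tells you which of the two is stale.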