How to setup selfsigned CA certificates for rancher agent?

Hi,

I install the rancher server in a cluster via helm charts (chart version: rancher-2.7.0 app version: v2.7.0 namespace: cattle-system) with below customized values:

hostname: rancher.home.mengz.lan
ingress:
  extraAnnotations:
    cert-manager.io/cluster-issuer: root-ca-cluster-issuer
    cert-manager.io/common-name: rancher.home.mengz.lan
  includeDefaultExtraAnnotations: false
  ingressClassName: traefik
  tls:
    source: secret
replicas: 1

The root-ca-cluster-issuer is a ClusterIssuer with CA of selfsigned.

When I import the the existed cluster, the agent can not start with below error:

INFO: Using resolv.conf: search cattle-system.svc.cluster.local svc.cluster.local cluster.local mengz.lan nameserver 10.96.0.10 options ndots:5
INFO: https://rancher.home.mengz.lan/ping is accessible
INFO: rancher.home.mengz.lan resolves to 192.168.31.201
time="2022-12-06T09:49:48Z" level=info msg="Rancher agent version v2.7.0 is starting"
time="2022-12-06T09:49:48Z" level=info msg="Listening on /tmp/log.sock"
time="2022-12-06T09:49:48Z" level=info msg="Certificate details from https://rancher.home.mengz.lan"
time="2022-12-06T09:49:48Z" level=info msg="Certificate #0 (https://rancher.home.mengz.lan)"
time="2022-12-06T09:49:48Z" level=info msg="Subject: CN=rancher.home.mengz.lan"
time="2022-12-06T09:49:48Z" level=info msg="Issuer: CN=Mengz SelfSigned Root CA,OU=DEVOPS,O=MengzDev,C=CN,1.2.840.113549.1.9.1=#0c156d656e677a2e796f75406f75746c6f6f6b2e636f6d"
time="2022-12-06T09:49:48Z" level=info msg="IsCA: false"
time="2022-12-06T09:49:48Z" level=info msg="DNS Names: [rancher.home.mengz.lan]"
time="2022-12-06T09:49:48Z" level=info msg="IPAddresses: <none>"
time="2022-12-06T09:49:48Z" level=info msg="NotBefore: 2022-12-06 09:23:18 +0000 UTC"
time="2022-12-06T09:49:48Z" level=info msg="NotAfter: 2023-03-06 09:23:18 +0000 UTC"
time="2022-12-06T09:49:48Z" level=info msg="SignatureAlgorithm: SHA256-RSA"
time="2022-12-06T09:49:48Z" level=info msg="PublicKeyAlgorithm: RSA"
time="2022-12-06T09:49:48Z" level=fatal msg="Certificate chain is not complete, please check if all needed intermediate certificates are included in the server certificate (in the correct order) and if the cacerts setting in Rancher either contains the correct CA certificate (in the case of using self signed certificates) or is empty (in the case of using a certificate signed by a recognized CA). Certificate information is displayed above. error: Get \"https://rancher.home.mengz.lan\": x509: certificate signed by unknown authority"

So, how to set the certifcates for agent authentication?

1 Like