How to setup selfsigned CA certificates for rancher agent?

mengzyou · December 6, 2022, 10:06am

Hi,

I install the rancher server in a cluster via helm charts (chart version: rancher-2.7.0 app version: v2.7.0 namespace: cattle-system) with below customized values:

hostname: rancher.home.mengz.lan
ingress:
  extraAnnotations:
    cert-manager.io/cluster-issuer: root-ca-cluster-issuer
    cert-manager.io/common-name: rancher.home.mengz.lan
  includeDefaultExtraAnnotations: false
  ingressClassName: traefik
  tls:
    source: secret
replicas: 1

The root-ca-cluster-issuer is a ClusterIssuer with CA of selfsigned.

When I import the the existed cluster, the agent can not start with below error:

INFO: Using resolv.conf: search cattle-system.svc.cluster.local svc.cluster.local cluster.local mengz.lan nameserver 10.96.0.10 options ndots:5
INFO: https://rancher.home.mengz.lan/ping is accessible
INFO: rancher.home.mengz.lan resolves to 192.168.31.201
time="2022-12-06T09:49:48Z" level=info msg="Rancher agent version v2.7.0 is starting"
time="2022-12-06T09:49:48Z" level=info msg="Listening on /tmp/log.sock"
time="2022-12-06T09:49:48Z" level=info msg="Certificate details from https://rancher.home.mengz.lan"
time="2022-12-06T09:49:48Z" level=info msg="Certificate #0 (https://rancher.home.mengz.lan)"
time="2022-12-06T09:49:48Z" level=info msg="Subject: CN=rancher.home.mengz.lan"
time="2022-12-06T09:49:48Z" level=info msg="Issuer: CN=Mengz SelfSigned Root CA,OU=DEVOPS,O=MengzDev,C=CN,1.2.840.113549.1.9.1=#0c156d656e677a2e796f75406f75746c6f6f6b2e636f6d"
time="2022-12-06T09:49:48Z" level=info msg="IsCA: false"
time="2022-12-06T09:49:48Z" level=info msg="DNS Names: [rancher.home.mengz.lan]"
time="2022-12-06T09:49:48Z" level=info msg="IPAddresses: <none>"
time="2022-12-06T09:49:48Z" level=info msg="NotBefore: 2022-12-06 09:23:18 +0000 UTC"
time="2022-12-06T09:49:48Z" level=info msg="NotAfter: 2023-03-06 09:23:18 +0000 UTC"
time="2022-12-06T09:49:48Z" level=info msg="SignatureAlgorithm: SHA256-RSA"
time="2022-12-06T09:49:48Z" level=info msg="PublicKeyAlgorithm: RSA"
time="2022-12-06T09:49:48Z" level=fatal msg="Certificate chain is not complete, please check if all needed intermediate certificates are included in the server certificate (in the correct order) and if the cacerts setting in Rancher either contains the correct CA certificate (in the case of using self signed certificates) or is empty (in the case of using a certificate signed by a recognized CA). Certificate information is displayed above. error: Get \"https://rancher.home.mengz.lan\": x509: certificate signed by unknown authority"

So, how to set the certifcates for agent authentication?

Topic		Replies	Views
Solved - Certificate error in logs Rancher 2.x	3	2183	July 4, 2019
Self-signed root certificate (ca.crt) for rancher-agent and server? Rancher 1.x	12	7982	November 3, 2015
Rancher 2.2.7 Fresh Install - cacerts issues (self signed cert) Rancher 2.x	3	1774	February 29, 2020
Cattle-cluster-agent crashloopbackoff - Help me! Rancher 2.x	7	2654	June 27, 2022
Rancher Generated Certificates issues with Harvester integration	0	210	November 7, 2023

How to setup selfsigned CA certificates for rancher agent?

Related Topics