How to use self signed certificates helm catalog?

Hi, I installed rancher (installed via helm chart) on a RKE2 single node cluster (installed via quick start script).

Nexus3 is used to serve the private docker registries. That part works so far.

Since no direct internet access is available on this host, I want to host the helm catalogs in nexus as well.
Nexus has TLS enabled, the certificate is signed with a selfsigned CA.

When changing the catalog url to my nexus repo I get “x509: certificate signed by unknown authority”.

How can I add my own CA as trusted by rancher? The underlying centos7 already trusts the CA, but not the rancher pod.

Thanks in advance, Andreas


If the helm catalog you want to add in rancher uses a self-singed or a certificate that is signed by unknown CA, you have to add this certificate to the trusted CA store used by Rancher.
First make sure you run rancher with the option additionalTrustedCAs=true
Copy your CA certs in pem format into a file named ca-additional.pem and use kubectl to create the tls-ca-additional secret in the cattle-system namespace.
kubectl -n cattle-system create secret generic tls-ca-additional --from-file=ca-additional.pem=./ca-additional.pem

1 Like