Hi there,
Here is the info. It looks the same with the new certs.
root@node1:~# kubectl get pods --all-namespaces
NAMESPACE NAME READY STATUS RESTARTS AGE
cattle-system cattle-78b54f84c5-cq2qd 1/1 Running 1 3d
cattle-system cattle-cluster-agent-8774bfcf-trm4t 0/1 CrashLoopBackOff 13 3d
cattle-system cattle-node-agent-5926j 0/1 CrashLoopBackOff 11 3d
cattle-system cattle-node-agent-9xmwh 1/1 Running 11 3d
cattle-system cattle-node-agent-bzn85 0/1 CrashLoopBackOff 10 3d
ingress-nginx default-http-backend-797c5bc547-fprcx 1/1 Running 1 3d
ingress-nginx nginx-ingress-controller-6gg54 1/1 Running 1 3d
ingress-nginx nginx-ingress-controller-jpxrp 1/1 Running 1 3d
ingress-nginx nginx-ingress-controller-kzsjr 1/1 Running 1 3d
kube-system canal-fw8vc 3/3 Running 3 3d
kube-system canal-w7p6k 3/3 Running 3 3d
kube-system canal-xflj4 3/3 Running 3 3d
kube-system kube-dns-7588d5b5f5-mgsdt 3/3 Running 3 3d
kube-system kube-dns-autoscaler-5db9bbb766-svg96 1/1 Running 1 3d
kube-system metrics-server-97bc649d5-f8zs5 1/1 Running 1 3d
kube-system rke-ingress-controller-deploy-job-62psx 0/1 Completed 0 3d
kube-system rke-kubedns-addon-deploy-job-jd9dd 0/1 Completed 0 3d
kube-system rke-metrics-addon-deploy-job-dgztm 0/1 Completed 0 3d
kube-system rke-network-plugin-deploy-job-tpj2h 0/1 Completed 0 3d
kube-system rke-user-addon-deploy-job-sjxrx 0/1 Completed 0 3d
root@node1:~# kubectl logs -n cattle-system cattle-78b54f84c5-cq2qd
2018/10/11 13:37:41 [INFO] Rancher version v2.0.8 is starting
2018/10/11 13:37:41 [INFO] Rancher arguments {ACMEDomains:[] AddLocal:auto Embedded:false KubeConfig: HTTPListenPort:80 HTTPSListenPort:443 K8sMode:auto Debug:false NoCACerts:false ListenConfig:<nil> AuditLogPath:/var/log/auditlog/rancher-api-audit.log AuditLogMaxage:10 AuditLogMaxsize:100 AuditLogMaxbackup:10 AuditLevel:0}
2018/10/11 13:37:41 [INFO] Listening on /tmp/log.sock
2018/10/11 13:37:41 [INFO] Activating driver rke
2018/10/11 13:37:41 [INFO] Activating driver rke done
2018/10/11 13:37:41 [INFO] Activating driver gke
2018/10/11 13:37:41 [INFO] Activating driver gke done
2018/10/11 13:37:41 [INFO] Activating driver aks
2018/10/11 13:37:41 [INFO] Activating driver aks done
2018/10/11 13:37:41 [INFO] Activating driver eks
2018/10/11 13:37:41 [INFO] Activating driver eks done
2018/10/11 13:37:41 [INFO] Activating driver import
2018/10/11 13:37:41 [INFO] Activating driver import done
I1011 13:37:41.598351 6 http.go:108] HTTP2 has been explicitly disabled
2018/10/11 13:37:41 [INFO] Starting API controllers
2018/10/11 13:37:42 [INFO] Listening on :443
2018/10/11 13:37:42 [INFO] Listening on :80
I1011 13:37:42.532897 6 leaderelection.go:175] attempting to acquire leader lease kube-system/cattle-controllers...
I1011 13:37:42.568680 6 leaderelection.go:184] successfully acquired lease kube-system/cattle-controllers
2018/10/11 13:37:42 [INFO] Starting catalog controller
2018/10/11 13:37:42 [INFO] Starting management controllers
2018/10/11 13:37:43 [INFO] Reconciling GlobalRoles
2018/10/11 13:37:43 [INFO] Starting cluster agent forlocal
2018/10/11 13:37:43 [INFO] Reconciling RoleTemplates
2018/10/11 13:37:43 [INFO] Registering project network policy
2018/10/11 13:37:43 [INFO] Registering namespaceHandler for adding labels
2018/10/11 13:37:43 [INFO] registering podsecuritypolicy cluster handler for cluster local
2018/10/11 13:37:43 [INFO] registering podsecuritypolicy project handler for cluster local
2018/10/11 13:37:43 [INFO] registering podsecuritypolicy namespace handler for cluster local
2018/10/11 13:37:43 [INFO] registering podsecuritypolicy serviceaccount handler for cluster local
2018/10/11 13:37:43 [INFO] registering podsecuritypolicy template handler for cluster local
2018/10/11 13:37:43 [INFO] Starting cluster controllers for local
2018/10/11 13:37:44 [INFO] Updating workload [ingress-nginx/nginx-ingress-controller] with public endpoints [[{"nodeName":"local:machine-nmdz9","addresses":["192.168.33.12"],"port":80,"protocol":"TCP","podName":"ingress-nginx:nginx-ingress-controller-jpxrp","allNodes":false},{"nodeName":"local:machine-nmdz9","addresses":["192.168.33.12"],"port":443,"protocol":"TCP","podName":"ingress-nginx:nginx-ingress-controller-jpxrp","allNodes":false},{"nodeName":"local:machine-xmtm8","addresses":["192.168.33.10"],"port":80,"protocol":"TCP","podName":"ingress-nginx:nginx-ingress-controller-kzsjr","allNodes":false},{"nodeName":"local:machine-xmtm8","addresses":["192.168.33.10"],"port":443,"protocol":"TCP","podName":"ingress-nginx:nginx-ingress-controller-kzsjr","allNodes":false},{"nodeName":"local:machine-scrtm","addresses":["192.168.33.11"],"port":80,"protocol":"TCP","podName":"ingress-nginx:nginx-ingress-controller-6gg54","allNodes":false},{"nodeName":"local:machine-scrtm","addresses":["192.168.33.11"],"port":443,"protocol":"TCP","podName":"ingress-nginx:nginx-ingress-controller-6gg54","allNodes":false}]]
2018/10/11 13:37:44 [INFO] Updating pod [ingress-nginx/nginx-ingress-controller-6gg54] with public endpoints [[{"nodeName":"local:machine-scrtm","addresses":["192.168.33.11"],"port":80,"protocol":"TCP","podName":"ingress-nginx:nginx-ingress-controller-6gg54","allNodes":false},{"nodeName":"local:machine-scrtm","addresses":["192.168.33.11"],"port":443,"protocol":"TCP","podName":"ingress-nginx:nginx-ingress-controller-6gg54","allNodes":false}]]
2018/10/11 13:37:44 [INFO] Updating pod [ingress-nginx/nginx-ingress-controller-jpxrp] with public endpoints [[{"nodeName":"local:machine-nmdz9","addresses":["192.168.33.12"],"port":80,"protocol":"TCP","podName":"ingress-nginx:nginx-ingress-controller-jpxrp","allNodes":false},{"nodeName":"local:machine-nmdz9","addresses":["192.168.33.12"],"port":443,"protocol":"TCP","podName":"ingress-nginx:nginx-ingress-controller-jpxrp","allNodes":false}]]
2018/10/11 13:37:44 [INFO] Updating pod [ingress-nginx/nginx-ingress-controller-kzsjr] with public endpoints [[{"nodeName":"local:machine-xmtm8","addresses":["192.168.33.10"],"port":80,"protocol":"TCP","podName":"ingress-nginx:nginx-ingress-controller-kzsjr","allNodes":false},{"nodeName":"local:machine-xmtm8","addresses":["192.168.33.10"],"port":443,"protocol":"TCP","podName":"ingress-nginx:nginx-ingress-controller-kzsjr","allNodes":false}]]
2018/10/11 13:37:44 [INFO] Updating workload [ingress-nginx/nginx-ingress-controller] with public endpoints [[{"nodeName":"local:machine-scrtm","addresses":["192.168.33.11"],"port":80,"protocol":"TCP","podName":"ingress-nginx:nginx-ingress-controller-6gg54","allNodes":false},{"nodeName":"local:machine-scrtm","addresses":["192.168.33.11"],"port":443,"protocol":"TCP","podName":"ingress-nginx:nginx-ingress-controller-6gg54","allNodes":false},{"nodeName":"local:machine-nmdz9","addresses":["192.168.33.12"],"port":80,"protocol":"TCP","podName":"ingress-nginx:nginx-ingress-controller-jpxrp","allNodes":false},{"nodeName":"local:machine-nmdz9","addresses":["192.168.33.12"],"port":443,"protocol":"TCP","podName":"ingress-nginx:nginx-ingress-controller-jpxrp","allNodes":false},{"nodeName":"local:machine-xmtm8","addresses":["192.168.33.10"],"port":80,"protocol":"TCP","podName":"ingress-nginx:nginx-ingress-controller-kzsjr","allNodes":false},{"nodeName":"local:machine-xmtm8","addresses":["192.168.33.10"],"port":443,"protocol":"TCP","podName":"ingress-nginx:nginx-ingress-controller-kzsjr","allNodes":false}]]
2018/10/11 13:37:44 [INFO] Rancher startup complete
2018/10/11 13:37:44 [INFO] Purged 1 expired tokens
time="2018-10-11 13:37:47" level=info msg="Telemetry Client v0.5.1"
time="2018-10-11 13:37:47" level=info msg="Listening on 0.0.0.0:8114"
2018/10/11 13:38:11 [INFO] Updating catalog library
2018/10/11 13:38:20 [INFO] Handling backend connection request [machine-scrtm]
2018/10/11 13:38:23 [INFO] Catalog sync done. 0 templates created, 26 templates updated, 0 templates deleted
2018/10/11 13:42:48 [INFO] 2018/10/11 13:42:48 http: TLS handshake error from 10.0.2.15:3962: tls: failed to sign ECDHE parameters: rsa: internal error
2018/10/11 13:43:17 [INFO] 2018/10/11 13:43:17 http: TLS handshake error from 10.0.2.15:4052: tls: failed to sign ECDHE parameters: rsa: internal error
root@node1:~# kubectl logs -n cattle-system cattle-cluster-agent-8774bfcf-trm4t
INFO: Environment: CATTLE_ADDRESS=10.42.1.2 CATTLE_CA_CHECKSUM=a2dab7a20ebe3fdcaf296e213d03aa133ddba317faa4deaedfdfd2daf3397456 CATTLE_CLUSTER=true CATTLE_INTERNAL_ADDRESS= CATTLE_K8S_MANAGED=true CATTLE_NODE_NAME=cattle-cluster-agent-8774bfcf-trm4t CATTLE_SERVER=https://rancher.rancher.lab CATTLE_SERVICE_PORT=tcp://10.43.53.18:80 CATTLE_SERVICE_PORT_443_TCP=tcp://10.43.53.18:443 CATTLE_SERVICE_PORT_443_TCP_ADDR=10.43.53.18 CATTLE_SERVICE_PORT_443_TCP_PORT=443 CATTLE_SERVICE_PORT_443_TCP_PROTO=tcp CATTLE_SERVICE_PORT_80_TCP=tcp://10.43.53.18:80 CATTLE_SERVICE_PORT_80_TCP_ADDR=10.43.53.18 CATTLE_SERVICE_PORT_80_TCP_PORT=80 CATTLE_SERVICE_PORT_80_TCP_PROTO=tcp CATTLE_SERVICE_SERVICE_HOST=10.43.53.18 CATTLE_SERVICE_SERVICE_PORT=80 CATTLE_SERVICE_SERVICE_PORT_HTTP=80 CATTLE_SERVICE_SERVICE_PORT_HTTPS=443
INFO: Using resolv.conf: nameserver 10.43.0.10 search cattle-system.svc.cluster.local svc.cluster.local cluster.local example.com options ndots:5
ERROR: https://rancher.rancher.lab/ping is not accessible (Could not resolve host: rancher.rancher.lab)
root@node1:~# kubectl logs -n cattle-system cattle-node-agent-5926j
INFO: Environment: CATTLE_ADDRESS=10.0.2.15 CATTLE_AGENT_CONNECT=true CATTLE_CA_CHECKSUM=a2dab7a20ebe3fdcaf296e213d03aa133ddba317faa4deaedfdfd2daf3397456 CATTLE_CLUSTER=false CATTLE_INTERNAL_ADDRESS= CATTLE_K8S_MANAGED=true CATTLE_NODE_NAME=192.168.33.12 CATTLE_SERVER=https://rancher.rancher.lab CATTLE_SERVICE_PORT=tcp://10.43.53.18:80 CATTLE_SERVICE_PORT_443_TCP=tcp://10.43.53.18:443 CATTLE_SERVICE_PORT_443_TCP_ADDR=10.43.53.18 CATTLE_SERVICE_PORT_443_TCP_PORT=443 CATTLE_SERVICE_PORT_443_TCP_PROTO=tcp CATTLE_SERVICE_PORT_80_TCP=tcp://10.43.53.18:80 CATTLE_SERVICE_PORT_80_TCP_ADDR=10.43.53.18 CATTLE_SERVICE_PORT_80_TCP_PORT=80 CATTLE_SERVICE_PORT_80_TCP_PROTO=tcp CATTLE_SERVICE_SERVICE_HOST=10.43.53.18 CATTLE_SERVICE_SERVICE_PORT=80 CATTLE_SERVICE_SERVICE_PORT_HTTP=80 CATTLE_SERVICE_SERVICE_PORT_HTTPS=443
INFO: Using resolv.conf: nameserver 192.168.33.13 nameserver 10.0.2.3 search example.com
ERROR: https://rancher.rancher.lab/ping is not accessible (The requested URL returned error: 504)
root@node1:~# kubectl logs -n cattle-system cattle-node-agent-9xmwh
INFO: Environment: CATTLE_ADDRESS=10.0.2.15 CATTLE_AGENT_CONNECT=true CATTLE_CA_CHECKSUM=a2dab7a20ebe3fdcaf296e213d03aa133ddba317faa4deaedfdfd2daf3397456 CATTLE_CLUSTER=false CATTLE_INTERNAL_ADDRESS= CATTLE_K8S_MANAGED=true CATTLE_NODE_NAME=192.168.33.11 CATTLE_SERVER=https://rancher.rancher.lab CATTLE_SERVICE_PORT=tcp://10.43.53.18:80 CATTLE_SERVICE_PORT_443_TCP=tcp://10.43.53.18:443 CATTLE_SERVICE_PORT_443_TCP_ADDR=10.43.53.18 CATTLE_SERVICE_PORT_443_TCP_PORT=443 CATTLE_SERVICE_PORT_443_TCP_PROTO=tcp CATTLE_SERVICE_PORT_80_TCP=tcp://10.43.53.18:80 CATTLE_SERVICE_PORT_80_TCP_ADDR=10.43.53.18 CATTLE_SERVICE_PORT_80_TCP_PORT=80 CATTLE_SERVICE_PORT_80_TCP_PROTO=tcp CATTLE_SERVICE_SERVICE_HOST=10.43.53.18 CATTLE_SERVICE_SERVICE_PORT=80 CATTLE_SERVICE_SERVICE_PORT_HTTP=80 CATTLE_SERVICE_SERVICE_PORT_HTTPS=443
INFO: Using resolv.conf: nameserver 192.168.33.13 nameserver 10.0.2.3 search example.com
INFO: https://rancher.rancher.lab/ping is accessible
INFO: Value from https://rancher.rancher.lab/v3/settings/cacerts is an x509 certificate
time="2018-10-11T13:38:19Z" level=info msg="Rancher agent version v2.0.8 is starting"
time="2018-10-11T13:38:19Z" level=info msg="Option customConfig=map[address:10.0.2.15 internalAddress: roles:[] label:map[]]"
time="2018-10-11T13:38:19Z" level=info msg="Listening on /tmp/log.sock"
time="2018-10-11T13:38:19Z" level=info msg="Option etcd=false"
time="2018-10-11T13:38:19Z" level=info msg="Option controlPlane=false"
time="2018-10-11T13:38:19Z" level=info msg="Option worker=false"
time="2018-10-11T13:38:19Z" level=info msg="Option requestedHostname=192.168.33.11"
time="2018-10-11T13:38:19Z" level=info msg="Connecting to wss://rancher.rancher.lab/v3/connect with token 46nqvk58p6lbqfmd57chfhsfr2g2rt95wkfcw7vtxq85lk4bld4ljn"
time="2018-10-11T13:38:19Z" level=info msg="Connecting to proxy" url="wss://rancher.rancher.lab/v3/connect"
time="2018-10-11T13:38:49Z" level=info msg="Error while getting agent config: invalid response 504: <html>\r\n<head><title>504 Gateway Time-out</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>504 Gateway Time-out</h1></center>\r\n<hr><center>nginx/1.13.12</center>\r\n</body>\r\n</html>\r\n"
time="2018-10-11T13:39:24Z" level=info msg="Error while getting agent config: invalid response 504: <html>\r\n<head><title>504 Gateway Time-out</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>504 Gateway Time-out</h1></center>\r\n<hr><center>nginx/1.13.12</center>\r\n</body>\r\n</html>\r\n"
time="2018-10-11T13:39:59Z" level=info msg="Error while getting agent config: invalid response 504: <html>\r\n<head><title>504 Gateway Time-out</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>504 Gateway Time-out</h1></center>\r\n<hr><center>nginx/1.13.12</center>\r\n</body>\r\n</html>\r\n"
time="2018-10-11T13:40:34Z" level=info msg="Error while getting agent config: invalid response 504: <html>\r\n<head><title>504 Gateway Time-out</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>504 Gateway Time-out</h1></center>\r\n<hr><center>nginx/1.13.12</center>\r\n</body>\r\n</html>\r\n"
time="2018-10-11T13:41:09Z" level=info msg="Error while getting agent config: invalid response 504: <html>\r\n<head><title>504 Gateway Time-out</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>504 Gateway Time-out</h1></center>\r\n<hr><center>nginx/1.13.12</center>\r\n</body>\r\n</html>\r\n"
time="2018-10-11T13:41:44Z" level=info msg="Error while getting agent config: invalid response 504: <html>\r\n<head><title>504 Gateway Time-out</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>504 Gateway Time-out</h1></center>\r\n<hr><center>nginx/1.13.12</center>\r\n</body>\r\n</html>\r\n"
time="2018-10-11T13:42:19Z" level=info msg="Error while getting agent config: invalid response 504: <html>\r\n<head><title>504 Gateway Time-out</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>504 Gateway Time-out</h1></center>\r\n<hr><center>nginx/1.13.12</center>\r\n</body>\r\n</html>\r\n"
time="2018-10-11T13:42:54Z" level=info msg="Error while getting agent config: invalid response 504: <html>\r\n<head><title>504 Gateway Time-out</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>504 Gateway Time-out</h1></center>\r\n<hr><center>nginx/1.13.12</center>\r\n</body>\r\n</html>\r\n"
time="2018-10-11T13:43:29Z" level=info msg="Error while getting agent config: invalid response 504: <html>\r\n<head><title>504 Gateway Time-out</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>504 Gateway Time-out</h1></center>\r\n<hr><center>nginx/1.13.12</center>\r\n</body>\r\n</html>\r\n"
time="2018-10-11T13:44:04Z" level=info msg="Error while getting agent config: invalid response 504: <html>\r\n<head><title>504 Gateway Time-out</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>504 Gateway Time-out</h1></center>\r\n<hr><center>nginx/1.13.12</center>\r\n</body>\r\n</html>\r\n"
time="2018-10-11T13:44:39Z" level=info msg="Error while getting agent config: invalid response 504: <html>\r\n<head><title>504 Gateway Time-out</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>504 Gateway Time-out</h1></center>\r\n<hr><center>nginx/1.13.12</center>\r\n</body>\r\n</html>\r\n"
time="2018-10-11T13:45:14Z" level=info msg="Error while getting agent config: invalid response 504: <html>\r\n<head><title>504 Gateway Time-out</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>504 Gateway Time-out</h1></center>\r\n<hr><center>nginx/1.13.12</center>\r\n</body>\r\n</html>\r\n"
root@node1:~# kubectl logs -n cattle-system cattle-node-agent-bzn85
INFO: Environment: CATTLE_ADDRESS=10.0.2.15 CATTLE_AGENT_CONNECT=true CATTLE_CA_CHECKSUM=a2dab7a20ebe3fdcaf296e213d03aa133ddba317faa4deaedfdfd2daf3397456 CATTLE_CLUSTER=false CATTLE_INTERNAL_ADDRESS= CATTLE_K8S_MANAGED=true CATTLE_NODE_NAME=192.168.33.10 CATTLE_SERVER=https://rancher.rancher.lab CATTLE_SERVICE_PORT=tcp://10.43.53.18:80 CATTLE_SERVICE_PORT_443_TCP=tcp://10.43.53.18:443 CATTLE_SERVICE_PORT_443_TCP_ADDR=10.43.53.18 CATTLE_SERVICE_PORT_443_TCP_PORT=443 CATTLE_SERVICE_PORT_443_TCP_PROTO=tcp CATTLE_SERVICE_PORT_80_TCP=tcp://10.43.53.18:80 CATTLE_SERVICE_PORT_80_TCP_ADDR=10.43.53.18 CATTLE_SERVICE_PORT_80_TCP_PORT=80 CATTLE_SERVICE_PORT_80_TCP_PROTO=tcp CATTLE_SERVICE_SERVICE_HOST=10.43.53.18 CATTLE_SERVICE_SERVICE_PORT=80 CATTLE_SERVICE_SERVICE_PORT_HTTP=80 CATTLE_SERVICE_SERVICE_PORT_HTTPS=443
INFO: Using resolv.conf: nameserver 192.168.33.13 nameserver 10.0.2.3 search example.com
ERROR: https://rancher.rancher.lab/ping is not accessible (The requested URL returned error: 504)
root@node1:~# openssl s_client -connect rancher.rancher.lab:443 -servername rancher.rancher.lab
CONNECTED(00000003)
depth=1 C = CH, ST = Zug, O = Rancher Lab, CN = Rancher Lab Intermediate CA
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
0 s:/C=XXXX/ST=XXXX/L=xxxx/O=Rancher Lab/CN=rancher.rancher.lab
i:/C=XXXX/ST=XXXX/O=Rancher Lab/CN=Rancher Lab Intermediate CA
1 s:/C=XXXX/ST=XXXX/O=Rancher Lab/CN=Rancher Lab Intermediate CA
i:/C=XXXX/ST=XXXX/L=xxxx/O=Rancher Lab/CN=Rancher Lab Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=/C=XXXX/ST=XXXX/L=xxxx/O=Rancher Lab/CN=rancher.rancher.lab
issuer=/C=XXXX/ST=XXXX/O=Rancher Lab/CN=Rancher Lab Intermediate CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3497 bytes and written 459 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: CC00B9F39172FFC7739A9322ADD4E22CDDA3D22C421A06D6BD6CC03DFFBBE78D
Session-ID-ctx:
Master-Key: D5F868D8D270A08D029BCA1CA37812427A2D212F2EB3C9A5C2BE044CFDA7052AF34FDA3F9DFEEE3BB9F85C3BA7F42E38
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 600 (seconds)
TLS session ticket:
Start Time: 1539265595
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
^C
root@node1:~# ./rancher-check.sh rancher.rancher.lab
OK: DNS for rancher.rancher.lab is 192.168.33.14
OK: Response from rancher.rancher.lab/ping is pong
INFO: CA checksum from rancher.rancher.lab/v3/settings/cacerts is e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
ERR: Certificate chain is not complete
INFO: Found CN rancher.rancher.lab
ERR: No Subject Alternative Name(s) (SANs) found
ERR: Certificate will not be valid in applications that dropped support for commonName (CN) matching (Chrome/Firefox amongst others)
ERR: rancher.rancher.lab was not found in SANs
Trying to get intermediates to complete chain and writing to /certs/fullchain.pem
Note: this usually only works when using certificates signed by a recognized Certificate Authority
open /certs/fullchain.pem: no such file or directory
Showing openssl s_client output
CONNECTED(00000003)
depth=1 C = CH, ST = Zug, O = Rancher Lab, CN = Rancher Lab Intermediate CA
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
0 s:/C=xxxxx/ST=xxxxx/L=xxxx/O=Rancher Lab/CN=rancher.rancher.lab
i:/C=xxxxx/ST=xxxxx/O=Rancher Lab/CN=Rancher Lab Intermediate CA
1 s:/C=xxxxx/ST=xxxxx/O=Rancher Lab/CN=Rancher Lab Intermediate CA
i:/C=xxxxx/ST=xxxxx/L=xxxx/O=Rancher Lab/CN=Rancher Lab Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=/C=xxxxx/ST=xxxxx/L=xxxx/O=Rancher Lab/CN=rancher.rancher.lab
issuer=/C=xxxxx/ST=xxxxx/O=Rancher Lab/CN=Rancher Lab Intermediate CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3497 bytes and written 459 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: E114DE78362C31BFDE1CF65AF8770816CE5DBF8A8CA1151D03BC12E6C3B0ADB5
Session-ID-ctx:
Master-Key: 1FEEC6E31471D14B4858C13990DB961E3EAB2674E18D1E3DAEB57B5519FBAB4B4A71EE3E7F17CFE95989B5BAA3212C2F
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 600 (seconds)
TLS session ticket:
Start Time: 1539265840
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
DONE
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4096 (0x1000)
Issuer: C=xxxxx, ST=xxxxx, O=Rancher Lab, CN=Rancher Lab Intermediate CA
Validity
Not Before: Oct 8 07:34:26 2018 GMT
Not After : Oct 18 07:34:26 2019 GMT
Subject: C=xxxxx, ST=xxxxx, L=xxxx, O=Rancher Lab, CN=rancher.rancher.lab
Is it a problem that the x509 subject alternative name is missing (ERR: No Subject Alternative Name(s) (SANs) found)? The cert was generated using the script at https://gist.github.com/superseb/175476a5a1ab82df74c7037162c64946#create-self-signed-certificates.
I had to execute the rancher-check.sh script multiple times to get a PONG response. Most times, it failed:
root@node1:~# ./rancher-check.sh rancher.rancher.lab
OK: DNS for rancher.rancher.lab is 192.168.33.14
ERR: Response from rancher.rancher.lab/ping is not pong:
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 194 100 194 0 0 19134 0 --:--:-- --:--:-- --:--:-- 21555
HTTP/1.1 301 Moved Permanently
Server: nginx/1.14.0 (Ubuntu)
Date: Thu, 11 Oct 2018 13:58:06 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
Location: https://rancher.rancher.lab/ping
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.14.0 (Ubuntu)</center>
</body>
</html>
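Added Go example (not Rancher's code and not the rancher-check.sh script) that reproduces the two certificate findings above on a throwaway PKI generated at run time: a Root CA, an intermediate and a CN-only leaf for rancher.rancher.lab, audited once as the server in this thread presents it (no SAN, intermediate not sent) and once corrected. Go 1.15 and later ignore the CN during hostname verification, like the browsers the script names, so only the SAN is matched; the organisation, validity period and serial numbers are constructed sample values.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue returns a fresh 2048-bit RSA key and a certificate for it: self-signed when
// parent is nil, otherwise signed by parent/parentKey. Sample PKI, built at run time.
func issue(cn string, sans []string, isCA bool, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{Organization: []string{"Rancher Lab"}, CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		DNSNames:              sans, // nil gives the CN-only certificate the gist script produces
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// Audit mirrors the three ERR lines of rancher-check.sh: does the served chain reach the
// trusted root, does the leaf carry SANs, and does the hostname match (CN is ignored)?
func Audit(leaf *x509.Certificate, sent []*x509.Certificate, root *x509.Certificate, host string) (findings []string) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range sent {
		inters.AddCert(c)
	}
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters}); err != nil {
		findings = append(findings, "Certificate chain is not complete: "+err.Error())
	}
	if len(leaf.DNSNames) == 0 {
		findings = append(findings, "No Subject Alternative Name(s) (SANs) found")
	}
	if err := leaf.VerifyHostname(host); err != nil {
		findings = append(findings, host+" was not found in SANs")
	}
	return findings
}

// Demo builds Root CA -> Intermediate CA -> host, then audits the leaf as served in this
// thread (CN only, intermediate not sent) and after correction (SAN added, intermediate sent).
func Demo(host string) (asServed, corrected []string) {
	root, rootKey := issue("Rancher Lab Root CA", nil, true, nil, nil)
	inter, interKey := issue("Rancher Lab Intermediate CA", nil, true, root, rootKey)
	leaf, _ := issue(host, nil, false, inter, interKey)
	asServed = Audit(leaf, nil, root, host)
	good, _ := issue(host, []string{host}, false, inter, interKey)
	corrected = Audit(good, []*x509.Certificate{inter}, root, host)
	return asServed, corrected
}

func main() { fmt.Println(Demo("rancher.rancher.lab")) }
```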