Rancher 2.2.7 fresh 3-node HA installation completed. All is good with the Rancher admin cluster. Self-signed cert imported into the ingress and I see the certificate in the browser.
When I went to import an already running cluster, I saw the below error in the cattle agent logs in that cluster:
time="2019-08-14T22:05:16Z" level=info msg="Connecting to proxy" url="wss://rancher.xxx.xxx.com/v3/connect/register"
time="2019-08-14T22:05:16Z" level=error msg="Failed to connect to proxy" error="x509: certificate signed by unknown authority"
My thought process was then to import the rest of the chain into the Rancher cacerts directive, so I recreated the deployment yaml with --set additionalTrustedCAs=true, added the secret to the cattle-system namespace, and then deleted and redeployed the rancher deployment. I see the file with intermediate and root cert is there in the pod.
When the pods came back up, I still see v3/settings/cacerts is empty … is this the cause of my issue? If so, how do I get around this?
INFO: Environment: CATTLE_ADDRESS=xxx.xx.x.xx CATTLE_AGENT_CONNECT=true CATTLE_CA_CHECKSUM=fcd8f9a9f78727beb0fb8a6629500fcbdb0c1e0dd6c7388d779a15a0fe5cb86b CATTLE_CLUSTER=false CATTLE_INTERNAL_ADDRESS= CATTLE_K8S_MANAGED=true CATTLE_NODE_NAME=ixxxx CATTLE_SERVER=https://rancher-xxx.xxx.xxx
INFO: Using resolv.conf: nameserver xxx.xx.x.xx search us-west-2.compute.internal
INFO: https://rancher-xx.xxx.xxx/ping is accessible
INFO: rancher-xxx.xx.xx resolves to xx.x.x.x
ERROR: The environment variable CATTLE_CA_CHECKSUM is set but there is no CA certificate configured at https://rancher-xx.xxx.xx/v3/settings/cacerts
Logs from cert-manager are:
I0229 08:32:24.144540 1 controller.go:171] certificates controller: syncing item 'cattle-system/tls-rancher-ingress'
I0229 08:32:24.144799 1 sync.go:312] Preparing certificate cattle-system/tls-rancher-ingress with issuer
I0229 08:32:24.144810 1 sync.go:319] Renewing certificate…
I0229 08:32:24.145193 1 sync.go:206] Certificate cattle-system/tls-rancher-ingress scheduled for renewal in -767 hours
E0229 08:32:24.145255 1 controller.go:180] certificates controller: Re-queuing item "cattle-system/tls-rancher-ingress" due to error processing: error creating x509 certificate: x509: only RSA and ECDSA public keys supported
I am using the default Rancher-issued self-signed certificates.