Rancher 2.2.7 Fresh Install - cacerts issues (self signed cert)

Rancher 2.2.7 fresh 3-node HA installation completed. All is good with the Rancher admin cluster. Self-signed cert imported into the ingress and I see the certificate in the browser.

Cluster initialized with the following:

./helm template …/…/rancher-2.2.7.tgz --output-dir ./v2 --name rancher --namespace cattle-system --set hostname=rancher.xxx.xxx.com --set rancherImage=myrepo.xxx.xxx.com/rancher/rancher --set ingress.tls.source=secret

When I went to import an already running cluster, I see the below error in the cattle-agent logs in that cluster:

time="2019-08-14T22:05:16Z" level=info msg="Connecting to proxy" url="wss://rancher.xxx.xxx.com/v3/connect/register"
time="2019-08-14T22:05:16Z" level=error msg="Failed to connect to proxy" error="x509: certificate signed by unknown authority"

My thought process was then to import the rest of the chain into the Rancher cacerts directive, so I recreated the deployment YAML with --set additionalTrustedCAs=true, added the secret to the cattle-system namespace, and then deleted and redeployed the Rancher deployment. I see the file with the intermediate and root cert is there in the pod.

When the pods came back up I still see v3/settings/cacerts is empty … Is this the cause of my issue? If so, how do I get around this?
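The failure in those agent logs, as an added example that is not part of this thread and not Rancher's own code: a Go program (Rancher and its agent are written in Go, which is why the error text is the same) that builds a constructed private root, intermediate and server chain in memory and then verifies the server cert the way a TLS client does, trusting only what a cacerts bundle supplies. The hostname, CA names and keys are all placeholders I made up; the claim that CATTLE_CA_CHECKSUM is the SHA-256 of the bundle served at /v3/settings/cacerts is my assumption, not something the thread states.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Chain is a constructed root -> intermediate -> leaf, PEM-encoded, generated in memory.
type Chain struct{ Leaf, Intermediate, Root []byte }

// mkCert issues a cert for cn signed by parent (self-signed when parent is nil).
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else { // server cert: the hostname must be a SAN and the EKU must allow server auth
		tmpl.DNSNames, tmpl.ExtKeyUsage = []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildChain creates a private root CA, an intermediate CA and a server cert for host.
func BuildChain(host string) (Chain, error) {
	root, rootKey, err := mkCert("Constructed Private Root CA", true, nil, nil, 1)
	if err != nil {
		return Chain{}, err
	}
	inter, interKey, err := mkCert("Constructed Private Intermediate CA", true, root, rootKey, 2)
	if err != nil {
		return Chain{}, err
	}
	leaf, _, err := mkCert(host, false, inter, interKey, 3)
	if err != nil {
		return Chain{}, err
	}
	toPEM := func(c *x509.Certificate) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw}) }
	return Chain{Leaf: toPEM(leaf), Intermediate: toPEM(inter), Root: toPEM(root)}, nil
}

// VerifyLeaf does what the agent's TLS client does: chain the served leaf to a trust anchor
// taken only from cacertsPEM (the system store is deliberately not consulted, so an empty or
// incomplete bundle reproduces "x509: certificate signed by unknown authority").
func VerifyLeaf(leafPEM, cacertsPEM []byte, host string) error {
	block, _ := pem.Decode(leafPEM)
	if block == nil {
		return fmt.Errorf("no PEM certificate in leaf")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool() // non-nil and empty: nothing is trusted unless cacerts says so
	roots.AppendCertsFromPEM(cacertsPEM)
	_, err = leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

// CAChecksum: SHA-256 hex of a cacerts bundle (assumption: this is what CATTLE_CA_CHECKSUM holds).
func CAChecksum(bundle []byte) string {
	sum := sha256.Sum256(bundle)
	return hex.EncodeToString(sum[:])
}

func main() {
	const host = "rancher.example.internal" // placeholder, not the poster's hostname
	ch, err := BuildChain(host)
	if err != nil {
		panic(err)
	}
	bundle := append(append([]byte{}, ch.Intermediate...), ch.Root...)
	fmt.Println("empty cacerts:     ", VerifyLeaf(ch.Leaf, nil, host))
	fmt.Println("root only:         ", VerifyLeaf(ch.Leaf, ch.Root, host))
	fmt.Println("intermediate+root: ", VerifyLeaf(ch.Leaf, bundle, host), "| checksum", CAChecksum(bundle))
}
```

The empty bundle (the empty v3/settings/cacerts described above) and the root alone (the intermediate left out of the chain) both fail with the same "certificate signed by unknown authority"; only the intermediate plus root bundle verifies, which is why the whole chain, not just the root, has to end up in what the server publishes. Against a real server the equivalent check is `openssl s_client -showcerts -connect host:443` to see which certificates the ingress actually sends, then `openssl verify -CAfile bundle.pem leaf.pem` with the bundle the agent is expected to trust.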


I am having the same issue with 2.2.8. Were you able to fix this problem?


Please share the exact commands you used and what errors you are seeing.

Mine is not a fresh install. It has been running for almost a year.

I have upgraded to 2.2.8 version recently.

I rotated the certs since they expired yesterday. Below are the details:

INFO[0000] Running RKE version: v1.0.4
Server Version: version.Info{Major:"1", Minor:"11", GitVersion:"v1.11.5", GitCommit:"753b2dbc622f5cc417845f0ff8a77f539a4213ea", GitTreeState:"clean", BuildDate:"2018-11-26T14:31:35Z", GoVersion:"go1.10.3", Compiler:"gc", Platform:"linux/amd64"}

Logs from cattle-agent:

INFO: Environment: CATTLE_ADDRESS=xxx.xx.x.xx CATTLE_AGENT_CONNECT=true CATTLE_CA_CHECKSUM=fcd8f9a9f78727beb0fb8a6629500fcbdb0c1e0dd6c7388d779a15a0fe5cb86b CATTLE_CLUSTER=false CATTLE_INTERNAL_ADDRESS= CATTLE_K8S_MANAGED=true CATTLE_NODE_NAME=ixxxx CATTLE_SERVER=https://rancher-xxx.xxx.xxx
INFO: Using resolv.conf: nameserver xxx.xx.x.xx search us-west-2.compute.internal
INFO: https://rancher-xx.xxx.xxx/ping is accessible
INFO: rancher-xxx.xx.xx resolves to xx.x.x.x
ERROR: The environment variable CATTLE_CA_CHECKSUM is set but there is no CA certificate configured at https://rancher-xx.xxx.xx/v3/settings/cacerts

Logs from cert-manager:

I0229 08:32:24.144540 1 controller.go:171] certificates controller: syncing item 'cattle-system/tls-rancher-ingress'
I0229 08:32:24.144799 1 sync.go:312] Preparing certificate cattle-system/tls-rancher-ingress with issuer
I0229 08:32:24.144810 1 sync.go:319] Renewing certificate...
I0229 08:32:24.145193 1 sync.go:206] Certificate cattle-system/tls-rancher-ingress scheduled for renewal in -767 hours
E0229 08:32:24.145255 1 controller.go:180] certificates controller: Re-queuing item "cattle-system/tls-rancher-ingress" due to error processing: error creating x509 certificate: x509: only RSA and ECDSA public keys supported

I am using the default Rancher-issued self-signed certificates.