Rancher 2 / ssl / recognized CA


I’m fairly new to Rancher. I’ve decided to test drive a 3-server high availability cluster setup using a certificate signed by a well-known certification authority. I edited the 3-node-certificate-recognizedca.yml, filling in the node definitions, FQDN and PEM/key of my signed cert, then launched the latest rke release.

That local cluster set up easily and I can see in my browser that it is using my own cert. Good.

Now I’m trying to set up another Kubernetes cluster on another set of virtual machines (using “non” as cloud provider). The problem is that the new cluster never gets set up; I always see the very same errors in the logs of the rancher-agent container:

level=error msg="Failed to connect to proxy" error="x509: certificate signed by unknown authority"

I initially ignored the generated cacert in the settings menu. I have now removed it, but trying again to set up a new remote cluster still leads to the same error. Should I somehow restart the whole Rancher cluster for that setting to be erased completely?

One strange thing I found out: while the browser shows me a correct certificate, running the following command to check the certificate returns some obscure O=Acme Co/CN=Kubernetes Ingress Controller Fake certificate chain:
openssl s_client -showcerts -connect rancher.hopitalvs.ch:443

I am a bit lost.

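A diagnostic helper for the openssl s_client check quoted in the post above. This is an added example, not code from the thread or from Rancher: it parses s_client output and reports whether the endpoint answered with the ingress controller's default "Kubernetes Ingress Controller Fake Certificate", with a chain that verifies against the local trust store, or with a bare leaf whose intermediate is missing. Depending on the OpenSSL version, s_client does not send SNI unless -servername is given, and ingress-nginx answers a connection with no matching server name with that default certificate, which is one way a browser and the command line can disagree. The hostname rancher.example.invalid, the issuer names and both captured outputs are constructed placeholders.

```python
"""Inspect what an ingress endpoint serves over TLS, with and without SNI.

Added example for the thread above; not Rancher's code. The hostname
rancher.example.invalid and the two s_client transcripts are constructed.
"""
import re
import subprocess

# Subject CN of the default certificate ingress-nginx serves when no ingress
# rule matches the requested server name (or when the client sends no SNI).
INGRESS_DEFAULT_CN = "Kubernetes Ingress Controller Fake Certificate"

CHAIN_ENTRY = re.compile(r"^\s*(\d+) s:(.*)$")          # " 0 s:CN = ..."
ISSUER_LINE = re.compile(r"^\s*i:(.*)$")                 # "   i:CN = ..."
VERIFY_CODE = re.compile(r"Verify return code:\s*(\d+)\s*\((.*)\)")


def parse_s_client(output):
    """Extract the certificate chain and verify result from `openssl s_client` text."""
    chain = []
    for line in output.splitlines():
        m = CHAIN_ENTRY.match(line)
        if m:
            chain.append({"depth": int(m.group(1)),
                          "subject": m.group(2).strip(), "issuer": None})
            continue
        m = ISSUER_LINE.match(line)
        if m and chain and chain[-1]["issuer"] is None:
            chain[-1]["issuer"] = m.group(1).strip()
    m = VERIFY_CODE.search(output)
    code = int(m.group(1)) if m else None
    reason = m.group(2).strip() if m else "no verify result in output"
    return {"chain": chain, "verify_code": code, "verify_reason": reason}


def diagnose(parsed):
    """Turn a parsed chain into a short, actionable finding."""
    chain = parsed["chain"]
    if not chain:
        return "no certificate chain found; connection may have failed"
    leaf = chain[0]
    if INGRESS_DEFAULT_CN in leaf["subject"]:
        return ("ingress default certificate served: the requested server name "
                "matched no ingress rule, or no SNI was sent (use -servername)")
    if parsed["verify_code"] == 0:
        return f"chain verifies against the local trust store: {leaf['subject']}"
    if len(chain) == 1 and leaf["issuer"] != leaf["subject"]:
        return ("leaf only, no intermediate sent; clients without the intermediate "
                f"will report an unknown authority ({parsed['verify_reason']})")
    return f"chain does not verify: {parsed['verify_reason']}"


def probe(host, port=443, servername=None, cafile=None):
    """Run openssl s_client live; servername sends SNI, cafile pins the CA to verify against."""
    cmd = ["openssl", "s_client", "-showcerts", "-connect", f"{host}:{port}"]
    if servername:
        cmd += ["-servername", servername]
    if cafile:
        cmd += ["-CAfile", cafile]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=15)
    return diagnose(parse_s_client(proc.stdout.decode("utf-8", "replace")))


# Constructed sample: what s_client prints when it hits the ingress default cert.
SAMPLE_NO_SNI = """CONNECTED(00000003)
depth=0 O = Acme Co, CN = Kubernetes Ingress Controller Fake Certificate
verify error:num=18:self signed certificate
verify return:1
---
Certificate chain
 0 s:O = Acme Co, CN = Kubernetes Ingress Controller Fake Certificate
   i:O = Acme Co, CN = Kubernetes Ingress Controller Fake Certificate
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder...
-----END CERTIFICATE-----
---
    Verify return code: 18 (self signed certificate)
"""

# Constructed sample: a public-CA chain that verifies (issuer names are placeholders).
SAMPLE_WITH_SNI = """CONNECTED(00000003)
depth=2 C = CH, O = Example Trust AG, CN = Example Root CA
verify return:1
depth=1 C = CH, O = Example Trust AG, CN = Example Server Gold CA
verify return:1
depth=0 C = CH, O = Example Hospital, CN = rancher.example.invalid
verify return:1
---
Certificate chain
 0 s:C = CH, O = Example Hospital, CN = rancher.example.invalid
   i:C = CH, O = Example Trust AG, CN = Example Server Gold CA
 1 s:C = CH, O = Example Trust AG, CN = Example Server Gold CA
   i:C = CH, O = Example Trust AG, CN = Example Root CA
---
    Verify return code: 0 (ok)
"""

if __name__ == "__main__":
    print(diagnose(parse_s_client(SAMPLE_NO_SNI)))
    print(diagnose(parse_s_client(SAMPLE_WITH_SNI)))
    # Live check against a real endpoint (hostname is a placeholder):
    # print(probe("rancher.example.invalid", servername="rancher.example.invalid"))
```

Run probe() twice, once without and once with servername, and compare the two findings: if only the SNI-less run reports the ingress default certificate, the virtual host is configured correctly and the earlier command simply did not send the name. Passing cafile with the CA bundle that the Rancher agents are expected to trust reproduces their verification view rather than the workstation's.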

What CA is the cert from? If it shows the Ingress Controller certificate, it is not matching the virtual host in the ingress controller (rancher.hopitalvs.ch). What did you enter for host: and hosts: in the .yml file?

Sorry for the late reply, I was abroad.

The cert comes from a SwissSign CA, and I used that same FQDN in the host: and hosts: fields as in the virtual host.

I had a similar issue when trying to set up a k8s cluster from my single Rancher node setup. I was using a cert signed by my internal CA for Rancher and got the same error from the deployment. I can’t explain why, but setting my internal root CA certificate in the cacerts settings solved the issue. I had to delete and re-create the k8s cluster though (not the rancher-server).

Adding a catalog from an internally signed Helm repo fails for the same reason. It would be nice if we could add our root CA without having to break our cluster as the cacerts replacement does.