Rancher TLS issue on K8S environment

Rancher Versions: v1.2.2 v1.3 v1.3.1

Docker Version: 0.12.6

OS and where are the hosts located? (cloud, bare metal, etc): Ubuntu 16.04

Setup Details: (single node rancher vs. HA rancher, internal DB vs. external DB) single node rancher

Environment Type: (Cattle/Kubernetes/Swarm/Mesos) Kubernetes

Steps to Reproduce:
The Rancher server is started behind an nginx container, and nginx has SSL enabled. I use a private CA. When I add the first host to Rancher, I put ca.crt in /var/lib/rancher/etc/ssl and then start rancher-agent. The Rancher-related containers are created successfully, but when "kubernetes-controller-manager-1", "kubernetes-kubectld-1" and "kubernetes-kubelet-1" are created, they all fail to start:

1/17/2017 7:10:32 PM time="2017-01-17T11:10:32Z" level=fatal msg="Failed to listen to events: Get https://rancher.demo.com/v1: x509: certificate signed by unknown authority"
1/17/2017 7:10:40 PM time="2017-01-17T11:10:40Z" level=info msg="Starting kubectld on :8091"
1/17/2017 7:10:40 PM time="2017-01-17T11:10:40Z" level=info msg="Listening for health checks on 0.0.0.0:10240/healthcheck"
1/17/2017 7:10:40 PM time="2017-01-17T11:10:40Z" level=fatal msg="Failed to listen to events: Get https://rancher.demo.com/v1: x509: certificate signed by unknown authority"
1/17/2017 7:10:55 PM time="2017-01-17T11:10:55Z" level=info msg="Starting kubectld on :8091"
1/17/2017 7:10:55 PM time="2017-01-17T11:10:55Z" level=info msg="Listening for health checks on 0.0.0.0:10240/healthcheck"
1/17/2017 7:10:55 PM time="2017-01-17T11:10:55Z" level=fatal msg="Failed to listen to events: Get https://rancher.demo.com/v1: x509: certificate signed by unknown authority"

So I'm wondering: is ca.crt not added to the Kubernetes containers? (My ca.crt combines the root and intermediate CA certificates.)

Thanks for the help.
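
Added example, not part of the original post and not Rancher code: the message in the log above is the error text of Go's crypto/x509 verifier, so this Go sketch reproduces it against a constructed private chain (root, intermediate, leaf for rancher.demo.com) and shows how the result depends on what the client's trust pool contains. The CA names are constructed, and the third case assumes the server presents only its leaf certificate.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// issue creates a short-lived constructed cert for cn; a nil parent yields a self-signed root.
func issue(cn string, isCA bool, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	sn, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	t := &x509.Certificate{SerialNumber: sn, Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn}, IsCA: isCA,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, pk = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pk)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// verifyWith validates leaf for the page's hostname using only the CAs in the PEM bundle.
func verifyWith(bundle []byte, leaf *x509.Certificate) error {
	pool := x509.NewCertPool() // non-nil pool: the system store is not consulted
	pool.AppendCertsFromPEM(bundle)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: "rancher.demo.com"})
	return err
}

// demo returns results for: empty trust pool, root+intermediate bundle, root only.
func demo() (noCA, bundle, rootOnly error) {
	root, rk, rootPEM := issue("constructed-root-ca", true, nil, nil)
	mid, mk, midPEM := issue("constructed-intermediate-ca", true, root, rk)
	leaf, _, _ := issue("rancher.demo.com", false, mid, mk)
	return verifyWith(nil, leaf), verifyWith(append(rootPEM, midPEM...), leaf), verifyWith(rootPEM, leaf)
}

func main() {
	fmt.Println(demo())
}
```

A process whose trust pool never received the private CA fails exactly as in the log, so checking which CA file each failing container actually loads is the first diagnostic step.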