I am new to Rancher, so I apologize if this is a newbie question.
My environment is like this:
- NGINX load balancer (for accessing resources on both RKE clusters) => this is where I have a wildcard SSL certificate from a trusted CA.
- 3 node RKE Cluster for Rancher.
- 3 node RKE cluster for application workloads.
We have bought a new wildcard SSL certificate and I have replaced it on NGINX. The new certificate is from a different issuer than the old one (before DigiCert, now Sectigo).
When I change the certificate and key on NGINX the following happens:
- The Rancher console and the 3 node cluster for Rancher are normally accessible.
- Applications running on the 3 node RKE cluster for application workloads are normally accessible.
- I can NOT access the 3 node RKE cluster for application workloads from the Rancher console:
ERROR: Failed to ensure monitoring project name: failed to find “cattle-prometheus” Namespace: Get “https://xxx.xxx.xxx.xxx:6443/api/v1/namespaces/cattle-prometheus”: waiting for cluster [c-2nkqn] agent to connect
- I cannot use kubectl to access or administer the 3 node RKE cluster for application workloads.
kubectl get nodes
ERROR: Unable to connect to the server: x509: certificate signed by unknown authority
If I change the SSL certificate back to the old one, everything is accessible again.
It seems that the application RKE cluster doesn’t want to access Rancher using the new SSL certificate.
Can anyone help me figure out where I should put the root/intermediate certs for the new certificate authority so this would work?
Thank you all for any help,
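
The `x509: certificate signed by unknown authority` symptom in the post above, reproduced offline as an added example that is not part of the original post and is not Rancher's own tooling. It assumes the OpenSSL 1.1.1+ command line; the CA and certificate names (`old-root`, `new-root`, `new-intermediate`, `wildcard`) are constructed stand-ins, not the poster's certificates.

```shell
#!/usr/bin/env bash
# Constructed lab: every CA, key and name below is a throwaway test value.
W=$(mktemp -d); trap 'rm -rf "$W"' EXIT

# issue <name> <issuer-name|self> <TRUE|FALSE>: create key + cert under $W
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$W/$1.key" -out "$W/$1.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:%s\n' "$3" > "$W/$1.ext"
  if [ "$2" = self ]; then
    openssl x509 -req -in "$W/$1.csr" -signkey "$W/$1.key" -days 2 \
      -extfile "$W/$1.ext" -out "$W/$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$W/$1.csr" -CA "$W/$2.crt" -CAkey "$W/$2.key" \
      -CAcreateserial -days 2 -extfile "$W/$1.ext" -out "$W/$1.crt" 2>/dev/null
  fi
}

# chain_ok <trusted-root> <leaf> [intermediate-sent-by-server]
# Returns 0 only if the leaf chains to the root the client trusts.
chain_ok() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$W/$1.crt" -untrusted "$W/$3.crt" "$W/$2.crt" >/dev/null 2>&1
  else
    openssl verify -CAfile "$W/$1.crt" "$W/$2.crt" >/dev/null 2>&1
  fi
}

issue old-root self TRUE                   # stands in for the previous issuer
issue new-root self TRUE                   # stands in for the new issuer
issue new-intermediate new-root TRUE
issue wildcard new-intermediate FALSE      # the certificate the proxy serves

report() { if chain_ok "$@"; then echo "OK   $*"; else echo "FAIL $*"; fi; }
report old-root wildcard new-intermediate  # client still trusts only the old CA
report new-root wildcard                   # proxy serves the leaf without its intermediate
report new-root wildcard new-intermediate  # new root trusted, full chain served
```

Only the last case verifies: a client needs the new root in the trust store it actually uses, and the server has to send the intermediate along with the leaf.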