My rancher initially setup for my homelab, where my internal net is 192.168.1.0/24, and using rancher self-signed cert.
Recently, I added a nebula (from slack) overlay VPN (192.168.211.0/24) on the host and hoping to use it to setup another k3s cluster remotely.
But when I deploy the cattle-cluster-agent, seeing the cert not valid when access rancher over the nebula interface…
How can I fix this? I supposed I can re-issue the rancher’s cert?
INFO: Environment: CATTLE_ADDRESS=10.42.1.14 CATTLE_CA_CHECKSUM=fa57ff42c48de01fdc9a271a3b57e88cd7a7713be44f2320866b2977f96d0690 CATTLE_CLUSTER=true CATTLE_FEATURES= CATTLE_INTERNAL_ADDRESS= CATTLE_IS_RKE=false CATTLE_K8S_MANAGED=true CATTLE_NODE_NAME=cattle-cluster-agent-686bc595df-77vr6 CATTLE_SERVER=https://192.168.211.xx:8443
INFO: Using resolv.conf: search cattle-system.svc.cluster.local svc.cluster.local cluster.local nameserver 10.43.0.10 options ndots:5
INFO: https://192.168.211.xx:8443/ping is accessible
INFO: Value from https://192.168.211.xx:8443/v3/settings/cacerts is an x509 certificate
time=“2021-04-02T19:19:11Z” level=info msg=“Rancher agent version v2.5.7 is starting”
time=“2021-04-02T19:19:11Z” level=info msg=“Listening on /tmp/log.sock”
time=“2021-04-02T19:19:12Z” level=info msg=“Certificate details from https://192.168.211.xx:8443”
time=“2021-04-02T19:19:12Z” level=info msg=“Certificate #0 (https://192.168.211.xx:8443)”
time=“2021-04-02T19:19:12Z” level=info msg=“Subject: CN=dynamic,O=dynamic”
time=“2021-04-02T19:19:12Z” level=info msg=“Issuer: CN=cattle-ca,O=the-ranch”
time=“2021-04-02T19:19:12Z” level=info msg=“IsCA: false”
time=“2021-04-02T19:19:12Z” level=info msg=“DNS Names: [centos-1.home.net centos-1.nebula.home.net]”
time=“2021-04-02T19:19:12Z” level=info msg=“IPAddresses: [127.0.0.1 172.17.0.2 172.17.0.3 192.168.211.1]”
time=“2021-04-02T19:19:12Z” level=info msg=“NotBefore: 2019-01-08 03:16:26 +0000 UTC”
time=“2021-04-02T19:19:12Z” level=info msg=“NotAfter: 2021-11-12 17:22:44 +0000 UTC”
time=“2021-04-02T19:19:12Z” level=info msg=“SignatureAlgorithm: SHA256-RSA”
time=“2021-04-02T19:19:12Z” level=info msg=“PublicKeyAlgorithm: ECDSA”
time=“2021-04-02T19:19:12Z” level=info msg=“Certificate details for /etc/kubernetes/ssl/certs/serverca”
time=“2021-04-02T19:19:12Z” level=info msg=“Certificate #0 (/etc/kubernetes/ssl/certs/serverca)”
time=“2021-04-02T19:19:12Z” level=info msg=“Subject: CN=cattle-ca,O=the-ranch”
time=“2021-04-02T19:19:12Z” level=info msg=“Issuer: CN=cattle-ca,O=the-ranch”
time=“2021-04-02T19:19:12Z” level=info msg=“IsCA: true”
time=“2021-04-02T19:19:12Z” level=info msg=“DNS Names: ”
time=“2021-04-02T19:19:12Z” level=info msg=“IPAddresses: ”
time=“2021-04-02T19:19:12Z” level=info msg=“NotBefore: 2019-01-08 03:16:26 +0000 UTC”
time=“2021-04-02T19:19:12Z” level=info msg=“NotAfter: 2029-01-05 03:16:26 +0000 UTC”
time=“2021-04-02T19:19:12Z” level=info msg=“SignatureAlgorithm: SHA256-RSA”
time=“2021-04-02T19:19:12Z” level=info msg=“PublicKeyAlgorithm: RSA”
time=“2021-04-02T19:19:12Z” level=fatal msg=“Get "https://192.168.211.xx:8443": x509: certificate is valid for 127.0.0.1, 172.17.0.2, 172.17.0.3, 192.168.211.1, not 192.168.211.xx”