SSL certificate is not downloaded on agent

Claudio_Souza · September 23, 2021, 3:19am

Hi, I installed rancher 2.5.9 in single mode “docker” as below. Service rose and normal and Signed by a Recognized CAenabled.
but when I’m going to add a node it can’t communicate. I saw on the forum that he is not loading cacerts because of the variable CATTLE_CA_CHECKSUM which is empty. how to solve this problem?

docker run -d --restart=unless-stopped \
  -p 80:80 -p 443:443 \
  -v /<CERT_DIRECTORY>/<FULL_CHAIN.pem>:/etc/rancher/ssl/cert.pem \
  -v /<CERT_DIRECTORY>/<PRIVATE_KEY.pem>:/etc/rancher/ssl/key.pem \
  --privileged \
  rancher/rancher:v2.5.9 \
  --no-cacerts

superseb · September 23, 2021, 10:44am

It doesn’t need the CA certificate it is signed by a recognized Authority, what CA is your certificate from? The agent logging should show you a whole lot of text describing what certificate was found and why it can’t be validated.

Claudio_Souza · September 23, 2021, 1:55pm

Issued by “Sectigo RSA Organization validation secure server ca”.
Below is what I did, and the agent’s log.

1- Convert .crt to .pem
-----BEGIN CERTIFICATE-----
MIIG+zCCBeOgAwIBAgIQMnrB
…
70ppwgVoz7Sb4XxWOPeX
-----END CERTIFICATE -----

2- convert .key to .pem
-----BEGIN RSA PRIVATE KEY -----
MIIEpQIBAAKCAQEAwjPVaToZehVyE
…
f2iL8rNzozLr8jtLs4=
-----END RSA PRIVATE KEY -----

ERROR LOG
…
2021-09-21 17:33:21.030568 I | embed: rejected connection from “192.168.0.52:55678” (error “tls: failed to verify client’s certificate: x509: certificate signed by unknown authority (possibly because of “crypto/rsa: verification error” while trying to verify candidate authority certificate “kube-ca”)”, ServerName “”)

superseb · September 23, 2021, 3:46pm

Pretty sure that is the log of the etcd container, and not the agent. Can you share the full log?

The error you are showing is 99% of the time that the host you are adding to a cluster has been added before and contains old files which conflict with the new cluster. What to clean is described on Rancher Docs: Removing Kubernetes Components from Nodes

If the agent is not working, please share the full agent log.

Claudio_Souza · September 29, 2021, 5:08pm

Problem solved, it was my full chain, which was in the wrong order.
correct form:
-----BEGIN CERTIFICATE-----
… (your primary SSL certificate)
-----END CERTIFICATE -----
-----BEGIN CERTIFICATE-----
… (the intermediate CA certificate)
-----END CERTIFICATE -----
-----BEGIN CERTIFICATE-----
… (the trusted root certificate)
-----END CERTIFICATE -----
-----BEGIN RSA PRIVATE KEY -----
… (your server key from mycaservercertkeyrsa.pem)
----- END RSA PRIVATE KEY -----

Topic		Replies	Views
Cattle node agent - Certificate chain is not complete	1	3262	May 20, 2020
/v3/settings/cacerts does not look like an x509 certificate after upgrade to 2.1.0 from 2.0.8 Rancher 2.x	1	2007	October 14, 2018
Rancher agents not available after upgrade from 2.1.1 to 2.3.0 Rancher 2.x	10	7295	October 31, 2019
Rancher agent "x509: certificate signed by unknown authority" with DigiCert Rancher 2.x	1	1902	August 26, 2019
How to upgrade Rancher agents to use SSL? Rancher 1.x	3	3753	June 28, 2018

SSL certificate is not downloaded on agent

Related Topics