SSL certificate is not downloaded on agent

Hi, I installed Rancher 2.5.9 in single-node "docker" mode as below. The service came up and is normal, and "Signed by a Recognized CA" is enabled.
But when I go to add a node, it can't communicate. I saw on the forum that it is not loading cacerts because the variable CATTLE_CA_CHECKSUM is empty. How do I solve this problem?

docker run -d --restart=unless-stopped \
  -p 80:80 -p 443:443 \
  -v /<CERT_DIRECTORY>/<FULL_CHAIN.pem>:/etc/rancher/ssl/cert.pem \
  -v /<CERT_DIRECTORY>/<PRIVATE_KEY.pem>:/etc/rancher/ssl/key.pem \
  --privileged \
  rancher/rancher:v2.5.9 \
  --no-cacerts

It doesn't need the CA certificate if it is signed by a recognized authority. What CA is your certificate from? The agent logging should show you a whole lot of text describing what certificate was found and why it can't be validated.

Issued by "Sectigo RSA Organization Validation Secure Server CA".
Below is what I did, and the agent's log.

1- Convert .crt to .pem
-----BEGIN CERTIFICATE-----
MIIG+zCCBeOgAwIBAgIQMnrB

70ppwgVoz7Sb4XxWOPeX
-----END CERTIFICATE-----

2- Convert .key to .pem
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAwjPVaToZehVyE

f2iL8rNzozLr8jtLs4=
-----END RSA PRIVATE KEY-----

ERROR LOG

2021-09-21 17:33:21.030568 I | embed: rejected connection from "192.168.0.52:55678" (error "tls: failed to verify client's certificate: x509: certificate signed by unknown authority (possibly because of \"crypto/rsa: verification error\" while trying to verify candidate authority certificate \"kube-ca\")", ServerName "")

Pretty sure that is the log of the etcd container, and not the agent. Can you share the full log?

The error you are showing is 99% of the time that the host you are adding to a cluster has been added before and contains old files which conflict with the new cluster. What to clean is described on Rancher Docs: Removing Kubernetes Components from Nodes

If the agent is not working, please share the full agent log.

Problem solved: it was my full chain, which was in the wrong order.
Correct form:
-----BEGIN CERTIFICATE-----
… (your primary SSL certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
… (the intermediate CA certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
… (the trusted root certificate)
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
… (your server key from mycaservercertkeyrsa.pem)
-----END RSA PRIVATE KEY-----
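A way to catch the ordering mistake from the last post before pointing Rancher at the files, as an added example that is not from the thread and not Rancher's own code: a POSIX shell script that builds a throwaway root, intermediate and server certificate with openssl (all names, "Example Root", "Example Intermediate" and "rancher.example.test", are constructed for the demo), then checks a full-chain PEM the way a TLS server consumes cert.pem and key.pem: the first certificate must be the one whose public key matches the private key, and every following certificate must be the issuer of the one before it. Non-certificate blocks in the bundle, such as a pasted private key, are ignored by the check.

```shell
#!/bin/sh
# Added example (not from the thread, not Rancher code): build a throwaway
# root -> intermediate -> leaf chain with openssl, then check a full-chain PEM
# the way a TLS server consumes it. All names (Example Root, Example
# Intermediate, rancher.example.test) are constructed for this demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# split_pem BUNDLE DIR: write DIR/cert-NN.pem, one per CERTIFICATE block, in bundle order.
# Anything that is not a certificate block (a pasted private key, comments) is skipped.
split_pem() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", dir, n) }
    f != "" { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }
  ' "$1"
}

# check_chain_order BUNDLE KEY: returns 0 when BUNDLE is ordered leaf -> issuer -> ...,
# 1 otherwise. Two rules, matching what a server does with cert.pem and key.pem:
#   1. the first certificate must carry the public key that belongs to KEY;
#   2. each following certificate's subject must equal the previous one's issuer.
# Note that "openssl verify -untrusted BUNDLE" does not catch this: it builds the
# chain itself from the pool of certificates, regardless of their order in the file.
check_chain_order() {
  bundle=$1 key=$2
  parts=$(mktemp -d "$WORK/parts.XXXXXX")
  split_pem "$bundle" "$parts"
  set -- "$parts"/cert-*.pem

  if [ "$(openssl x509 -in "$1" -noout -pubkey)" != "$(openssl pkey -in "$key" -pubout)" ]; then
    echo "first certificate ($(openssl x509 -in "$1" -noout -subject)) does not match the private key" >&2
    return 1
  fi
  prev_issuer=$(openssl x509 -in "$1" -noout -issuer)
  shift
  for c in "$@"; do
    subject=$(openssl x509 -in "$c" -noout -subject)
    if [ "${subject#subject=}" != "${prev_issuer#issuer=}" ]; then
      echo "chain break: expected '${prev_issuer#issuer=}' next, found '${subject#subject=}'" >&2
      return 1
    fi
    prev_issuer=$(openssl x509 -in "$c" -noout -issuer)
  done
  return 0
}

# Constructed test material: self-signed root, intermediate CA, server leaf.
make_test_chain() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:rancher.example.test\n' > "$d/leaf.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Root" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=rancher.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
}

make_test_chain "$WORK"
# Correct order, as in the post above: server certificate, intermediate, root.
cat "$WORK/leaf.pem" "$WORK/int.pem" "$WORK/root.pem" > "$WORK/good.pem"
# Root first: the mistake the thread was about; fails rule 1.
cat "$WORK/root.pem" "$WORK/int.pem" "$WORK/leaf.pem" > "$WORK/root-first.pem"
# Leaf first but intermediate and root swapped: fails rule 2.
cat "$WORK/leaf.pem" "$WORK/root.pem" "$WORK/int.pem" > "$WORK/swapped.pem"

for b in good root-first swapped; do
  if check_chain_order "$WORK/$b.pem" "$WORK/leaf.key"; then
    echo "$b.pem: order OK"
  else
    echo "$b.pem: rejected"
  fi
done
```

To use it on a real deployment, call check_chain_order with the file you intend to mount at /etc/rancher/ssl/cert.pem and the key you intend to mount at /etc/rancher/ssl/key.pem; it fails fast on a root-first bundle (the first certificate's public key is not the server key) and on a bundle whose intermediates are out of sequence (a subject/issuer mismatch), which are the two ways a hand-assembled chain usually goes wrong.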