Unknown certificate authority


I installed a HA rancher by following the official documentation.

I choose to use my own self signed certificate which I generate as follow :

# openssl req -newkey rsa:2048 -nodes -keyout tls.key -x509 -days 365 -out tls.crt

then I continue the installation and add tls secret as shown here : https://rancher.com/docs/rancher/v2.x/en/installation/options/tls-secrets/

I wrote this script to automate the process :


helm repo add rancher-stable https://releases.rancher.com/server-charts/stable

if [ -f kube_config_cluster.yml ]; then
  kubectl \
    --kubeconfig kube_config_cluster.yml \
    create namespace cattle-system

  kubectl --kubeconfig kube_config_cluster.yml \
    -n cattle-system create secret tls tls-rancher-ingress \
      --cert=certs/tls.crt \

  helm --kubeconfig kube_config_cluster.yml install rancher rancher-stable/rancher --namespace cattle-system --set hostname=domain.foo --set ingress.tls.source=secret


But It appears that the imported cluster does not bring cattle-cluster-agent and cattle-node-agent pods up. I get this error :

level=fatal msg="Certificate chain is not complete, 
please check if all needed intermediate certificates 
are included in the server certificate (in the correct order) 
and if the cacerts setting in Rancher either contains the correct CA 
certificate (in the case of using self signed certificates) 
or is empty (in the case of using a certificate signed by a recognized CA). 
Certificate information is displayed above. error: Get 
https://domain.foo: x509: certificate signed by unknown authority"

I would like to identify and correct what I’ve done wrong. For the moment I’m unable to bring the local imported cluster up.

Please see https://rancher.com/docs/rancher/v2.x/en/installation/options/tls-secrets/#using-a-private-ca-signed-certificate and

If you are using a Private CA signed certificate , add --set privateCA=true to the command shown below.

from (https://rancher.com/docs/rancher/v2.x/en/installation/k8s-install/helm-rancher/#6-install-rancher-with-helm-and-your-chosen-certificate-option)

Thanks for you reply.
Do you confirm that after generating my self signed certificate, I have to copy the certificate to cacerts.pem and follow the instructions in the url you provided ?

I got everything working but I would like to know if this is the correct way to do it.

I have the same problem. You asked about a Self Signed cert and the response was for a Private CA. What did you do to actually fix this issue?

Even if we enable private-ca in helm, and adding cacert using kubectl create tls, it is not working. however if you use openssl verify -CAfile ca.pem rancher.crt it is working fine.

We use ingress controller for SSL termination. So, I think some how it is getting cert from ingress controller default cert instead of the ingress resource cert. still checking…