Unknown certificate authority

jehutyy · April 10, 2020, 2:09pm

Hi,

I installed a HA rancher by following the official documentation.

I choose to use my own self signed certificate which I generate as follow :

# openssl req -newkey rsa:2048 -nodes -keyout tls.key -x509 -days 365 -out tls.crt

then I continue the installation and add tls secret as shown here : https://rancher.com/docs/rancher/v2.x/en/installation/options/tls-secrets/

I wrote this script to automate the process :

#!/bin/bash

helm repo add rancher-stable https://releases.rancher.com/server-charts/stable

if [ -f kube_config_cluster.yml ]; then
  kubectl \
    --kubeconfig kube_config_cluster.yml \
    create namespace cattle-system

  kubectl --kubeconfig kube_config_cluster.yml \
    -n cattle-system create secret tls tls-rancher-ingress \
      --cert=certs/tls.crt \
        --key=certs/tls.key

  helm --kubeconfig kube_config_cluster.yml install rancher rancher-stable/rancher --namespace cattle-system --set hostname=domain.foo --set ingress.tls.source=secret

fi

But It appears that the imported cluster does not bring cattle-cluster-agent and cattle-node-agent pods up. I get this error :

level=fatal msg="Certificate chain is not complete, 
please check if all needed intermediate certificates 
are included in the server certificate (in the correct order) 
and if the cacerts setting in Rancher either contains the correct CA 
certificate (in the case of using self signed certificates) 
or is empty (in the case of using a certificate signed by a recognized CA). 
Certificate information is displayed above. error: Get 
https://domain.foo: x509: certificate signed by unknown authority"

I would like to identify and correct what I’ve done wrong. For the moment I’m unable to bring the local imported cluster up.

superseb · April 10, 2020, 4:24pm

Please see https://rancher.com/docs/rancher/v2.x/en/installation/options/tls-secrets/#using-a-private-ca-signed-certificate and

If you are using a Private CA signed certificate , add --set privateCA=true to the command shown below.

from (https://rancher.com/docs/rancher/v2.x/en/installation/k8s-install/helm-rancher/#6-install-rancher-with-helm-and-your-chosen-certificate-option)

jehutyy · April 14, 2020, 9:19am

Thanks for you reply.
Do you confirm that after generating my self signed certificate, I have to copy the certificate to cacerts.pem and follow the instructions in the url you provided ?

I got everything working but I would like to know if this is the correct way to do it.

jgerry2002 · July 22, 2020, 6:44pm

I have the same problem. You asked about a Self Signed cert and the response was for a Private CA. What did you do to actually fix this issue?

eselvam · August 6, 2020, 5:47pm

Even if we enable private-ca in helm, and adding cacert using kubectl create tls, it is not working. however if you use openssl verify -CAfile ca.pem rancher.crt it is working fine.

We use ingress controller for SSL termination. So, I think some how it is getting cert from ingress controller default cert instead of the ingress resource cert. still checking…

Topic		Replies	Views
X509 Certificate signed by unknown authorities Rancher	2	2610	July 5, 2024
Certificate question Rancher	3	1633	June 4, 2020
New cluster stuck in provisioning state Rancher	0	1011	October 30, 2020
10-26-20 x509: certificate signed by unknown authority Rancher	5	11123	March 23, 2021
Rancher 2.2.7 Fresh Install - cacerts issues (self signed cert) Rancher	3	1879	February 29, 2020

Unknown certificate authority

Related topics