Unready status on cattle-cluster-agent

Hello.
I have cattle-cluster-agent in unready status. Restarting the container does not help. Here is the log; something about the cert chain:

INFO: Environment: CATTLE_ADDRESS=10.42.1.171 CATTLE_CA_CHECKSUM= CATTLE_CLUSTER=true CATTLE_INTERNAL_ADDRESS= CATTLE_K8S_MANAGED=true CATTLE_NODE_NAME=cattle-cluster-agent-5dcd9c744d-d5t4z CATTLE_SERVER=https://192.168.100.15
INFO: Using resolv.conf: nameserver 10.43.0.10 search cattle-system.svc.cluster.local svc.cluster.local cluster.local openstacklocal options ndots:5
INFO: https://192.168.100.15/ping is accessible
time="2019-11-21T07:39:28Z" level=info msg="Rancher agent version v2.3.2 is starting"
time="2019-11-21T07:39:28Z" level=info msg="Listening on /tmp/log.sock"
time="2019-11-21T07:39:28Z" level=info msg="Certificate details from https://192.168.100.15"
time="2019-11-21T07:39:28Z" level=info msg="Certificate #0 (https://192.168.100.15)"
time="2019-11-21T07:39:28Z" level=info msg="Subject: CN=cattle,O=the-ranch"
time="2019-11-21T07:39:28Z" level=info msg="Issuer: CN=cattle-ca,O=the-ranch"
time="2019-11-21T07:39:28Z" level=info msg="IsCA: false"
time="2019-11-21T07:39:28Z" level=info msg="DNS Names: []"
time="2019-11-21T07:39:28Z" level=info msg="IPAddresses: [168.70.37.116 188.68.33.224 192.168.100.15 185.252.90.14 127.0.0.1 74.125.193.138 173.194.73.113 112.35.66.7 89.208.85.139 47.92.7.135 83.143.86.62 64.233.161.100 122.3.89.189 112.35.88.28 5.188.210.101 82.146.38.46 36.77.209.10 123.125.114.144 172.217.7.14 36.85.208.230]"
time="2019-11-21T07:39:28Z" level=info msg="NotBefore: 2019-04-09 10:17:44 +0000 UTC"
time="2019-11-21T07:39:28Z" level=info msg="NotAfter: 2020-11-18 03:59:00 +0000 UTC"
time="2019-11-21T07:39:28Z" level=info msg="SignatureAlgorithm: SHA256-RSA"
time="2019-11-21T07:39:28Z" level=info msg="PublicKeyAlgorithm: RSA"
time="2019-11-21T07:39:28Z" level=fatal msg="Certificate chain is not complete, please check if all needed intermediate certificates are included in the server certificate (in the correct order) and if the cacerts setting in Rancher either contains the correct CA certificate (in the case of using self signed certificates) or is empty (in the case of using a certificate signed by a recognized CA). Certificate information is displayed above. error: Get https://192.168.100.15: x509: certificate signed by unknown authority"

How can I fix it?

When you deployed the Rancher cluster with RKE, did you specify the cert to use and save that cert into a secret? Not doing that can cause this.

Also, you will probably want to set the hostname.

Install like this (if using a private CA):
sudo helm install rancher-latest/rancher \
  --name rancher \
  --namespace cattle-system \
  --set hostname=<your loadbalanced hostname> \
  --set ingress.tls.source=secret \
  --set privateCA=true \
  --set additionalTrustedCAs=true \
  --set addLocal=false

To add the cert that matches your loadbalanced hostname (saved as tls.crt and tls.key):
kubectl -n cattle-system create secret tls tls-rancher-ingress --cert=tls.crt --key=tls.key

To import your CA cert:
kubectl -n cattle-system create secret generic tls-ca --from-file=cacerts.pem

To import additional trusted CAs (optional):
kubectl -n cattle-system create secret generic tls-ca-additional --from-file=ca-additional.pem
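The fatal line in the log above is Go's crypto/x509 verdict that the server certificate does not chain to any CA the agent trusts. As an added example (not Rancher's own code), the following rebuilds that check with constructed certificates matching the log's subjects: with an empty cacerts the verification fails with the same "certificate signed by unknown authority" error, and with the private CA imported it succeeds. The names makeCert, VerifyAgainstCA and Scenario are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// makeCert generates a key and issues tmpl signed by parent/signer; parent == nil means self-signed.
func makeCert(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil { // self-signed: the template is its own issuer
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// VerifyAgainstCA is the check the agent effectively makes: leaf chains to a CA in cacerts and covers host.
func VerifyAgainstCA(leaf *x509.Certificate, cacerts []*x509.Certificate, host string) error {
	pool := x509.NewCertPool() // empty but non-nil: no trusted roots at all, like an empty cacerts
	for _, c := range cacerts {
		pool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// Scenario rebuilds the thread's setup with constructed certs (CN=cattle-ca issuing CN=cattle with an IP SAN).
func Scenario(host string) (errEmpty, errWithCA error) {
	ca, caKey := makeCert(&x509.Certificate{SerialNumber: big.NewInt(1),
		Subject:   pkix.Name{CommonName: "cattle-ca", Organization: []string{"the-ranch"}},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	leaf, _ := makeCert(&x509.Certificate{SerialNumber: big.NewInt(2),
		Subject:     pkix.Name{CommonName: "cattle", Organization: []string{"the-ranch"}},
		NotBefore:   time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IPAddresses: []net.IP{net.ParseIP(host)}}, ca, caKey)
	return VerifyAgainstCA(leaf, nil, host), VerifyAgainstCA(leaf, []*x509.Certificate{ca}, host)
}
```

Calling Scenario("192.168.100.15") returns an x509.UnknownAuthorityError for the empty-cacerts case and nil once the CA is in the pool, which is exactly the difference the tls-ca secret makes.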

Initially, I didn't change anything in the certs. I just deployed single-node Rancher without a DNS name, then created a new custom cluster using the docker run commands from the GUI. I have an nginx reverse proxy for accessing the Rancher GUI over HTTPS.

Some time ago, I had tried to change the Rancher server name to a public DNS name, using Let's Encrypt certs for HTTPS. With no success: my cluster lost connection to the Rancher server. I restored from backup. That was a few months ago, and I have done a few Rancher and Kubernetes upgrades since then.

Probably this is an issue.

Here is my old topic with no replies: Switch to Let's Encrypt

In Rancher settings, cacerts is empty.

So, I generated new self-signed certificates as described here (https://gist.github.com/superseb/f129ad4204ca119249db00965acf657a) and mounted them into the container at /etc/rancher/ssl.

So far, there are no agent restarts.