# rke2
a
Is this an RKE2 cluster created by Rancher manager? And, if so, does Rancher manager have a public cert? I ran into the same issue on my Rancher manager cluster that had a public cert hosted upstream on an NGINX instance (performing SSL offload for the Rancher cluster). Turned out that I had chained the certificate wrong. While visiting the Rancher web site would not show a cert error, the remote agents on the downstream clusters would not accept the certs. I ended up checking my Rancher manager cert by running the manager URL through https://www.ssllabs.com/ssltest and adjusting my cert chaining until I got an "A" rating on the site. Your situation may be different though.
s
by rancher manager you mean the ui, right?
i am using a private ca
a
Correct.
Ah, okay. So not Cert Manager or a public CA.
s
i have a cert manager installed as an initial setup but need to add a private ca
a
Makes sense. Did you use Helm to install Rancher? Assuming you have not already done so, you might update the Helm install with the "additionalTrustedCAs" option. Ref: https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/installation-references/helm-chart-options#additional-trusted-cas
s
no i used the commands to install the rke2 automation with ansible
kubectl -n cattle-system create secret generic tls-ca-additional --from-file=ca-additional.pem=./ca-additional.pem
this is something i added
what it did is basically it made my rancher url connection secure
but the downstream nodes are not able to communicate
with rancher showing the screenshot error
a
👍 Unfortunately, I'm not as familiar with Ansible (hoping to get there someday). When I went with a public CA on Rancher, all I needed to do was update my Helm install with a TLS external option (due to external SSL offload). Sounds like what you are trying is the "Certificates from files" option in the Rancher guide: https://ranchermanager.docs.rancher.com/pages-for-subheaders/install-upgrade-on-a-kubernetes-cluster But I'm not sure how to do that using Ansible.
s
so i basically used these commands
```bash
# Master node configuration

curl -sfL https://get.rke2.io | sh -
systemctl enable rke2-server.service
systemctl start rke2-server.service
systemctl status rke2-server.service
cd /usr/local/bin
cp /var/lib/rancher/rke2/bin/kubectl .
cp /var/lib/rancher/rke2/bin/crictl .
# kubectl on an RKE2 server needs the cluster kubeconfig
export KUBECONFIG=/etc/rancher/rke2/rke2.yaml
kubectl get nodes
# The join token for additional nodes is in:
cat /var/lib/rancher/rke2/server/node-token

cp /var/lib/rancher/rke2/bin/* /usr/local/bin/


# Rancher: add another master (server) node to the existing cluster

curl -sfL https://get.rke2.io | INSTALL_RKE2_TYPE="server" sh -
systemctl enable rke2-server.service
mkdir -p /etc/rancher/rke2/
# Point the new server at the first one (contents of /etc/rancher/rke2/config.yaml):
cat > /etc/rancher/rke2/config.yaml <<'EOF'
server: https://atl20er8k8poc01.amer.prgx.com:9345
token: K101d1721c1d7f2e6f0010076a43575dda9421f95a59c06cd401d0869fba8f8e4e5::server:d3271e27614df319d859be7ec0261cd2
EOF

systemctl start rke2-server.service
systemctl status rke2-server.service
```