# rke2
a
This message was deleted.
s
Any help on this will be appreciated please
c
That’s not the full error message. What did you cut out?
s
error msg="CA cert validation failed: Get \"https://127.0.0.1:6444/cacerts\": tls: failed to verify certificate: x509: cannot validate certificate for 127.0.0.1 but valid for 10.10.70.12:9345"
I tried doing curl on https://127.0.0.1:6444/cacerts and it gives me the SSL error, although when I try to bypass it using “-k” it prints the same cert as https://10.10.70.12:9345/cacerts
c
Are you offloading SSL to the load-balancer?
You’re still missing bits out of that error message. The cert on the servers should include localhost, 127.0.0.1, the server names and IPs, and a bunch of other things in the SAN.
The fact that it doesn’t suggests that you’re offloading SSL to the load-balancer and are using a cert that doesn’t have all the right entries on the SAN.
Make sure your load-balancer isn’t offloading SSL and/or http. It should be just a bare TCP load-balancer.
s
@creamy-pencil-82913 here is the full error I got in the rke2-agent service:
CA cert validation failed: Get \"https://127.0.0.1:6444/cacerts\": tls: failed to verify certificate: x509: certificate is valid for 10.10.70.12, not 127.0.0.1"
Also, the config.yaml I created for the worker node in /etc/rancher/rke2 has only the below content:
Server: https://10.10.7.12:9345
Token: token
c
Yeah. Looks like you’re terminating TLS on the load-balancer. Don’t do that.
s
Okay, I am gonna try having SSL offloading disabled on this and test the worker node.