# rke2
a
c
not really an rke2 question, but there are a bunch of hoops to jump through if you change the cert on rancher. I believe it is covered somewhere in the rancher docs.
w
i'm in the middle of a rotation
the cert in the kubeconfig is
c
you’re not talking directly to the cluster, as the URL in the error shows, you’re talking to rancher
if you change the cert on rancher, you need to download a new kubeconfig that has the new cert in it
that is true for all clients, including the agents on downstream clusters
w
yep i did that. yep
c
do you need to include the LE root CA bundle in your cert? the error indicates that it doesn’t trust the issuer.
w
i mean LE should be trusted everywhere heh
especially ubuntu for kubectl
c
not in kubeconfigs
the root CA is included in the file, if you look at it
it does not use the system CA bundle
w
oh hmm
c
this isn’t a run of the mill web server here. It's the apiserver, and kubernetes has specific ways of doing things, especially around PKI
w
i see
c
```yaml
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: XXXX
    server: https://172.17.0.4:6443
  name: default
```
the certificate-authority-data embedded in the cluster data in the kubeconfig is all that is used, the kubernetes client does not fall back to the OS ca trust bundle.
w
so, why would rancher give me a kubeconfig without the issuing ca crt?
c
possibly because you didn’t include a CA bundle when you updated the cert?
again, this is a rancher question and you’re in #rke2, I’m not a rancher dev, I work on rke2
w
so i just changed the issuer on the ingress
ok sorry
c
yeah, you can’t just change it on the ingress
w
tbf, i am using rke2 on the target cluster 😄
ahh
c
you need to go into Rancher and update the cert there
this is covered in the rancher docs
w
ty, i guess it's good the first step is to modify
tls-rancher-ingress
😄
cause that's what i did
c
yeah you got that part, but then you also need to update other bits, I believe
w
yep
c
so that it can put the right stuff in kubeconfigs
w
hmm ok i think also rancher only supports http letsencrypt versus dns. i'm using dns 😄
heh oh great,
privateCA: false
was already set in the chart
whoooee!!
thanks brandon!
c
👍
w
you rock btw, you always are helpful
side effect is upgrading rancher with helm 2 seconds