This message was deleted.

You'll want to look at the documentation for your ingress controller on how to specify. I know for RKE2 that they use default nginx enough that you have to look at upstream docs to find how to change default cert. Side note if this is nginx, note that nginx-ingress & ingress-nginx are two different projects, so make sure you're on the right one.

its rke cluster and when i try access workernode like this https://ip_public_workernode , i see this :

I know nothing about RKE, just RKE2 & K3S, but it RKE follows the pattern then the answer you'd get from a rancher person about how to change the default certificate for your ingress controller is to check to upstream docs because they re-packaged the project but didn't really change it.

This is really an nginx question. The default backend is where it redirects you to when you attempt to access a resource that doesn't have a path associated to it in the ingress, as in, there is likely no actual entry in any ingress resource for host 'whatever your IP address is' with path '/', so you get the default backend, which is not going to serve a real certificate because it's not a real resource, just a place to sink 404s. To get a real certificate, you need to create a secret in the same namespace as the Ingress, of type tls with entries for tls.crt and tls.key, and give the secret name to the Ingress. It's usually easiest to automate this with cert-manager, but if you're issuing certificates yourself, read the documentation for your ingress controller.

so if i understand, i create a secret tls in ns ingress-nginx and after that i need to do this :

Ah yeah, I see what you're saying, in order to provide your own certificate for the default backend, not for an actual Ingress. Yes, this is in the values passed to nginx ingress controller Helm chart, which Rancher allows you to pass via the cluster.yml file since it bakes in a customized chart as a default ingress controller for RKE and RKE2 clusters.