# general
a
a
attach a chain to a cert (inside same file)
--- main cert --- --- end cert --- --- chain cert #1 --- --- end cert --- --- etc #2 ---
other would be if you know where to add a cert to trust store, but I'm not familiar with that atm
m
@ambitious-plastic-3551 I did it with the following order -- Key -- -- Cert -- -- intermediate -- -- root -- in a pem file
a
key is separate normally
in tls secret in kubernetes
m
just to clarify, I'm not using an SSL certificate in the K8s cluster or Rancher secrets; I'm using HAProxy with SSL configured, and also installed the Rancher helm chart with these tags: --set tls=external
should I add the certificate to the cluster I want to provision as well?
a
if you have tls=external you have to provide your own perhaps?
m
yes and I'm able to fetch it and it's working with the certificate from the browser for rancher dashboard
but for cluster-agent
I get the certificate chain issue
also no issue using curl
a
oh yes
m
but the issue is only for the cattle-cluster-agent
a
kubectl thing provides the CA in json, but it is a different one
k8s api has its own cert, your haproxy has its own cert
but they have to be the same CA imho
m
kubectl -n cattle-system logs -f cattle-cluster-agent-7787f877fb-6s77v
INFO: Environment: CATTLE_ADDRESS=10.42.244.153 CATTLE_CA_CHECKSUM= CATTLE_CLUSTER=true CATTLE_CLUSTER_AGENT_PORT=tcp://10.43.113.232:80 CATTLE_CLUSTER_AGENT_PORT_443_TCP=tcp://10.43.113.232:443 CATTLE_CLUSTER_AGENT_PORT_443_TCP_ADDR=10.43.113.232 CATTLE_CLUSTER_AGENT_PORT_443_TCP_PORT=443 CATTLE_CLUSTER_AGENT_PORT_443_TCP_PROTO=tcp CATTLE_CLUSTER_AGENT_PORT_80_TCP=tcp://10.43.113.232:80 CATTLE_CLUSTER_AGENT_PORT_80_TCP_ADDR=10.43.113.232 CATTLE_CLUSTER_AGENT_PORT_80_TCP_PORT=80 CATTLE_CLUSTER_AGENT_PORT_80_TCP_PROTO=tcp CATTLE_CLUSTER_AGENT_SERVICE_HOST=10.43.113.232 CATTLE_CLUSTER_AGENT_SERVICE_PORT=80 CATTLE_CLUSTER_AGENT_SERVICE_PORT_HTTP=80 CATTLE_CLUSTER_AGENT_SERVICE_PORT_HTTPS_INTERNAL=443 CATTLE_CLUSTER_REGISTRY=mrx-registry.vinfra.tech CATTLE_FEATURES=embedded-cluster-api=false,fleet=false,monitoringv1=false,multi-cluster-management=false,multi-cluster-management-agent=true,provisioningv2=false,rke2=false CATTLE_INGRESS_IP_DOMAIN=sslip.io CATTLE_INSTALL_UUID=5a874e1d-66c5-4252-a4c0-da373b6f9240 CATTLE_INTERNAL_ADDRESS= CATTLE_IS_RKE=false CATTLE_K8S_MANAGED=true CATTLE_NODE_NAME=cattle-cluster-agent-7787f877fb-6s77v CATTLE_RANCHER_WEBHOOK_VERSION=103.0.1+up0.4.2 CATTLE_SERVER=https://XXXXXXXX CATTLE_SERVER_VERSION=v2.8.0
INFO: Using resolv.conf: search cattle-system.svc.cluster.local svc.cluster.local cluster.local nameserver 10.43.0.10 options ndots:5
INFO: <https://XXXXXXXX/ping> is accessible
INFO: XXXXXXXX resolves to 192.26.38.70
time="2024-01-04T10:10:26Z" level=info msg="Listening on /tmp/log.sock"
time="2024-01-04T10:10:26Z" level=info msg="Rancher agent version v2.8.0 is starting"
time="2024-01-04T10:10:26Z" level=info msg="Certificate details from <https://XXXXXXXX>"
time="2024-01-04T10:10:26Z" level=info msg="Certificate #0 (<https://XXXXXXXX>)"
time="2024-01-04T10:10:26Z" level=info msg="Subject: CN=XXXXXXXX,OU=IT,O=XXX,L=AD,ST=AD,C=US"
time="2024-01-04T10:10:26Z" level=info msg="Issuer: CN=AEV-100506-CA,0.9.2342.192000300.100.1.25=#130676696e667261,0.09.2342.19200300.100.1.25=#130474656368"
time="2024-01-04T10:10:26Z" level=info msg="IsCA: false"
time="2024-01-04T10:10:26Z" level=info msg="DNS Names: [XXXXXXXX]"
time="2024-01-04T10:10:26Z" level=info msg="IPAddresses: <none>"
time="2024-01-04T10:10:26Z" level=info msg="NotBefore: 2024-01-02 12:03:40 +0000 UTC"
time="2024-01-04T10:10:26Z" level=info msg="NotAfter: 2026-01-01 12:03:40 +0000 UTC"
time="2024-01-04T10:10:26Z" level=info msg="SignatureAlgorithm: SHA256-RSA"
time="2024-01-04T10:10:26Z" level=info msg="PublicKeyAlgorithm: RSA"
time="2024-01-04T10:10:26Z" level=info msg="Certificate #1 (<https://XXXXXXXX>)"
time="2024-01-04T10:10:26Z" level=info msg="Subject: CN=AEV-105006-CA,0.9.2342.192000300.100.1.25=#130676696e667261,0.9.2342.19200300.100.1.25=#130474656368"
time="2024-01-04T10:10:26Z" level=info msg="Issuer: CN=AEV-DDDD-CA"
time="2024-01-04T10:10:26Z" level=info msg="IsCA: true"
time="2024-01-04T10:10:26Z" level=info msg="DNS Names: <none>"
time="2024-01-04T10:10:26Z" level=info msg="IPAddresses: <none>"
time="2024-01-04T10:10:26Z" level=info msg="NotBefore: 2021-09-21 13:48:50 +0000 UTC"
time="2024-01-04T10:10:26Z" level=info msg="NotAfter: 2026-09-21 13:58:50 +0000 UTC"
time="2024-01-04T10:10:26Z" level=info msg="SignatureAlgorithm: SHA256-RSA"
time="2024-01-04T10:10:26Z" level=info msg="PublicKeyAlgorithm: RSA"
time="2024-01-04T10:10:26Z" level=info msg="Certificate #2 (<https://XXXXXXXX>)"
time="2024-01-04T10:10:26Z" level=info msg="Subject: CN=AEV-DDDD-CA"
time="2024-01-04T10:10:26Z" level=info msg="Issuer: CN=AEV-DDDD-CA"
time="2024-01-04T10:10:26Z" level=info msg="IsCA: true"
time="2024-01-04T10:10:26Z" level=info msg="DNS Names: <none>"
time="2024-01-04T10:10:26Z" level=info msg="IPAddresses: <none>"
time="2024-01-04T10:10:26Z" level=info msg="NotBefore: 2019-11-05 15:15:36 +0000 UTC"
time="2024-01-04T10:10:26Z" level=info msg="NotAfter: 2031-09-21 13:25:20 +0000 UTC"
time="2024-01-04T10:10:26Z" level=info msg="SignatureAlgorithm: SHA256-RSA"
time="2024-01-04T10:10:26Z" level=info msg="PublicKeyAlgorithm: RSA"
time="2024-01-04T10:10:26Z" level=fatal msg="Certificate chain is not complete, please check if all needed intermediate certificates are included in the server certificate (in the correct order) and if the cacerts setting in Rancher either contains the correct CA certificate (in the case of using self signed certificates) or is empty (in the case of using a certificate signed by a recognized CA). Certificate information is displayed above. error: Get \"<https://XXXXXXXX>\": tls: failed to verify certificate: x509: certificate signed by unknown authority"
this is the full log for the cattle-cluster-agent pod
a
is it only one intermediary?
curl may work because you have a CA somewhere; other than that it may also be a problem of cache with the pod
m
I have the pem file with this layout
-----BEGIN RSA PRIVATE KEY-----
(Your Private Key: your_domain_name.key)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate: your_domain_name.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate: DigiCertCA.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Root certificate: TrustedRoot.crt)
-----END CERTIFICATE-----
for haproxy
@ambitious-plastic-3551 I got it fixed
it was a very dumb mistake 😄
a
awesome
thanks for letting me know
m
thanks man for your effort
even if I'm using external TLS, I should create a secret tls-ca with the root-only certificate; also the filename should be cacerts.pem
h
@modern-flag-12265 what and how did you fix this?
m
by creating a secret tls-ca that contains the root certificate; the name of the file that you create the secret from with '--from-file' should be cacerts.pem
h
Ok got it 👍 thanks