# general
Hi all, we’re using Rancher 2.4 at present, with cert-manager 0.13.1. In our test configurations we enable the use of the LetsEncrypt staging site to avoid issues with rate-limiting, and the cattle-node and cattle-agent pods can’t verify the certs as expected; however, when I follow the directions on the Rancher site to use additional trusted CAs as documented here, I still see `unknown-authority` failures during the SSL handshake. To create the `tls-ca-additional` secret, I’m curl’ing the LetsEncrypt intermediate and Root staging CAs from the site into a file, and using the kubectl command on the docs page to create the secret. From the snippet I’m including, it looks like the intermediate CA is signed by `Doctored Durian Root CA X3`, which is expired. But when I examine the generated cert for the service, and the intermediate CA that signed it, it doesn’t seem to reference that. Has anyone seen this before?