# harvester
b
Which IP are you using from the first node? The VIP? Or the first node's IP?
l
From my master node install configuration (I’m using iPXE to install):
install:
  mode: create
  management_interface:
    interfaces:
    - name: enp3s0f0
    default_route: true
    method: dhcp
  device: /dev/sda
  iso_url: http://192.168.13.1/assets/harvester/harvester-v1.2.1-amd64.iso
  vip_mode: static
  vip: 192.168.13.200
and from the joiner:
server_url: https://192.169.13.200:443
g
any chance we can see the full message?
l
Hi @great-bear-19718 Sorry for the delay. I was working through a KVM and I don’t like pasting screenshots. I have made no changes to the master node since it was deployed - just set the password and logged on to see all is well. These messages are from the joining node and are on a loop.
Feb 29 14:06:35 harvester-gskcx rancherd[2429]: time="2024-02-29T14:06:35Z" level=info msg="Bootstrapping Rancher (v2.7.5/v1.25.9+rke2r1)"
Feb 29 14:07:10 harvester-gskcx rancherd[2429]: time="2024-02-29T14:07:10Z" level=info msg="failed to bootstrap system, will retry: generating plan: insecure cacerts download from https://192.169.13.200:443/cacerts: Get \"https://192.169.13.200:443/cacerts\": context deadline exceeded (Client.Timeout exceeded while awaiting headers)"
Feb 29 14:07:25 harvester-gskcx rancherd[2429]: time="2024-02-29T14:07:25Z" level=info msg="Loading config file [/usr/share/rancher/rancherd/config.yaml.d/50-defaults.yaml]"
Feb 29 14:07:25 harvester-gskcx rancherd[2429]: time="2024-02-29T14:07:25Z" level=info msg="Loading config file [/usr/share/rancher/rancherd/config.yaml.d/91-harvester-bootstrap-repo.yaml]"
Feb 29 14:07:25 harvester-gskcx rancherd[2429]: time="2024-02-29T14:07:25Z" level=info msg="Loading config file [/etc/rancher/rancherd/config.yaml]"
The master node configuration as presented during iPXE boot:
scheme_version: 1
token: mytoken
os:
  #hostname: harvester1
  ssh_authorized_keys:
  - ssh-rsa <<my public ssh key>>
  password: foobar
  ntp_servers:
  - 0.uk.pool.ntp.org
install:
  mode: create
  management_interface:
    interfaces:
    - name: enp3s0f0
    default_route: true
    method: dhcp
  device: /dev/sda
  iso_url: http://192.168.13.1/assets/harvester/harvester-v1.2.1-amd64.iso
  vip_mode: static
  vip: 192.168.13.200
The joiner node configuration as presented during iPXE boot:
scheme_version: 1
server_url: https://192.169.13.200:443
token: mytoken
os:
  ssh_authorized_keys:
  - ssh-rsa <<my public ssh key>>
  password: foobar
  ntp_servers:
  - 0.uk.pool.ntp.org
install:
  mode: join
  management_interface:
    interfaces:
    - name: enp3s0f0
    default_route: true
    method: dhcp
  device: /dev/sda
  iso_url: http://192.168.13.1/assets/harvester/harvester-v1.2.1-amd64.iso
The iPXE configuration for both node types:
:harvester_create
echo Booting Harvester Create installer
sleep 3
kernel http://192.168.13.1/assets/harvester/harvester-v1.2.1-vmlinuz-amd64 ip=dhcp rd.net.dhcp.retry=3 rd.cos.disable rd.noverifyssl net.ifnames=1 root=live:http://192.168.13.1/assets/harvester/harvester-v1.2.1-rootfs-amd64.squashfs console=tty1 harvester.install.automatic=true harvester.install.skipchecks=true harvester.install.config_url=http://192.168.13.1/assets/harvester/ipxe_harvester_create.conf
initrd http://192.168.13.1/assets/harvester/harvester-v1.2.1-initrd-amd64
boot || goto back

:harvester_join
echo Booting Harvester Join installer
sleep 3
kernel http://192.168.13.1/assets/harvester/harvester-v1.2.1-vmlinuz-amd64 ip=dhcp net.ifnames=1 rd.cos.disable rd.noverifyssl console=tty1 root=live:http://192.168.13.1/assets/harvester/harvester-v1.2.1-rootfs-amd64.squashfs harvester.install.automatic=true harvester.install.skipchecks=true harvester.install.config_url=http://192.168.13.1/assets/harvester/ipxe_harvester_join.conf
initrd http://192.168.13.1/assets/harvester/harvester-v1.2.1-initrd-amd64
boot || goto back
g
That error is more a matter of the second node being unable to reach the first one.
rancherd downloads the cacerts from the remote node on boot, but the error is about timing out while trying to get headers.
If you shell into the second node, are you able to run a curl to the VIP? https://192.169.13.200:443
l
Indeed I can:
rancher@harvester-gskcx:~> curl -k https://192.168.13.200:443
<a href="/dashboard/">Found</a>.

rancher@harvester-gskcx:~> curl -k https://192.168.13.200:443/cacerts
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
The certificate on the server looks as I would expect. But how should the client trust it? Am I missing a configuration to trust self signed certs?
harvester-l5nng:~ # echo | openssl s_client -showcerts -connect 192.168.13.200:443 2>/dev/null | openssl x509 -inform pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 5456567922216833052 (0x4bb99f9d7886901c)
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: O = dynamiclistener-org, CN = dynamiclistener-ca@1709209520
        Validity
            Not Before: Feb 29 12:25:20 2024 GMT
            Not After : Mar  1 09:14:03 2025 GMT
        Subject: O = dynamic, CN = dynamic
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:d6:c0:aa:bd:05:ee:48:96:04:00:c7:8c:99:14:
                    5c:b8:05:07:2f:7e:a3:4e:6d:af:ce:de:62:99:7c:
                    bb:dd:0a:0a:ab:b2:5d:22:d1:3b:fb:0f:27:62:43:
                    2a:af:c4:96:70:56:7c:50:18:35:47:fe:88:3d:02:
                    99:40:11:49:f7
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Authority Key Identifier:
                keyid:EA:A4:95:42:EB:55:87:8B:1D:4C:F3:E1:A2:3C:ED:83:38:69:6B:15

            X509v3 Subject Alternative Name:
                IP Address:10.52.0.117, IP Address:10.52.0.4, IP Address:10.52.0.69, IP Address:10.53.106.118, IP Address:192.168.13.200
    Signature Algorithm: ecdsa-with-SHA256
         30:44:02:20:1b:56:17:40:b7:83:ad:7b:f0:40:b4:e9:62:87:
         ae:21:d6:ab:c3:fc:b8:55:a2:ca:cc:b6:5e:ad:e7:e1:a9:7d:
         02:20:4e:59:c4:93:47:d7:f4:1a:da:65:a6:ec:98:de:cd:4f:
         4e:7e:d7:33:39:6e:c8:f5:fb:dd:fa:62:26:8b:db:b3
g
rancherd will download and trust the cert
is there a proxy in the middle or something else?
l
No, it is a simple, flat network behind a router to keep it separate from everything else.
Hi @great-bear-19718 Thank you for your assistance. I came back to this issue yesterday and almost immediately discovered the problem…