07/29/2022, 10:02 PM
I am trying to move an existing Harvester server connected to an old instance of Rancher to a new instance of Rancher. The new Rancher is behind a Layer-4 Load Balancer. When I plug in the new
, the rancher shows Harvester cluster in Pending state and never connects. I have verified that I can ping the LB IP from the harvester server. The LB is forwarding requests to the rancher on ports 80, 443, 9345 (rancher_supervisor), 6443 (kube_api). These are all working correctly through the LB. Are there any other port listeners required for Harvester to communicate with rancher?


07/29/2022, 10:19 PM
We have this port list for inbound: but you could refer here for Rancher ports as well just in case: what version of Harvester and Rancher are you currently using?


07/29/2022, 10:21 PM
I also looked at the YAML from the old and new Rancher from the registration URL and the notable differences are:
• new-rancher is v2.6.6 vs. old-rancher v2.6.5.
• new-rancher does not provide CATTLE_CA_CHECKSUM vs. old-rancher has a value for CATTLE_CA_CHECKSUM.
• The Secret values (url and token) are different for both.
I was able to identify and resolve the issue, but I am posting an update here so that others can understand how to troubleshoot issues with Harvester. Within the Harvester UI, on the bottom left, there is a link to support. Click on the link and click "Generate Support Bundle". This will collect all the different logs from Harvester pods etc. You can click the download button in the browser to fetch the logs to your local host. Unzip the file and there will be a number of folders with various log files. In my case, because the issue was with the registration agent, I looked at the cattle-system folder and noticed a log file called cluster-register.log. Based on the following logs I was able to identify an issue with my Rancher certificates.
2022-08-01T17:02:50.821508376Z time="2022-08-01T17:02:50Z" level=fatal msg="Certificate chain is not complete, please check if all needed intermediate certificates are included in the server certificate (in the correct order) and if the cacerts setting in Rancher either contains the correct CA certificate (in the case of using self signed certificates) or is empty (in the case of using a certificate signed by a recognized CA). Certificate information is displayed above. error: Get \"<>\": x509: certificate signed by unknown authority"