# rancher-desktop
w
looks like a proxy issue. basically it doesn't trust the self-signed of the proxy
i
man im so bad with proxies, do you have any advice as to what i could do or try?
w
so is the signing CA in your keychain or windows cred store?
i
should be my keychain
i
im on windows but also a little confused what that thread is saying
w
so what are the logs saying?
i
2024-07-30T18:56:14.847Z: Registered distributions: 
2024-07-30T18:56:15.203Z: Registered distributions:
that is it.
w
there should be a bunch of logs?
i
oh i looked into the k8s.log and it is showing this:
2024-07-30T185610.059Z: Error reading cached version data, discarding: [Error: ENOENT: no such file or directory, open 'C:\Users\tgfan\AppData\Local\rancher-desktop\cache\k3s-versions.json'] { errno: -4058, code: 'ENOENT', syscall: 'open', path: 'C:\\Users\\tgfan\\AppData\\Local\\rancher-desktop\\cache\\k3s-versions.json' }
2024-07-30T185611.514Z: Error reading cached version data, discarding: [Error: ENOENT: no such file or directory, open 'C:\Users\tgfan\AppData\Local\rancher-desktop\cache\k3s-versions.json'] { errno: -4058, code: 'ENOENT', syscall: 'open', path: 'C:\\Users\\tgfan\\AppData\\Local\\rancher-desktop\\cache\\k3s-versions.json' }
2024-07-30T185611.514Z: Updating release version cache with 0 items in cache
2024-07-30T185612.794Z: updateCache: error: FetchError: request to https://update.k3s.io/v1-release/channels failed, reason: unable to get local issuer certificate
2024-07-30T185612.807Z: FetchError: request to https://update.k3s.io/v1-release/channels failed, reason: unable to get local issuer certificate
w
so if you hit https://update.k3s.io/v1-release/channels in a browser who signed the Certificate? and is it an internal CA?
i
let me check
yea it looks like it was issued by an internal organization
issued to k3s.io which is kerberos
gonna try adding a proxy-url to config file
w
so no k3s.io is the mini k8s distribution offered by rancher
krb5 would be a common thing related to kerberos
i
gotcha
w
the issued by is what you care about. if it's not a big internet CA or has your company name in the middle it's doing TLS interception and has been replaced
the trick is getting node fetch to trust that CA
i
yea i see now. you are right, it has my company name in the middle
what does that mean for me?
w
so do you see a matching certificate in your keychain/login/certificates?
that Issue has some of the challenges getting an env var into the scope of an app and i deal with this often and have not had this issue as i thought RD handled this case
i
thanks for being patient with me
i don't see keychain/login/certificates
w
all good. as i said this is far from my first rodeo.
i
im on windows and i am looking in my trusted root certificate authorities
w
ohh sorry
you said keychain so went to mac
so windows credential manager
i
yep
w
actually sorry resetting brain. machine certificates
trusted root certificate authorities\certificates
i
yep im there
w
you should see the same name in the "Issued by" in that list
i
i dont see an exact match of cert.company.gov in there but i see some "company root CA" in there.
w
yeah can never remember what attribute to match on
i
i don't see any of these certificates being issued to the k3s.io we saw through the link
we opened earlier
w
ok, quit RD, so open a CMD window and
set node_tls_reject_unauthorized=0
and then run RD's exe from the same window
and yup its not the name of the endpoint, but the issuer of the cert.
thats how you establish TLS trust.
you trust the issuer so any certs it issues are good. so we need to get fetch to trust the issuer as well or disable it
i
the command you gave me didn't change the behavior
w
yeah fetch is always a bit finicky and i don't know if there is a client wrapper at play as well
i would try to use your browser and see if you can manually bootstrap the init part
using the airgap doc
i
so complicated
w
@proud-jewelry-46860 may have some thoughts on windows node fetch and self-signed from a proxy intercept. i am guessing the VM centric parts might be ok, but the host side fetch might need another nudge
yeah breaking internet security tends to break a lot of things that try and avoid that
what is a head scratcher for me is why i have not had this issue personally. thats why i thought the CA for the proxy was not in the Trusted list.
i
hm
im actually just going to deprecate to 1.12.3 and go up to the current version from there
ill let u know how that goes
downloading kubernetes components just fine on the earlier build
w
sounds like a regression. i would say https://github.com/rancher-sandbox/rancher-desktop/issues is a good place to drop that. provide the deets on what version you were trying to install, which one you did install, and the issues with init being able to fetch the channels due to CA mistrust