This message was deleted.

Hmm that's interesting. I take it you're using custom CAs? This may not be handled very well at the moment.

Yes, we are generating our CAs using hashicorp vault.

Can you describe the CA structure you're using? Does it match what's recommended by our docs? I can try to repro and suggest a workaround if possible.

We are using the proposed Custom CA Topology, using a Root CA that signed our Vault Intermediate CA. The intermediate is then used to sign the leaf CAs using vault/sign-intermediate. We just removed the generation of the root and intermediate CAs from the k3s

generate-custom-ca-certs.sh

and replaced the leaf CA generation with a vault CLI call.