the rancher server is using a self signed cert via cert manager

make sure you have only the required CA cert configured on the rancher side. and that it’s in the correct format.

I just verified that the

CATTLE_CA_CHECKSUM

env variable in the downstream cluster matches the checksum from the CA cert of the rancher server found with

curl -k -s -fL https://<rancher_server>/v3/settings/cacerts | jq -r .value | sha256sum | awk '{print $1}'

time="2024-12-04T19:35:34Z" level=info msg="Testing connection to https://<rancher_server> using trusted certificate authorities within: /etc/kubernetes/ssl/certs/serverca"
time="2024-12-04T19:35:34Z" level=error msg="Could not securely connect to https://<rancher_server>: Get \"https://<rancher_server>\": tls: failed to verify certificate: x509: certificate signed by unknown authority"

does this mean I need to put certs in

etc/kubernetes/ssl/certs/serverca

of the downstream cluster I'm trying to import?

This has been resolved. For anyone curious, what I had to do was: • update rancher to use an SSL cert signed by a private CA (from a cert signed by cert-manager) - https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/resources/update-rancher-certificate#updating-a-pr[…]ca-certificate • updated proxy host's nginx config to look like the reference from https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/configure-layer-7-nginx-load-balancer#example-nginx-configuration