# general

late-vr-98727

09/21/2022, 9:12 AM
Hey folks! I have an rke2 based cluster on rancher (v2.6.7). I wanted to enable Authorized Cluster Endpoint, so I did `localClusterAuthEndpoint: enabled: true`. And then it did give me kubeconfig with all the master nodes info. But when I use one of the contexts defined in the kubeconfig, I get the following error:
Unable to connect to the server: x509: certificate is valid for 127.0.0.1, ::1, 10.128.0.17, 10.43.0.1, not 98.190..
can anyone please help?

bright-whale-83501

09/21/2022, 9:22 AM
Hi. Struggling with the exact same problem myself. I added a question in #rke2 that's related, and no answer.
I assume you have the fqdn context in your kubeconfig file, but no token

late-vr-98727

09/21/2022, 9:27 AM
I did not provide fqdn value, it is taking the downstream cluster server ip address!

bright-whale-83501

09/21/2022, 9:27 AM
that should probably work as well.
but do you have a token or certificate for that context to authenticate with?

late-vr-98727

09/21/2022, 9:30 AM
yeah i have a `certificate-authority-data`, but it still throws the error

bright-whale-83501

09/21/2022, 9:30 AM
may I ask, did you add a CA in the form field in rancher?

late-vr-98727

09/21/2022, 9:31 AM
nope just enabled it to true and did not add CA

bright-whale-83501

09/21/2022, 9:31 AM
I think your problem is that you need to set SAN to a k8s master IP

late-vr-98727

09/21/2022, 9:32 AM
ok.. how to do it, any idea?

bright-whale-83501

09/21/2022, 9:32 AM
do you have rancher gui? (which version)

late-vr-98727

09/21/2022, 9:32 AM
yes.. 2.6.7

bright-whale-83501

09/21/2022, 9:33 AM
look in cluster management, enter the cluster, edit config. Look at "Networking"
There at the bottom you have ACE, and above TLS alternative names
I have rancher 2.6.8 so it might be different, have not used 2.6.7 since i skipped that release
that could be, yes

late-vr-98727

09/21/2022, 9:50 AM
hey @bright-whale-83501, do I need to edit the cluster config where rancher server is installed or downstream cluster?

bright-whale-83501

09/21/2022, 9:54 AM
Downstream cluster
Since ACE is about authentication, what authenticate. If you don't use ace you always use the rancher cluster

late-vr-98727

09/21/2022, 11:55 AM
yeah gotcha. But I am not getting the "Networking" options in cluster config yaml

bright-whale-83501

09/21/2022, 12:38 PM
Your rancher cluster, are you admin?
If you look in the yaml, you should see machineGlobalConfig. cluster-domain and tls-san in there?

late-vr-98727

09/21/2022, 12:55 PM
I am not admin. Does it require to be admin?

able-engineer-22050

10/05/2022, 4:46 PM
Hi, I have a related question to this. I have a couple of downstream rke2 clusters not created with authorized cluster endpoint enabled. Can I somehow enable this after creation?