# harvester
a
This message was deleted.
s
In the hosts file of the new node trying to register?
p
Yes. Because the cert held was for harvester.etc.etc not for the private IP. So it had to register to harvester.etc.etc (in the rancherd config file is where you change the registration URL)
s
I have a Harvester v1.4.0 cluster that I'm building which is in exactly this state. The first node has been up for a few weeks, and I gave it a cert for its UI. I built the second node yesterday, but it hasn't managed to join the cluster. It seems like this might be a reason.
p
Ahaha what a coincidence. I noticed that and thought it was a bit funny and figured "why not share to the slack" someone might use it. If you need any help with error messages or the configs, ping me, I'll be more than happy to help :)
s
So, when you went through the install process, did you enter the IP address or the fully qualified domain name of the management address? The install UI says you can enter either. I entered the FQDN.
p
~So, I have 10.0.1.60 as the VIP for Harvester. .61 is H1 (my first node)~
s
Okay - that's probably not my issue then. Thanks for sharing though 🙂
p
So, I have 10.0.1.60 as the VIP for Harvester.
.61 is H1 (my first node).
.62 is H2 (the one I'm adding).
h.m.c (harvester.my.company) points to 10.0.1.60.
The cert is for h.m.c.
When I added .62, I erroneously used .60 as registration URL thing.
So what I had to do was edit /etc/rancher/rancherd/config.yaml and change the server IP to h.m.c.
I guess using h.m.c in the installation may have worked too, I will test that tomorrow.
s
my config.yaml has:
```yaml
server: https://harvester.my.domain.name:443
```
It's doing this, which is probably a different issue.
p
Ah, something about my setup. In the Harvester UI, it asks for key, cert, and some third thing (CA?). I added only key and cert
Your config should work
s
Yeh, that's normal. You don't need to add a CA unless you've created your own. If you're using LetsEncrypt or similar then no CA needs to be added.
p
Right right, but you did add a CA
s
No
p
Huh, now that's weird...
s
I did this:
p
Okay. I just checked the installation script. It seems that CA verification is enforced (usually the default is false, weird). The following env variable should do the trick:
```sh
#   - CATTLE_AGENT_STRICT_VERIFY | STRICT_VERIFY (default: false)
```
s
Interesting... Thank you!
yep - making `/etc/systemd/system/rancherd.service.d/override.conf` contain:
```ini
[Service]
Environment=CATTLE_AGENT_STRICT_VERIFY=false
```
and doing `sudo systemctl daemon-reload` and `sudo systemctl restart rancherd.service` made this node join the cluster. Thank you - I shall add some notes to my original post.
p
Ah that's awesome! Bizarre that it defaulted to true in your case. But glad it worked regardless!
s
I have created https://github.com/harvester/harvester/issues/7489 with the issue and your workaround. Thank you.
p
As an aside, might be helpful in the future. I googled the error message "Aborting system-agent installation due to requested strict CA verification with no CA checksum provided" which led me to the install.sh script here: https://github.com/rancher/system-agent/blob/main/install.sh
The error message would be created on line 900, and this is in the conditions to reach it:
```sh
${CATTLE_AGENT_STRICT_VERIFY}
```