
enough-toddler-31145

09/26/2022, 1:16 PM
Hey everyone! So I have a unique scenario and use case for rke2. I am using it for government compliance and to give people the warm and fuzzies on moving over to k8s. I started to deploy my VMs using Terraform with a RHEL8_STIG base image. From there I have Ansible deploy rke2 and bootstrap rke2. The issue I have been running into so far is certificates. So far the first server will be bootstrapped and running; however, the other server nodes cannot connect due to
remote error: tls: bad certificate
and I messed with my config a little bit and restarted the bootstrapped server to now get the following error:
E0926 13:03:06.509286 1306356 leaderelection.go:325] error retrieving resource lock kube-system/rke2: Get https://127.0.0.1:6443/api/v1/namespaces/kube-system/configmaps/rke2: dial tcp 127.0.0.1:6443: connect: connection refused
running a curl against this gives the following output:
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
Then running curl while ignoring certificates gives this output:
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "Unauthorized",
  "reason": "Unauthorized",
  "code": 401
}
Has anyone run into any trouble with rke2-server certificates, specifically on hardened RHEL8 boxes? Thanks!

gray-lawyer-73831

09/26/2022, 7:30 PM
Which version of rke2 are you using? We test pretty much every release using hardened rhel8 boxes and don't see that error 🤔 I wonder if this could be similar to either of the following issues?
• https://github.com/rancher/rke2/issues/2753
• https://github.com/rancher/rke2/issues/2861

enough-toddler-31145

09/27/2022, 6:44 PM
@gray-lawyer-73831 After some digging around, my team thought we had the latest release because we copied straight from the docs here. However, the repo says 1.18.
cat << EOF > /etc/yum.repos.d/rancher-rke2-1-18-latest.repo
[rancher-rke2-common-latest]
name=Rancher RKE2 Common Latest
baseurl=https://rpm.rancher.io/rke2/latest/common/centos/8/noarch
enabled=1
gpgcheck=1
gpgkey=https://rpm.rancher.io/public.key

[rancher-rke2-1-18-latest]
name=Rancher RKE2 1.18 Latest
baseurl=https://rpm.rancher.io/rke2/latest/1.18/centos/8/x86_64
enabled=1
gpgcheck=1
gpgkey=https://rpm.rancher.io/public.key
EOF

gray-lawyer-73831

09/27/2022, 6:48 PM
Ah thank you for the update! I just created https://github.com/rancher/rke2/issues/3386 to address that