# general
Hi, I have a question regarding Rancher's behavior when switching the TLS certificate used in an existing setup. I'm using Rancher versions 2.9.3 and 2.10.0, and initially I had a certificate generated by cert-manager, set using `tls.secret: rancher` in the Helm values. Later on, I switched to a self-signed certificate (or a certificate signed by a private CA). At that point, there was already an existing downstream cluster registered and functioning. After changing the certificate, the `rancher-system-agent` on the cluster nodes started throwing the following error:

```
rancher-system-agent[3597227]: time="2025-02-20T16:20:12Z" level=info msg="Initial connection to Kubernetes cluster failed with error Get \"https://mi.dominio.com/version\": tls: failed to verify certificate: x509: certificate signed by unknown authority, removing CA data and trying again"
rancher-system-agent[3597227]: time="2025-02-20T16:20:12Z" level=fatal msg="error while connecting to Kubernetes cluster with nullified CA data: Get \"https://mi.dominio.com/version\": tls: failed to verify certificate: x509: certificate signed by unknown authority"
```

As a workaround, I manually installed the private CA certificate on each host node, and after that, the error went away. My question is: Is this the expected behavior when switching to a self-signed or private CA certificate with an existing downstream cluster, or could this be considered a bug? Note: From the agent pods, I can reach the Rancher URLs without needing to specify the CA certificate explicitly. Thanks in advance for your help.
thanks
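The failure shown in the log above, reproduced as an added example that is not part of this thread or of Rancher's code: it generates a throwaway private CA and a server certificate for mi.dominio.com with Go's standard library, then runs the same x509 chain validation the agent's TLS client performs, once against a trust store that lacks the CA (the "certificate signed by unknown authority" outcome) and once after the CA is added, which is what installing it on each node achieved. The CA name, keys and certificates are constructed in-process for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with key; passing tmpl as its own parent yields a self-signed root.
func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, key ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER just produced by CreateCertificate always parses
	return cert
}

// newChain builds a throwaway private CA and a server certificate it signs for host (constructed data).
func newChain(host string) (ca, server *x509.Certificate) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	srvPub, _, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Private CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: now, NotAfter: now.Add(24 * time.Hour)}
	ca = issue(caTmpl, caTmpl, caPub, caKey)
	srvTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{host}, NotBefore: now,
		NotAfter: now.Add(24 * time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	return ca, issue(srvTmpl, ca, srvPub, caKey)
}

// unknownAuthority runs the chain validation the agent's TLS client performs and reports whether it
// fails with "certificate signed by unknown authority", i.e. roots does not contain the issuing CA.
func unknownAuthority(server *x509.Certificate, roots *x509.CertPool, host string) (bool, error) {
	_, err := server.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	_, unknown := err.(x509.UnknownAuthorityError)
	return unknown, err
}

func main() {
	ca, server := newChain("mi.dominio.com")
	trusted := x509.NewCertPool() // adding the CA here is what installing it on each node achieved
	trusted.AddCert(ca)
	fmt.Println(unknownAuthority(server, x509.NewCertPool(), "mi.dominio.com")) // empty store: true, error
	fmt.Println(unknownAuthority(server, trusted, "mi.dominio.com"))            // CA trusted: false, <nil>
}
```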