
rich-crowd-36987

10/14/2022, 3:40 PM
Recently moved some master nodes into different AWS AZs and am now having cert issues:
Oct 14 15:09:01 k8worker05 rke2: time="2022-10-14T15:09:01Z" level=info msg="Connecting to proxy" url="<wss://10.149.5.62:9345/v1-rke2/connect>"
Oct 14 15:09:01 k8worker05 rke2: time="2022-10-14T15:09:01Z" level=error msg="Failed to connect to proxy" error="x509: certificate is valid for 10.149.4.146, 10.149.4.32, 10.149.4.77, 10.43.0.1, 127.0.0.1, not 10.149.5.62"
Oct 14 15:09:01 k8worker05 rke2: time="2022-10-14T15:09:01Z" level=error msg="Remotedialer proxy error" error="x509: certificate is valid for 10.149.4.146, 10.149.4.32, 10.149.4.77, 10.43.0.1, 127.0.0.1, not 10.149.5.62"
Obviously 10.149.5.62 is the new IP and doesn't match what the cert is advertising. I'm stumped however about how the cert is being generated. The /etc/rancher/rke2/config.yaml file doesn't have any IP references... There are IPs in /var/lib/rancher/rke2/server/tls/dynamic-cert.json though these appear to be the result of some process. Any idea how to regenerate these certs?
Did find the documentation re: certificate rotation - unsure if that'd solve the issue and am slightly nervous about just trying it 🙂

creamy-pencil-82913

10/14/2022, 5:24 PM
Did you move them, or add new nodes? Server IPs are expected to be static for the life of that server in the cluster. You will probably need to delete the node from the cluster, clean up the files on disk, and rejoin it with its new IP address.

rich-crowd-36987

10/14/2022, 6:07 PM
Thanks a lot - that did the trick!