Recently moved some master nodes into different AWS AZs and am now having cert issues:

Oct 14 15:09:01 k8worker05 rke2: time="2022-10-14T15:09:01Z" level=info msg="Connecting to proxy" url="<wss://10.149.5.62:9345/v1-rke2/connect>"
Oct 14 15:09:01 k8worker05 rke2: time="2022-10-14T15:09:01Z" level=error msg="Failed to connect to proxy" error="x509: certificate is valid for 10.149.4.146, 10.149.4.32, 10.149.4.77, 10.43.0.1, 127.0.0.1, not 10.149.5.62"
Oct 14 15:09:01 k8worker05 rke2: time="2022-10-14T15:09:01Z" level=error msg="Remotedialer proxy error" error="x509: certificate is valid for 10.149.4.146, 10.149.4.32, 10.149.4.77, 10.43.0.1, 127.0.0.1, not 10.149.5.62"

Obviously

10.149.5.62

is the new IP and doesn't match what the cert is advertising. I'm stumped however about how the cert is being generated. The

/etc/rancher/rke2/config.yaml

file doesn't have any IP references... There are IPs in

/var/lib/rancher/rke2/server/tls/dynamic-cert.json

though these appear to be the result of some process. Any idea how to regenerate these certs?

Did you move them, or add new nodes? Server IPs are expected to be static for the life of that server in the cluster. You will probably need to delete the node from the cluster, clean up the files on disk, and rejoin it with its new IP address.

Thanks a lot - that did the trick!