# rancher-setup
r
Good morning, I have set up Rancher 2.11.1, and I’m having issues creating downstream clusters. Getting the following error:
```
[INFO]  CA strict verification is set to true
[INFO]  Using default agent configuration directory /etc/rancher/agent
[INFO]  Using default agent var directory /var/lib/rancher/agent
[FATAL]  Aborting system-agent installation due to requested strict CA verification with no CA checksum provided
```
Is there a workaround or fix for this?
m
That depends on how you are installing Rancher. Are you providing your own certificate? What does your values.yaml for Rancher look like? Did you make the secrets for `tls-rancher-ingress` and `tls-ca` if using your own cert? Please sanitize any data you share here.
r
I installed with helm command and passed the values in that manner:
```
helm install rancher rancher-latest/rancher \
  --namespace cattle-system \
  --set hostname=rancher.xxxxx.lan \
  --set replicas=3 \
  --set bootstrapPassword=adminPasswordxxx \
  --set ingress.tls.source=secret
```
```
USER-SUPPLIED VALUES:
bootstrapPassword: adminPasswordxxx
hostname: rancher.xxxxx.lan
ingress:
  tls:
    source: secret
replicas: 3
```
```
kubectl get secrets -n cattle-system
NAME                                               TYPE                                  DATA   AGE
bootstrap-secret                                   Opaque                                1      65d
cattle-webhook-ca                                  kubernetes.io/tls                     2      65d
cattle-webhook-tls                                 kubernetes.io/tls                     2      65d
imperative-api-sni-provider-cert-ca                Opaque                                2      57d
rancher-ca                                         kubernetes.io/tls                     2      60d
rancher-token-6hz2x                                kubernetes.io/service-account-token   3      65d
serving-cert                                       kubernetes.io/tls                     2      65d
sh.helm.release.v1.rancher-webhook.v13             helm.sh/release.v1                    1      65d
sh.helm.release.v1.rancher-webhook.v14             helm.sh/release.v1                    1      65d
sh.helm.release.v1.rancher-webhook.v15             helm.sh/release.v1                    1      65d
sh.helm.release.v1.rancher-webhook.v16             helm.sh/release.v1                    1      65d
sh.helm.release.v1.rancher-webhook.v17             helm.sh/release.v1                    1      65d
sh.helm.release.v1.rancher.v1                      helm.sh/release.v1                    1      65d
sh.helm.release.v1.system-upgrade-controller.v13   helm.sh/release.v1                    1      65d
sh.helm.release.v1.system-upgrade-controller.v14   helm.sh/release.v1                    1      65d
sh.helm.release.v1.system-upgrade-controller.v15   helm.sh/release.v1                    1      65d
sh.helm.release.v1.system-upgrade-controller.v16   helm.sh/release.v1                    1      65d
sh.helm.release.v1.system-upgrade-controller.v17   helm.sh/release.v1                    1      65d
tls-rancher                                        kubernetes.io/tls                     2      58d
tls-rancher-ingress                                kubernetes.io/tls                     3      60d
tls-rancher-internal                               kubernetes.io/tls                     2      65d
tls-rancher-internal-ca                            kubernetes.io/tls                     2      65d
```
m
Are you using a private CA cert? Did you upgrade from an older Rancher release? If you are ok with using Rancher's system store for agent tls, you can set the agent-tls-mode to system store in your values.yaml. https://github.com/rancher/rancher/blob/main/chart/values.yaml#L52
r
@mysterious-animal-29850 It is a brand new install in a lab environment. I have a separate HA proxy VM, but that’s for my local cluster.
@mysterious-animal-29850 I will look at upgrading the install and setting the value to system store, and test again. Thanks
👍 1
m
Ok, appreciate the update. There was a change to a Rancher setting in 2.9.x with the agent store.
Let us know if that worked for you.
r
Will do! I wasn’t aware; the last version I installed was 2.7, I think, and I decided to update, but it wouldn’t allow me, so I started fresh.
👍 1