
lively-night-78214

12/08/2022, 9:56 AM
Is there a value in the configuration that I can provide to ensure there is no certificate mismatch?
Client Version: version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.2", GitCommit:"52c56ce7a8272c798dbc29846288d7cd9fbae032", GitTreeState:"clean", BuildDate:"2020-04-16T11:56:40Z", GoVersion:"go1.13.9", Compiler:"gc", Platform:"linux/amd64"}
Unable to connect to the server: x509: certificate is valid for kubernetes, kubernetes.default, kubernetes.default.svc, kubernetes.default.svc.cluster.local, localhost, myapp-k3s-server, not k3s.domain.space

creamy-pencil-82913

12/08/2022, 10:02 AM
Did you set --tls-san=k3s.domain.space to add that as a valid hostname for the certificate, when first starting the cluster?

lively-night-78214

12/08/2022, 10:03 AM
No, I had no clue I needed that.
I thought the K3S_HOST

creamy-pencil-82913

12/08/2022, 10:03 AM
How would the cluster know that you would want to address it by that hostname?

lively-night-78214

12/08/2022, 10:03 AM
would take care of such aspects, but I think that is just used by the agent.

creamy-pencil-82913

12/08/2022, 10:04 AM
Where did you see a K3S_HOST variable?

lively-night-78214

12/08/2022, 10:04 AM
Not sure, the quick start does not mention it: https://docs.k3s.io/quick-start
It is actually K3S_URL.

creamy-pencil-82913

12/08/2022, 10:05 AM
Do you mean K3S_URL?

lively-night-78214

12/08/2022, 10:05 AM
Yep.

creamy-pencil-82913

12/08/2022, 10:05 AM
Yes, that is the URL of the server to join.
It is an alias for --server.

lively-night-78214

12/08/2022, 10:05 AM
OK, I know the quick start is meant to be quick 🙂
But maybe a bit too quick 🙂
To avoid certificate errors in such a configuration, you should install the server with the
--tls-san YOUR_IP_OR_HOSTNAME_HERE
option. This option adds an additional hostname or IP as a Subject Alternative Name in the TLS cert, and it can be specified multiple times if you would like to access via both the IP and the hostname.

lively-night-78214

12/08/2022, 10:06 AM
Do you think it should be left out of the quick start?

creamy-pencil-82913

12/08/2022, 10:06 AM
Yes, that is absolutely not something most people need to do.
Is that an alias for, or a load balancer in front of, the server?

lively-night-78214

12/08/2022, 10:07 AM
But then even for non-high-availability setups I still cannot connect to the server from my PC.
No, it is just a URL I provision with Cloudflare.

creamy-pencil-82913

12/08/2022, 10:07 AM
myapp-k3s-server
would be the name of the server?

lively-night-78214

12/08/2022, 10:07 AM
It has an actual domain.

creamy-pencil-82913

12/08/2022, 10:07 AM
You’re putting cloudflare in front of your apiserver?

lively-night-78214

12/08/2022, 10:08 AM
But basically the URL points to the IP that I run the k3s server install on.

creamy-pencil-82913

12/08/2022, 10:08 AM
That's not something you usually expose to the internet.
Also, if you are going to put something in front of the apiserver, it cannot terminate SSL, as Kubernetes uses client certificate authentication.

lively-night-78214

12/08/2022, 10:08 AM
I am not putting a proxy solution in front of it.
I just use DNS from Cloudflare.

creamy-pencil-82913

12/08/2022, 10:08 AM
OK.

lively-night-78214

12/08/2022, 10:09 AM
Mainly because it is all Terraformable.

creamy-pencil-82913

12/08/2022, 10:09 AM
Yes, so if you are going to use a DNS alias or load balancer instead of the hostname, you need to add those to the --tls-san.
You're way beyond the quickstart if you're doing Terraform and setting up DNS aliases.
You might want to explore a bit more of the docs.

lively-night-78214

12/08/2022, 10:10 AM
Cool, thank you. I still think this should not be part of a high-availability doc... but again, maybe it is just my use case.
Yep, I do.
I need to understand it a bit more, but wanted to avoid HA,
at least for now.

creamy-pencil-82913

12/08/2022, 10:10 AM

lively-night-78214

12/08/2022, 10:10 AM
But looks like you cannot escape it.
OK, just a quick question, if you don't mind, that I asked earlier.
Should I tag you on it?
It is about the architecture,
in another thread.