
adventurous-vr-13726

02/22/2023, 7:43 AM
Hi guys, we are trying to install rke2 and seem to be running into an issue when trying to connect nodes to servers.
CA cert validation failed: Get "https://127.0.0.1:6444/cacerts": x509: cannot validate certificate for 127.0.0.1 because it doesn't contain any IP SANs
It's a bit obscure and I have not found much online about it. There is no FW, and the LB is set up to offload TLS. Any ideas?

creamy-pencil-82913

02/22/2023, 9:48 AM
Don't do that. If you have a LB in front of the rke2 control plane, it must use the same ports, and pass through TCP directly. Kubernetes makes extensive use of client certificate auth, and offloading TLS to the load-balancer breaks that.

adventurous-vr-13726

02/22/2023, 9:49 AM
okay so I should set passthru

creamy-pencil-82913

02/22/2023, 9:49 AM
You don't even really need an expensive external load-balancer in front of the servers; a DNS alias is just fine. The registration endpoint is only used when joining the cluster; after that the client pulls endpoints from the cluster, so the external LB is completely unused.

adventurous-vr-13726

02/22/2023, 9:49 AM
It's possible it's already set up like this. We have stood up 3 other Rancher clusters and the install went fine.