Deploying single-node Rancher with Docker behind an nginx proxy: k3s fleet-agent-0 certificate error

failed to verify certificate: x509: certificate signed by unknown authority

Rancher version: 2.10.3

The nginx and Rancher startup commands were followed as documented.

```
time="2025-03-04T11:36:25Z" level=error msg="Failed to register agent: registration failed: cannot create clusterregistration on management cluster for cluster id 'bcpr2jxfxdqmm6rrps7scl6jmkkctfvqj8qcqvts6l282c8m52vwwb': Post \"https://xxxx.xxxx.com/apis/fleet.cattle.io/v1alpha1/namespaces/fleet-local/clusterregistrations\": tls: failed to verify certificate: x509: certificate signed by unknown authority"
```

Please list the detailed installation steps so I can see whether I can reproduce it.

1. Fresh Rocky Linux 9.5 minimal
2. Disable firewalld
```shell
systemctl stop firewalld
systemctl disable firewalld
systemctl mask firewalld
```
3. Install iptables
```shell
dnf install iptables-services iptables-utils -y
systemctl enable --now iptables
```
4. Load the iptables kernel modules
```shell
modprobe ip_tables
modprobe ip_conntrack
modprobe iptable_filter
modprobe ipt_state
```
5. Load the iptables modules at boot
```shell
vi /etc/modules-load.d/iptables.conf
```
with the following content:
```
ip_tables
ip_conntrack
iptable_filter
ipt_state
```
6. Extract the k3s airgap image tarball from the Rancher image so it can be bind-mounted from the host
```shell
docker run --rm --entrypoint "" -v $(pwd):/output registry.cn-hangzhou.aliyuncs.com/rancher/rancher:v2.10.3 cp /var/lib/rancher/k3s/agent/images/k3s-airgap-images.tar /output/k3s-airgap-images.tar
```
7. Copy it to the persistent path
```shell
mkdir -p /home/rancher/rancher/k3s/agent/images/
cp k3s-airgap-images.tar /home/rancher/rancher/k3s/agent/images/
```
8. Start the Rancher container
```shell
docker run -d --restart=unless-stopped --name rancher --privileged \
  -p 4000:80 -p 4443:443 \
  -e CATTLE_SYSTEM_DEFAULT_REGISTRY=registry.cn-hangzhou.aliyuncs.com \
  -v /home/rancher/rancher:/var/lib/rancher \
  registry.cn-hangzhou.aliyuncs.com/rancher/rancher:v2.10.3 --no-cacerts
```

9. nginx proxy

Add rancher.conf under /etc/nginx/conf.d:

```nginx
# Redirect plain HTTP to HTTPS.
server {
    listen       80;
    listen       [::]:80;
    server_name  xxx.xxx.com;
    return 301 https://$server_name$request_uri;
}

# The Rancher container, published on host port 4000 (container port 80).
upstream rancher {
    server 127.0.0.1:4000;
}

# WebSocket support: pass "Upgrade" through when the client asks for it,
# otherwise close the upstream connection.
map $http_upgrade $connection_upgrade {
    default Upgrade;
    ''      close;
}

server {
    listen       443 ssl http2;
    listen       [::]:443 ssl http2;
    server_name  xxx.xxx.com;
    root         /usr/share/nginx/html;

    # TLS is terminated here; Rancher itself is reached over plain HTTP.
    # ssl_certificate must contain the leaf followed by its intermediate(s);
    # a client that does not fetch intermediates itself cannot verify a leaf served alone.
    ssl_certificate "/etc/nginx/ssl/cert.pem";
    ssl_certificate_key "/etc/nginx/ssl/key.pem";

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_read_timeout 900s;
        proxy_buffering off;

        proxy_pass http://rancher;
    }

    error_page 404 /404.html;
    location = /404.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}
```

10. Open the web page xxx.xxx.com


```
time="2025-03-05T02:25:52Z" level=warning msg="Cannot find fleet-agent secret, running registration"
time="2025-03-05T02:25:52Z" level=info msg="Creating clusterregistration with id '9sm54bf9jtr5bfhwwtqt6h7c7pbgjsjwzqv22djbwzh7ccxclml5mr' for new token"
time="2025-03-05T02:25:52Z" level=error msg="Failed to register agent: registration failed: cannot create clusterregistration on management cluster for cluster id '9sm54bf9jtr5bfhwwtqt6h7c7pbgjsjwzqv22djbwzh7ccxclml5mr': Post \"https://xxx.xxx.com/apis/fleet.cattle.io/v1alpha1/namespaces/fleet-local/clusterregistrations\": tls: failed to verify certificate: x509: failed to load system roots and no roots provided; readdirent /dev/null: not a directory"
time="2025-03-05T02:26:52Z" level=warning msg="Cannot find fleet-agent secret, running registration"
time="2025-03-05T02:26:52Z" level=info msg="Creating clusterregistration with id '9sm54bf9jtr5bfhwwtqt6h7c7pbgjsjwzqv22djbwzh7ccxclml5mr' for new token"
time="2025-03-05T02:26:56Z" level=error msg="Failed to register agent: registration failed: cannot create clusterregistration on management cluster for cluster id '9sm54bf9jtr5bfhwwtqt6h7c7pbgjsjwzqv22djbwzh7ccxclml5mr': Post \"https://xxx.xxx.com/apis/fleet.cattle.io/v1alpha1/namespaces/fleet-local/clusterregistrations\": tls: failed to verify certificate: x509: failed to load system roots and no roots provided; readdirent /dev/null: not a directory"
```

Note: this is the startup error with the --no-cacerts flag added. Without --no-cacerts it reports the error from the original question instead, i.e. certificate signed by unknown authority.
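Two things are worth checking before giving up on the Docker install. First, fleet-agent is a Go program, and Go's crypto/x509 never fetches a missing intermediate over AIA the way a browser does, so if `/etc/nginx/ssl/cert.pem` holds only the leaf (acme.sh's `--cert-file` output; `--fullchain-file` is the leaf plus intermediate) a browser can still open the site while every Go client fails with "certificate signed by unknown authority". Second, a note on the `--no-cacerts` log above that is my own reading and not something stated in the thread: Rancher 2.9 and later have an `agent-tls-mode` setting whose `strict` default makes agents trust only the CA held in Rancher's `cacerts` setting rather than the system store; with `--no-cacerts` and TLS terminated in nginx that leaves the agent with no roots, which is consistent with the "no roots provided" line, and `system-store` is the value meant for publicly signed certificates. The script below is an added example (my own code, not from this thread, Rancher or acme.sh) that reproduces the first problem offline: it builds a throwaway root -> intermediate -> leaf PKI (all names, including `xxx.xxx.com`, are made up), then models a client that trusts only the root and receives either the leaf alone or the full chain. The same `chain_verifies` function can be pointed at the real `cert.pem` nginx serves, with `/etc/pki/tls/cert.pem` as the trust store.

```bash
#!/usr/bin/env bash
# Added example, not code from the thread. Shows why a client that trusts only
# the public roots rejects a server that sends the leaf certificate alone, and
# gives a check to run on the file nginx actually serves. Toy PKI names and the
# hostname xxx.xxx.com are assumptions for the demo.
set -euo pipefail

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# sign <csr> <out-cert> <issuer-cert> <issuer-key> <extensions-text>
sign() {
  printf '%b' "$5" > "$2.ext"
  openssl x509 -req -in "$1" -CA "$3" -CAkey "$4" -CAcreateserial \
    -days 1 -out "$2" -extfile "$2.ext" >/dev/null 2>&1
}

# Toy PKI in the shape of a public CA: root -> intermediate -> server leaf.
# Runs in a subshell so the cd does not leak to the caller.
make_toy_pki() (
  cd "$WORK"
  openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj "/CN=Toy Root" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
  openssl x509 -req -in root.csr -signkey root.key -days 1 -out root.pem \
    -extfile root.ext >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
    -subj "/CN=Toy Intermediate" >/dev/null 2>&1
  sign int.csr int.pem root.pem root.key \
    'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n'
  openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=xxx.xxx.com" >/dev/null 2>&1
  sign leaf.csr leaf.pem int.pem int.key \
    'basicConstraints=CA:FALSE\nsubjectAltName=DNS:xxx.xxx.com\nextendedKeyUsage=serverAuth\n'
  cp leaf.pem cert.pem                  # what acme.sh --cert-file writes: leaf only
  cat leaf.pem int.pem > fullchain.pem  # what acme.sh --fullchain-file writes
)

# cert_count <pem-file>: how many certificates nginx would send from this file.
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1" || true; }

# chain_verifies <trusted-roots> <served-bundle> <hostname>
# Models a client that trusts only <trusted-roots> (the system store) and gets
# <served-bundle> from the server: first cert is the leaf, the rest are
# untrusted intermediates, exactly as a TLS client treats them. Prints ok/fail.
# OpenSSL's "unable to get local issuer certificate" is the same condition Go
# reports as "certificate signed by unknown authority".
chain_verifies() {
  local roots="$1" sent="$2" host="$3" leaf extra
  leaf="$(mktemp "$WORK/leaf.XXXXXX")"
  extra="$(mktemp "$WORK/extra.XXXXXX")"
  awk '/BEGIN CERTIFICATE/{n++} n==1' "$sent" > "$leaf"
  awk '/BEGIN CERTIFICATE/{n++} n>=2' "$sent" > "$extra"
  local -a untrusted=()
  [ -s "$extra" ] && untrusted=(-untrusted "$extra")   # openssl rejects an empty -untrusted file
  if openssl verify -CAfile "$roots" "${untrusted[@]}" -verify_hostname "$host" \
       "$leaf" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

main() {
  make_toy_pki
  for f in cert.pem fullchain.pem; do
    printf '%-14s %s cert(s): %s\n' "$f" "$(cert_count "$WORK/$f")" \
      "$(chain_verifies "$WORK/root.pem" "$WORK/$f" xxx.xxx.com)"
  done
}
main
```

Against the real deployment, `cert_count /etc/nginx/ssl/cert.pem` returning 1 means nginx is serving the leaf alone; pointing `ssl_certificate` at acme.sh's fullchain file fixes that without touching Rancher. Note that `"${untrusted[@]}"` with an empty array needs bash 4.4 or later under `set -u`, which Rocky 9 has.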

One more question: how was your certificate created?

https://github.com/acmesh-official/acme.sh

This one, using automatic validation (DNS API):

https://github.com/acmesh-official/acme.sh/wiki/dnsapi#dns_ali

the Alibaba Cloud API. A Let's Encrypt certificate, not the default ZeroSSL one.

I was busy with other things before.

I don't know how to solve this on the Docker side, so I simply gave up on it and switched to installing k3s + Rancher directly.

The same domain and certificate work without any problem when installing Rancher on a machine with k3s.

Learning curve aside, even for a single node, k3s + Rancher is far more practical than starting Rancher with Docker.
