Rancher 2.6.5: importing a managed ACK cluster shows Unable to connect to the server: x509

Rancher Server setup

  • Rancher version: 2.6.5
  • Installation option (Docker install/Helm Chart): docker
  • Online or air-gapped deployment: online deployment

Downstream cluster information

  • Kubernetes version: 1.22.3-aliyun.1
  • Cluster Type (Local/Downstream):
    • managed ACK, imported into Rancher Server

User information

  • What is the role of the logged-in user? (Admin/Cluster Owner/Cluster Member/Project Owner/Project Member/Custom): Admin
    • If custom, the custom permission set:

Describe the bug:

Steps to reproduce:

When importing the cluster, the curl --insecure method was chosen

Result:
In the cluster: the cattle-cluster-agent component reports an error
Shows: x509: certificate signed by unknown authority

Expected result:
The cluster can be managed by Rancher normally
Screenshots:

Additional context:
The cluster's worker nodes have no public IP address, but are permitted to access the Internet
The cluster API server has no public IP address
Rancher Server has a public address (EIP)
Rancher Server uses the default certificate
There is an additional ECS instance with kubectl installed that can run kubectl get pod (the ECS is in the same VPC as the cluster)

Logs

INFO: Environment: CATTLE_ADDRESS=10.12.0.167 CATTLE_CA_CHECKSUM= CATTLE_CLUSTER=true CATTLE_CLUSTER_AGENT_PORT=tcp://192.168.170.219:80 CATTLE_CLUSTER_AGENT_PORT_443_TCP=tcp://192.168.170.219:443 CATTLE_CLUSTER_AGENT_PORT_443_TCP_ADDR=192.168.170.219 CATTLE_CLUSTER_AGENT_PORT_443_TCP_PORT=443 CATTLE_CLUSTER_AGENT_PORT_443_TCP_PROTO=tcp CATTLE_CLUSTER_AGENT_PORT_80_TCP=tcp://192.168.170.219:80 CATTLE_CLUSTER_AGENT_PORT_80_TCP_ADDR=192.168.170.219 CATTLE_CLUSTER_AGENT_PORT_80_TCP_PORT=80 CATTLE_CLUSTER_AGENT_PORT_80_TCP_PROTO=tcp CATTLE_CLUSTER_AGENT_SERVICE_HOST=192.168.170.219 CATTLE_CLUSTER_AGENT_SERVICE_PORT=80 CATTLE_CLUSTER_AGENT_SERVICE_PORT_HTTP=80 CATTLE_CLUSTER_AGENT_SERVICE_PORT_HTTPS_INTERNAL=443 CATTLE_CLUSTER_REGISTRY= CATTLE_INGRESS_IP_DOMAIN=sslip.io CATTLE_INSTALL_UUID=41b06e35-c8c1-48b5-8299-13759bc99465 CATTLE_INTERNAL_ADDRESS= CATTLE_IS_RKE=false CATTLE_K8S_MANAGED=true CATTLE_NODE_NAME=cattle-cluster-agent-c7df5c795-n62k2 CATTLE_SERVER=https://xxxxxxxxxxxx CATTLE_SERVER_VERSION=v2.6.5
INFO: Using resolv.conf: search cattle-system.svc.cluster.local svc.cluster.local cluster.local nameserver 192.168.0.10 options ndots:5
INFO: https://xxxxxxxxxx/ping is accessible
time="2022-06-27T10:54:26Z" level=info msg="Listening on /tmp/log.sock"
time="2022-06-27T10:54:26Z" level=info msg="Rancher agent version v2.6.5 is starting"
time="2022-06-27T10:54:27Z" level=info msg="Certificate details from https://47.xxxxxxx"
time="2022-06-27T10:54:27Z" level=info msg="Certificate #0 (https://xxxxxxxxx)"
time="2022-06-27T10:54:27Z" level=info msg="Subject: CN=dynamic,O=dynamic"
time="2022-06-27T10:54:27Z" level=info msg="Issuer: CN=dynamiclistener-ca,O=dynamiclistener-org"
time="2022-06-27T10:54:27Z" level=info msg="IsCA: false"
time="2022-06-27T10:54:27Z" level=info msg="DNS Names: [localhost rancher.cattle-system]"
time="2022-06-27T10:54:27Z" level=info msg="IPAddresses: [127.0.0.1 172.17.0.2 xxxxxxxx]"
time="2022-06-27T10:54:27Z" level=info msg="NotBefore: 2022-06-27 09:02:19 +0000 UTC"
time="2022-06-27T10:54:27Z" level=info msg="NotAfter: 2023-06-27 09:02:38 +0000 UTC"
time="2022-06-27T10:54:27Z" level=info msg="SignatureAlgorithm: ECDSA-SHA256"
time="2022-06-27T10:54:27Z" level=info msg="PublicKeyAlgorithm: ECDSA"
time="2022-06-27T10:54:27Z" level=fatal msg="Certificate chain is not complete, please check if all needed intermediate certificates are included in the server certificate (in the correct order) and if the cacerts setting in Rancher either contains the correct CA certificate (in the case of using self signed certificates) or is empty (in the case of using a certificate signed by a recognized CA). Certificate information is displayed above. error: Get \"https://xxxxxxx\": x509: certificate signed by unknown authority"
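The agent log above contains the two facts that explain the failure: the environment line shows an empty CATTLE_CA_CHECKSUM, and the certificate dump shows the Rancher server presenting a leaf issued by Rancher's own generated CA (Issuer CN=dynamiclistener-ca), which no public trust store knows. The fatal message itself states the rule: the Rancher cacerts setting must hold that CA for a self-signed setup, or be empty when the certificate comes from a recognized CA. The following triage script is an added example, not Rancher's code or part of this issue. It parses agent log lines of this shape, flags the trust mismatch, and computes the value CATTLE_CA_CHECKSUM is expected to carry. Assumptions: the sample log is constructed (abbreviated from the report, with the server host replaced by a placeholder), and the checksum is modelled as the hex SHA-256 of the cacerts PEM text normalised to end in a newline; verify that last detail against your Rancher version before relying on it.

```python
"""Triage a cattle-cluster-agent startup log for a CA trust mismatch.

Added example (not Rancher code). Parses the 'INFO: Environment:' line and
the 'Certificate #N' blocks the agent logs before it decides whether to
trust CATTLE_SERVER, then reports whether the agent was given a CA checksum
that matches the kind of certificate the server actually presents.
"""
import hashlib
import re
from typing import Dict, List

# Issuer DN of Rancher's auto-generated (self-signed) CA, as seen in the log.
RANCHER_GENERATED_CA_ISSUER = "CN=dynamiclistener-ca,O=dynamiclistener-org"

# Constructed sample: abbreviated from the report, host replaced by a placeholder.
SAMPLE_LOG = """\
INFO: Environment: CATTLE_ADDRESS=10.12.0.167 CATTLE_CA_CHECKSUM= CATTLE_CLUSTER=true CATTLE_K8S_MANAGED=true CATTLE_SERVER=https://rancher.example.invalid CATTLE_SERVER_VERSION=v2.6.5
INFO: https://rancher.example.invalid/ping is accessible
time="2022-06-27T10:54:27Z" level=info msg="Certificate #0 (https://rancher.example.invalid)"
time="2022-06-27T10:54:27Z" level=info msg="Subject: CN=dynamic,O=dynamic"
time="2022-06-27T10:54:27Z" level=info msg="Issuer: CN=dynamiclistener-ca,O=dynamiclistener-org"
time="2022-06-27T10:54:27Z" level=info msg="IsCA: false"
time="2022-06-27T10:54:27Z" level=fatal msg="Certificate chain is not complete ... x509: certificate signed by unknown authority"
"""

# Constructed counter-example: a publicly trusted issuer but a stale checksum.
SAMPLE_LOG_PUBLIC = """\
INFO: Environment: CATTLE_CA_CHECKSUM=deadbeef CATTLE_SERVER=https://rancher.example.invalid
time="2022-06-27T10:54:27Z" level=info msg="Certificate #0 (https://rancher.example.invalid)"
time="2022-06-27T10:54:27Z" level=info msg="Subject: CN=rancher.example.invalid"
time="2022-06-27T10:54:27Z" level=info msg="Issuer: CN=Example Public CA,O=Example Trust"
time="2022-06-27T10:54:27Z" level=info msg="IsCA: false"
"""

MSG_RE = re.compile(r'msg="(.*)"$')
ENV_PREFIX = "INFO: Environment: "


def parse_environment(log: str) -> Dict[str, str]:
    """Turn the 'INFO: Environment: K=V K=V ...' line into a dict.
    Values may be empty (CATTLE_CA_CHECKSUM= in the report), so split each
    token on the first '=' only and keep empty strings."""
    for line in log.splitlines():
        if line.startswith(ENV_PREFIX):
            tokens = line[len(ENV_PREFIX):].split()
            return dict(tok.split("=", 1) for tok in tokens)
    return {}


def parse_certificates(log: str) -> List[Dict[str, str]]:
    """Collect each 'Certificate #N' block into a dict of its fields
    (Subject, Issuer, IsCA, ...). Fatal lines are skipped: they also
    contain ': ' but describe the error, not a certificate."""
    certs: List[Dict[str, str]] = []
    for line in log.splitlines():
        m = MSG_RE.search(line)
        if not m or "level=fatal" in line:
            continue
        msg = m.group(1)
        if msg.startswith("Certificate #"):
            certs.append({})
        elif certs and ": " in msg:
            key, value = msg.split(": ", 1)
            certs[-1][key] = value
    return certs


def expected_ca_checksum(ca_pem: str) -> str:
    """Model of CATTLE_CA_CHECKSUM: hex SHA-256 of the cacerts PEM text,
    normalised to end in a newline (assumption; matches `sha256sum` on a
    file that ends with a newline)."""
    if not ca_pem.endswith("\n"):
        ca_pem += "\n"
    return hashlib.sha256(ca_pem.encode()).hexdigest()


def diagnose(log: str) -> Dict[str, object]:
    """Compare the CA the agent was told to pin with the issuer it saw."""
    env = parse_environment(log)
    certs = parse_certificates(log)
    leaf = certs[0] if certs else {}
    ca_checksum = env.get("CATTLE_CA_CHECKSUM", "")
    issuer = leaf.get("Issuer", "")
    # Rancher's generated CA, or any self-signed leaf, is a private trust root:
    # the agent can only validate it if it was handed that CA via the checksum.
    private_issuer = issuer == RANCHER_GENERATED_CA_ISSUER or (
        bool(issuer) and issuer == leaf.get("Subject")
    )
    if private_issuer and not ca_checksum:
        finding = ("private CA on server but CATTLE_CA_CHECKSUM is empty: set the "
                   "Rancher cacerts setting to that CA PEM and re-generate the import manifest")
    elif not private_issuer and ca_checksum:
        finding = ("public CA on server but CATTLE_CA_CHECKSUM is set: clear the "
                   "Rancher cacerts setting and re-generate the import manifest")
    else:
        finding = "trust configuration consistent; look elsewhere for the x509 failure"
    return {
        "server": env.get("CATTLE_SERVER", ""),
        "ca_checksum": ca_checksum,
        "leaf_issuer": issuer,
        "private_issuer": private_issuer,
        "agent_fatal": any("level=fatal" in line for line in log.splitlines()),
        "finding": finding,
    }


if __name__ == "__main__":
    for name, sample in (("report", SAMPLE_LOG), ("public-ca", SAMPLE_LOG_PUBLIC)):
        print(name, diagnose(sample)["finding"])
```

Run against the full log from the report (with the real host in place of the placeholder) it produces the first finding; the `SAMPLE_LOG_PUBLIC` case shows the opposite misconfiguration, where a leftover checksum would make the agent reject a certificate that a public CA actually signed.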