Importing an EKS cluster into Rancher fails with: Issuer of last certificate found in chain; x509: certificate is not authorized to sign other certificates


  • Rancher Server
    • Rancher version: v2.6.13
    • Installation method: Docker
    • Nginx reverse proxy for HTTPS (self-signed certificate), forwarding to Rancher's port 443
  • EKS cluster
    • EKS version: 17
    • Kubernetes version: 1.23
    • Networking: intranet (no public ingress or egress)

Rancher server (docker-compose)

version: '3.0'
services:
  rancher:
    privileged: true
    image: rancher/rancher:v2.6.13
    container_name: rancher
    ports:
      - 80:80
      - 443:443
    restart: unless-stopped

EKS node

JUhX75ZvX@ip-10-33-66-161:~$ kubectl get pods --all-namespaces
NAMESPACE       NAME                                    READY   STATUS             RESTARTS        AGE
cattle-system   cattle-cluster-agent-776cbb8c59-psssh   0/1     CrashLoopBackOff   7 (4m44s ago)   15m
kube-system     aws-node-db5zs                          1/1     Running            0               3h39m
kube-system     aws-node-nq9nn                          1/1     Running            0               3h39m
kube-system     coredns-5b88d66b9c-gsqsp                1/1     Running            0               3h47m
kube-system     coredns-5b88d66b9c-hfp7x                1/1     Running            0               3h47m
kube-system     kube-proxy-lnv4k                        1/1     Running            0               3h39m
kube-system     kube-proxy-n2x8r                        1/1     Running            0               3h39m
JUhX75ZvX@ip-10-33-66-161:~$ 
JUhX75ZvX@ip-10-33-66-161:~$ kubectl logs cattle-cluster-agent-776cbb8c59-psssh --namespace cattle-system
INFO: Environment: CATTLE_ADDRESS=10.11.172.75 CATTLE_CA_CHECKSUM=260cb54f60184fa450d029d3d4e9272d67a13f522f9e472e9f08588cab72741e CATTLE_CLUSTER=true CATTLE_CLUSTER_AGENT_PORT=tcp://172.11.140.33:80 CATTLE_CLUSTER_AGENT_PORT_443_TCP=tcp://172.11.140.33:443 CATTLE_CLUSTER_AGENT_PORT_443_TCP_ADDR=172.11.140.33 CATTLE_CLUSTER_AGENT_PORT_443_TCP_PORT=443 CATTLE_CLUSTER_AGENT_PORT_443_TCP_PROTO=tcp CATTLE_CLUSTER_AGENT_PORT_80_TCP=tcp://172.11.140.33:80 CATTLE_CLUSTER_AGENT_PORT_80_TCP_ADDR=172.11.140.33 CATTLE_CLUSTER_AGENT_PORT_80_TCP_PORT=80 CATTLE_CLUSTER_AGENT_PORT_80_TCP_PROTO=tcp CATTLE_CLUSTER_AGENT_SERVICE_HOST=172.11.140.33 CATTLE_CLUSTER_AGENT_SERVICE_PORT=80 CATTLE_CLUSTER_AGENT_SERVICE_PORT_HTTP=80 CATTLE_CLUSTER_AGENT_SERVICE_PORT_HTTPS_INTERNAL=443 CATTLE_CLUSTER_REGISTRY= CATTLE_FEATURES=embedded-cluster-api=false,fleet=false,monitoringv1=false,multi-cluster-management=false,multi-cluster-management-agent=true,provisioningv2=false,rke2=false CATTLE_INGRESS_IP_DOMAIN=sslip.io CATTLE_INSTALL_UUID=2143b49d-74a9-4197-9571-06325880154e CATTLE_INTERNAL_ADDRESS= CATTLE_IS_RKE=false CATTLE_K8S_MANAGED=true CATTLE_NODE_NAME=cattle-cluster-agent-776cbb8c59-psssh CATTLE_SERVER=https://rancherdev.XXX.XXX CATTLE_SERVER_VERSION=v2.6.12
INFO: Using resolv.conf: nameserver 172.11.0.10 search cattle-system.svc.cluster.local svc.cluster.local cluster.local ap-south-1.compute.internal options ndots:5
INFO: https://rancherdev.XXX.XXX/ping is accessible
INFO: rancherdev.XXX.XXX resolves to 10.11.82.4
INFO: Value from https://rancherdev.XXX.XXX/v3/settings/cacerts is an x509 certificate
time="2023-12-27T18:40:25Z" level=info msg="Listening on /tmp/log.sock"
time="2023-12-27T18:40:25Z" level=info msg="Rancher agent version v2.6.12 is starting"
time="2023-12-27T18:40:26Z" level=info msg="Certificate details from https://rancherdev.XXX.XXX"
time="2023-12-27T18:40:26Z" level=info msg="Certificate #0 (https://rancherdev.XXX.XXX)"
time="2023-12-27T18:40:26Z" level=info msg="Subject: CN=XXX.XXX,C=AA"
time="2023-12-27T18:40:26Z" level=info msg="Issuer: CN=cattle-ca,C=AA"
time="2023-12-27T18:40:26Z" level=info msg="IsCA: false"
time="2023-12-27T18:40:26Z" level=info msg="DNS Names: [*.XXX.XXX XXX.XXX]"
time="2023-12-27T18:40:26Z" level=info msg="IPAddresses: <none>"
time="2023-12-27T18:40:26Z" level=info msg="NotBefore: 2023-04-10 03:14:41 +0000 UTC"
time="2023-12-27T18:40:26Z" level=info msg="NotAfter: 2033-04-07 03:14:41 +0000 UTC"
time="2023-12-27T18:40:26Z" level=info msg="SignatureAlgorithm: SHA256-RSA"
time="2023-12-27T18:40:26Z" level=info msg="PublicKeyAlgorithm: RSA"
time="2023-12-27T18:40:26Z" level=info msg="Certificate #1 (https://rancherdev.XXX.XXX)"
time="2023-12-27T18:40:26Z" level=info msg="Subject: CN=cattle-ca,C=AA"
time="2023-12-27T18:40:26Z" level=info msg="Issuer: CN=cattle-ca,C=AA"
time="2023-12-27T18:40:26Z" level=info msg="IsCA: false"
time="2023-12-27T18:40:26Z" level=info msg="DNS Names: <none>"
time="2023-12-27T18:40:26Z" level=info msg="IPAddresses: <none>"
time="2023-12-27T18:40:26Z" level=info msg="NotBefore: 2023-04-10 03:14:40 +0000 UTC"
time="2023-12-27T18:40:26Z" level=info msg="NotAfter: 2033-04-07 03:14:40 +0000 UTC"
time="2023-12-27T18:40:26Z" level=info msg="SignatureAlgorithm: SHA256-RSA"
time="2023-12-27T18:40:26Z" level=info msg="PublicKeyAlgorithm: RSA"
time="2023-12-27T18:40:26Z" level=info msg="Certificate details for /etc/kubernetes/ssl/certs/serverca"
time="2023-12-27T18:40:26Z" level=info msg="Certificate #0 (/etc/kubernetes/ssl/certs/serverca)"
time="2023-12-27T18:40:26Z" level=info msg="Subject: CN=dynamiclistener-ca@1703701587,O=dynamiclistener-org"
time="2023-12-27T18:40:26Z" level=info msg="Issuer: CN=dynamiclistener-ca@1703701587,O=dynamiclistener-org"
time="2023-12-27T18:40:26Z" level=info msg="IsCA: true"
time="2023-12-27T18:40:26Z" level=info msg="DNS Names: <none>"
time="2023-12-27T18:40:26Z" level=info msg="IPAddresses: <none>"
time="2023-12-27T18:40:26Z" level=info msg="NotBefore: 2023-12-27 18:26:27 +0000 UTC"
time="2023-12-27T18:40:26Z" level=info msg="NotAfter: 2033-12-24 18:26:27 +0000 UTC"
time="2023-12-27T18:40:26Z" level=info msg="SignatureAlgorithm: ECDSA-SHA256"
time="2023-12-27T18:40:26Z" level=info msg="PublicKeyAlgorithm: ECDSA"
time="2023-12-27T18:40:26Z" level=error msg="Issuer of last certificate found in chain (CN=cattle-ca,C=AA) does not match with CA certificate Issuer (CN=dynamiclistener-ca@1703701587,O=dynamiclistener-org). Please check if the configured server certificate contains all needed intermediate certificates and make sure they are in the correct order (server certificate first, intermediates after)"
time="2023-12-27T18:40:26Z" level=fatal msg="Get \"https://rancherdev.XXX.XXX\": x509: certificate is not authorized to sign other certificates"


Judging from the log, the "x509: certificate is not authorized to sign other certificates" error is caused by the CA certificate.

The main reason is that you imported the downstream cluster using a domain name, but your Rancher was started with docker run without adding the certificate for that domain name, which leads to this problem.

There are two solutions:

  1. Import directly using the IP address
  2. Add the corresponding certificates when running Rancher; see: Installing Rancher from scratch with a self-signed certificate - Ksd's blog | KSD Blog

Hello, a question.
What does "import using the IP" mean? Changing Rancher's address to the IP in EKS?
For "add the corresponding certificates when running Rancher", is that the nginx certificate, or does a new one need to be generated for Rancher?

That is, replace https://rancherdev.XXX.XXX with the IP address: in Rancher's settings, change the server-url to the IP, then recreate the imported cluster.

You can refer to the link I sent earlier.

Thank you for the reply, I roughly understand what you mean.
Because my domain name and certificate already exist and cannot be changed, I'm a bit confused: this looks like the official recommendation, also with three certificates. The first two should be the nginx certificates; I don't understand where the third certificate comes from. Is it the cacerts from Rancher's global settings?

docker run -d --restart=unless-stopped \
  -p 80:80 -p 443:443 \
  -v $PWD/rancher:/var/lib/rancher \
  -v $PWD/certs/cert.pem:/etc/rancher/ssl/cert.pem \
  -v $PWD/certs/key.pem:/etc/rancher/ssl/key.pem \
  -v $PWD/certs/ca.pem:/etc/rancher/ssl/cacerts.pem \
  --privileged \
  rancher/rancher:latest

By "IP", do you mean changing the server-url in the global settings?
Also, can the certificate be ignored? I remember that when I configured this before, I didn't seem to configure anything certificate-related.

First, by IP I mean accessing Rancher via its IP and importing the downstream cluster through that IP; this uses the certificate Rancher generates for you automatically. According to the docker-compose configuration you provided above, you didn't add any certificate configuration either, so you can simply use the host's IP to access Rancher.

If you want to use a domain name and you start Rancher with docker run, then you have to add the certificates during docker run. As for the three pem files mentioned above, you need to provide and create them yourself; they are generated when creating a self-signed certificate. If you have a certificate issued by a proper certificate authority, then cacerts.pem is not needed.

OK, I understand now. Thank you for your patient explanation.