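Rancher Server setup
- Rancher version: V2.9.3
- Installation option (Docker install/Helm Chart): helm
- If installed via Helm Chart, provide the Local cluster type (RKE1, RKE2, k3s, EKS, etc.) and version:
- Online or air-gapped deployment:
Downstream cluster information
- Kubernetes version: 1.27.5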
- Cluster Type (Local/Downstream):
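- If Downstream, what type of cluster? (Custom/Imported or Hosted, etc.):
User information
- What is the role of the logged-in user? (Admin/Cluster Owner/Cluster Member/Project Owner/Project Member/Custom):
- If Custom, the custom permission set:
Host OS:
Problem description: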
```
INFO: Environment: CATTLE_ADDRESS=100.114.144.147 CATTLE_CA_CHECKSUM=0e812942c2f0179b9cd6c36335f4768c1b49215c0007416d0eb8e80d9057b791 CATTLE_CLUSTER=true CATTLE_CLUSTER_AGENT_PORT=tcp://10.96.3.234:80 CATTLE_CLUSTER_AGENT_PORT_443_TCP=tcp://10.96.3.234:443 CATTLE_CLUSTER_AGENT_PORT_443_TCP_ADDR=10.96.3.234 CATTLE_CLUSTER_AGENT_PORT_443_TCP_PORT=443 CATTLE_CLUSTER_AGENT_PORT_443_TCP_PROTO=tcp CATTLE_CLUSTER_AGENT_PORT_80_TCP=tcp://10.96.3.234:80 CATTLE_CLUSTER_AGENT_PORT_80_TCP_ADDR=10.96.3.234 CATTLE_CLUSTER_AGENT_PORT_80_TCP_PORT=80 CATTLE_CLUSTER_AGENT_PORT_80_TCP_PROTO=tcp CATTLE_CLUSTER_AGENT_SERVICE_HOST=10.96.3.234 CATTLE_CLUSTER_AGENT_SERVICE_PORT=80 CATTLE_CLUSTER_AGENT_SERVICE_PORT_HTTP=80 CATTLE_CLUSTER_AGENT_SERVICE_PORT_HTTPS_INTERNAL=443 CATTLE_CLUSTER_REGISTRY=registry.cn-hangzhou.aliyuncs.com CATTLE_INGRESS_IP_DOMAIN=sslip.io CATTLE_INSTALL_UUID=3661cf14-08c6-423d-b698-94ec7c43e973 CATTLE_INTERNAL_ADDRESS= CATTLE_IS_RKE=false CATTLE_K8S_MANAGED=true CATTLE_NODE_NAME=cattle-cluster-agent-56f4f95cbc-4hp8n CATTLE_RANCHER_PROVISIONING_CAPI_VERSION= CATTLE_RANCHER_WEBHOOK_VERSION=104.0.3+up0.5.3 CATTLE_SERVER=https://172.16.1.214:31252 CATTLE_SERVER_VERSION=v2.9.3
INFO: Using resolv.conf: search cattle-system.svc.cluster.local svc.cluster.local cluster.local nameserver 10.96.0.10 options ndots:5
INFO: https://172.16.1.214:31252/ping is accessible
INFO: Value from https://172.16.1.214:31252/v3/settings/cacerts is an x509 certificate
time="2026-07-01T09:19:28Z" level=info msg="Listening on /tmp/log.sock"
time="2026-07-01T09:19:28Z" level=info msg="Rancher agent version v2.9.3 is starting"
time="2026-07-01T09:19:28Z" level=info msg="Testing connection to https://172.16.1.214:31252 using trusted certificate authorities within: /etc/kubernetes/ssl/certs/serverca"
time="2026-07-01T09:19:28Z" level=error msg="Could not securely connect to https://172.16.1.214:31252: Get "https://172.16.1.214:31252": tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "dynamiclistener-ca@1782284395")"
```
Steps to reproduce:
Added using the Rancher command:
```
curl --insecure -sfL https://172.16.1.214:31252/v3/import/lnwcqjpcv78nsjnpmfbh9xzxdpw7tbqkjgkbwklmbzgrxn2srt2bdz_c-m-s4l7pmst.yaml | kubectl apply -f -
```