Rancher2.11.3创建集群报错[ERROR] 000 received while downloading the CA certificate. Sleeping for 5 seconds and trying again

Mountain-bot · 2026 年3 月 16 日 05:41

创建测试集群，

注册主节点报curl: (35) Network file descriptor is not connected
[ERROR] 000 received while downloading the CA certificate. Sleeping for 5 seconds and trying again

ksd · 2026 年3 月 16 日 06:22

像是证书的问题，请提供完整的 rancher 安装命令

Mountain-bot · 2026 年3 月 16 日 06:26

ksd · 2026 年3 月 16 日 06:30

那你上面报错的终端图片里的 rancher url 是什么？域名或者是 IP ？来源是？

Mountain-bot · 2026 年3 月 16 日 06:33

curl -fL https://10.10.9.252/system-agent-install.sh | sudo sh -s - --server https://10.10.9.252 --label ‘cattle.io/os=linux’ --token bhmlhjg47lb8xqntf7m5qw4bqtg2kbpxlpzk2lhq9p9gmgggzj6fz7 --ca-checksum 00b179be3b5e8107fa16c533240cf9f123974aa1f165f690649a0e530038a1a6 --etcd --controlplane --worker 是IP 这是注册的命令

ksd · 2026 年3 月 16 日 06:36

从执行注册节点的这个主机执行：curl -v https://10.10.9.252/v3/connect/agent

看看返回的啥

Mountain-bot · 2026 年3 月 16 日 06:37

About to connect() to 10.10.9.252 port 443 (#0)
Trying 10.10.9.252…
Connected to 10.10.9.252 (10.10.9.252) port 443 (#0)
Initializing NSS with certpath: sql:/etc/pki/nssdb
CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
Server certificate:
subject: CN=dynamic,O=dynamic
start date: Mar 16 03:36:19 2026 GMT
expire date: Mar 16 03:36:50 2027 GMT
common name: dynamic
issuer: CN=dynamiclistener-ca@1773632179,O=dynamiclistener-org
NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)
Peer’s certificate issuer has been marked as not trusted by the user.
Closing connection 0
curl: (60) Peer’s certificate issuer has been marked as not trusted by the user.
More details here: curl - SSL CA Certificates

curl performs SSL certificate verification by default, using a “bundle”
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn’t adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you’d like to turn off curl’s verification of the certificate, use
the -k (or --insecure) option.

ksd · 2026 年3 月 16 日 06:44

目前是没看出来啥问题，那你访问 local 集群里面的 pod 菜单，看看是否所有 pod 都启动成功

Mountain-bot · 2026 年3 月 16 日 06:46

都已启动成功。这个问题一开始是没有的。后来我重装了下就有这个问题了一直重试认证的问题

ksd · 2026 年3 月 16 日 06:56

如果是这样，有可能是垃圾数据造成的：

rancher 运行的主机删除：/opt/data/rancher_data 然后从新运行
在节点的主机上移除对应的垃圾数据，参考：Removing Kubernetes Components from Nodes | Rancher /var/lib/rancher 和 /etc/rancher 目录为空