Self-signed Rancher 2.8.3: importing a cluster fails with "tls: failed to verify certificate: x509: certificate signed by unknown authority"

Rancher Server Setup

  • Rancher version: 2.8.3
  • Helm version: 3.14.3
  • Kubernetes version: 1.28.2
  • Online or offline deployment: online

Host OS: CentOS 7

Problem description: importing a cluster into a Rancher server that uses a self-signed certificate fails with "tls: failed to verify certificate: x509: certificate signed by unknown authority"

Steps to reproduce:

bash ./key.sh --ssl-domain=rancher.jiangpeng.com --ssl-size=2048 --ssl-date=3650

vim /etc/hosts
192.168.6.6 rancher.jiangpeng.com

kubectl create ns cattle-system

kubectl -n cattle-system create secret tls tls-rancher-ingress --cert=tls.crt --key=tls.key

kubectl -n cattle-system create secret generic tls-ca  --from-file=cacerts.pem=/etc/kubernetes/pki/cacerts.pem

helm install rancher rancher-latest/rancher --namespace cattle-system --set hostname=rancher.jiangpeng.com --set bootstrapPassword=admin --set ingress.tls.source=secret --set privateCA=true

Result:
Rancher installed successfully, but importing a cluster failed

Expected result: Rancher installs successfully and the cluster import succeeds

Additional context:

Logs
[root@master ~]# kubectl logs -n cattle-system cattle-cluster-agent-5b87bc4b56-dwp2q 
INFO: Environment: CATTLE_ADDRESS=10.244.219.77 CATTLE_CA_CHECKSUM=68a74389db293a6cfd6239ca9b73c055e21802f877d2a0580fcc869c130c0414 CATTLE_CLUSTER=true CATTLE_CLUSTER_AGENT_PORT=tcp://10.102.176.218:80 CATTLE_CLUSTER_AGENT_PORT_443_TCP=tcp://10.102.176.218:443 CATTLE_CLUSTER_AGENT_PORT_443_TCP_ADDR=10.102.176.218 CATTLE_CLUSTER_AGENT_PORT_443_TCP_PORT=443 CATTLE_CLUSTER_AGENT_PORT_443_TCP_PROTO=tcp CATTLE_CLUSTER_AGENT_PORT_80_TCP=tcp://10.102.176.218:80 CATTLE_CLUSTER_AGENT_PORT_80_TCP_ADDR=10.102.176.218 CATTLE_CLUSTER_AGENT_PORT_80_TCP_PORT=80 CATTLE_CLUSTER_AGENT_PORT_80_TCP_PROTO=tcp CATTLE_CLUSTER_AGENT_SERVICE_HOST=10.102.176.218 CATTLE_CLUSTER_AGENT_SERVICE_PORT=80 CATTLE_CLUSTER_AGENT_SERVICE_PORT_HTTP=80 CATTLE_CLUSTER_AGENT_SERVICE_PORT_HTTPS_INTERNAL=443 CATTLE_CLUSTER_REGISTRY= CATTLE_INGRESS_IP_DOMAIN=sslip.io CATTLE_INSTALL_UUID=7d6c40af-20fa-4385-a550-a70464342a91 CATTLE_INTERNAL_ADDRESS= CATTLE_IS_RKE=false CATTLE_K8S_MANAGED=true CATTLE_NODE_NAME=cattle-cluster-agent-5b87bc4b56-dwp2q CATTLE_RANCHER_WEBHOOK_VERSION= CATTLE_SERVER=https://rancher.jiangpeng.com:64058 CATTLE_SERVER_VERSION=v2.8.3
INFO: Using resolv.conf: nameserver 10.96.0.10 search cattle-system.svc.cluster.local svc.cluster.local cluster.local localdomain options ndots:5
INFO: https://rancher.jiangpeng.com:64058/ping is accessible
INFO: rancher.jiangpeng.com resolves to 192.168.6.6
INFO: Value from https://rancher.jiangpeng.com:64058/v3/settings/cacerts is an x509 certificate
time="2024-04-22T04:11:01Z" level=info msg="Listening on /tmp/log.sock"
time="2024-04-22T04:11:01Z" level=info msg="Rancher agent version v2.8.3 is starting"
time="2024-04-22T04:11:01Z" level=info msg="Certificate details from https://rancher.jiangpeng.com:64058"
time="2024-04-22T04:11:01Z" level=info msg="Certificate #0 (https://rancher.jiangpeng.com:64058)"
time="2024-04-22T04:11:01Z" level=info msg="Subject: CN=dynamic,O=dynamic"
time="2024-04-22T04:11:01Z" level=info msg="Issuer: CN=dynamiclistener-ca@1713714151,O=dynamiclistener-org"
time="2024-04-22T04:11:01Z" level=info msg="IsCA: false"
time="2024-04-22T04:11:01Z" level=info msg="DNS Names: [rancher.jiangpeng.com]"
time="2024-04-22T04:11:01Z" level=info msg="IPAddresses: [10.244.166.165 10.244.166.180 10.244.166.187 10.98.103.19]"
time="2024-04-22T04:11:01Z" level=info msg="NotBefore: 2024-04-21 15:42:31 +0000 UTC"
time="2024-04-22T04:11:01Z" level=info msg="NotAfter: 2025-04-22 02:48:16 +0000 UTC"
time="2024-04-22T04:11:01Z" level=info msg="SignatureAlgorithm: ECDSA-SHA256"
time="2024-04-22T04:11:01Z" level=info msg="PublicKeyAlgorithm: ECDSA"
time="2024-04-22T04:11:01Z" level=info msg="Certificate #1 (https://rancher.jiangpeng.com:64058)"
time="2024-04-22T04:11:01Z" level=info msg="Subject: CN=dynamiclistener-ca@1713714151,O=dynamiclistener-org"
time="2024-04-22T04:11:01Z" level=info msg="Issuer: CN=dynamiclistener-ca@1713714151,O=dynamiclistener-org"
time="2024-04-22T04:11:01Z" level=info msg="IsCA: true"
time="2024-04-22T04:11:01Z" level=info msg="DNS Names: <none>"
time="2024-04-22T04:11:01Z" level=info msg="IPAddresses: <none>"
time="2024-04-22T04:11:01Z" level=info msg="NotBefore: 2024-04-21 15:42:31 +0000 UTC"
time="2024-04-22T04:11:01Z" level=info msg="NotAfter: 2034-04-19 15:42:31 +0000 UTC"
time="2024-04-22T04:11:01Z" level=info msg="SignatureAlgorithm: ECDSA-SHA256"
time="2024-04-22T04:11:01Z" level=info msg="PublicKeyAlgorithm: ECDSA"
time="2024-04-22T04:11:01Z" level=info msg="Certificate details for /etc/kubernetes/ssl/certs/serverca"
time="2024-04-22T04:11:01Z" level=info msg="Certificate #0 (/etc/kubernetes/ssl/certs/serverca)"
time="2024-04-22T04:11:01Z" level=info msg="Subject: CN=kubernetes"
time="2024-04-22T04:11:01Z" level=info msg="Issuer: CN=kubernetes"
time="2024-04-22T04:11:01Z" level=info msg="IsCA: true"
time="2024-04-22T04:11:01Z" level=info msg="DNS Names: [kubernetes]"
time="2024-04-22T04:11:01Z" level=info msg="IPAddresses: <none>"
time="2024-04-22T04:11:01Z" level=info msg="NotBefore: 2023-09-18 15:32:49 +0000 UTC"
time="2024-04-22T04:11:01Z" level=info msg="NotAfter: 2033-09-15 15:37:49 +0000 UTC"
time="2024-04-22T04:11:01Z" level=info msg="SignatureAlgorithm: SHA256-RSA"
time="2024-04-22T04:11:01Z" level=info msg="PublicKeyAlgorithm: RSA"
time="2024-04-22T04:11:01Z" level=error msg="Issuer of last certificate found in chain (CN=dynamiclistener-ca@1713714151,O=dynamiclistener-org) does not match with CA certificate Issuer (CN=kubernetes). Please check if the configured server certificate contains all needed intermediate certificates and make sure they are in the correct order (server certificate first, intermediates after)"
time="2024-04-22T04:11:01Z" level=fatal msg="Certificate chain is not complete, please check if all needed intermediate certificates are included in the server certificate (in the correct order) and if the cacerts setting in Rancher either contains the correct CA certificate (in the case of using self signed certificates) or is empty (in the case of using a certificate signed by a recognized CA). Certificate information is displayed above. error: Get \"https://rancher.jiangpeng.com:64058\": tls: failed to verify certificate: x509: certificate signed by unknown authority"

Because you registered the cluster via NodePort, the certificate verification was bypassed, since the certificate lives in the ingress.

1 like

Can't I skip the ingress and use a NodePort service instead?

No.

1 like

So even with a self-signed certificate I have to use the ingress?

Right, otherwise the certificate verification is bypassed and it won't get through.
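The replies above say the import must go through the ingress because that is where the certificate from tls-rancher-ingress is terminated. The agent log shows what happens when it does not: on port 64058 the server presents Rancher's built-in chain (CN=dynamic issued by CN=dynamiclistener-ca@1713714151), while the CA the agent loaded from the cacerts setting is CN=kubernetes, so the issuer comparison fails before TLS verification even starts. The Go program below is an added example, not code from this thread or from Rancher; it reproduces the agent's check in miniature with throwaway certificates generated in-process (the CA name rancher-ca and the scenario labels are constructed for the demonstration). The second scenario covers a point worth ruling out separately: the log shows the cacerts CA as CN=kubernetes, and if that is not the CA that signed tls.crt, the same error appears even through the ingress. ParseChain lets you run CheckChain on a real tls.crt and cacerts.pem before creating the secrets.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CheckChain mirrors the checks in the cattle-cluster-agent log: the issuer of the last certificate
// the server presents must be the cacerts CA (self-signed root, so subject == issuer), then the chain must verify.
func CheckChain(presented []*x509.Certificate, cacert *x509.Certificate, host string) error {
	if len(presented) == 0 {
		return fmt.Errorf("server presented no certificates")
	}
	if last := presented[len(presented)-1]; last.Issuer.String() != cacert.Subject.String() {
		return fmt.Errorf("issuer of last certificate in chain (%s) does not match cacerts CA (%s)", last.Issuer, cacert.Subject)
	}
	roots, intermediates := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(cacert)
	for _, c := range presented[1:] {
		intermediates.AddCert(c)
	}
	_, err := presented[0].Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: intermediates})
	return err
}

// ParseChain reads a PEM bundle such as tls.crt or cacerts.pem (server certificate first, CA last).
func ParseChain(bundle []byte) ([]*x509.Certificate, error) {
	var chain []*x509.Certificate
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue // e.g. a private key pasted into the same file
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		chain = append(chain, c)
	}
	return chain, nil
}

// must panics on error; only used while generating the in-process demonstration certificates.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewCert issues a throwaway P-256 certificate for cn: a self-signed CA when parent is nil,
// otherwise a server certificate for host cn signed by parent. Demonstration keys only.
func NewCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
		parent, parentKey = tmpl, key
	} else {
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// RunScenarios rebuilds the thread's situation with constructed certificates: the chain terminated at the
// ingress versus the chain the Rancher pod serves on a NodePort, each checked against a candidate cacerts CA.
func RunScenarios() map[string]error {
	const host = "rancher.jiangpeng.com"
	rancherCA, rancherKey := NewCert("rancher-ca", nil, nil)            // stand-in for the CA key.sh produced
	dynCA, dynKey := NewCert("dynamiclistener-ca@1713714151", nil, nil) // Rancher's built-in listener CA
	k8sCA, _ := NewCert("kubernetes", nil, nil)                          // the serverca the agent log shows
	ingressLeaf, _ := NewCert(host, rancherCA, rancherKey)               // what the ingress serves
	dynLeaf, _ := NewCert(host, dynCA, dynKey)                           // what the pod serves on the NodePort
	return map[string]error{
		"ingress, cacerts=rancher-ca":  CheckChain([]*x509.Certificate{ingressLeaf, rancherCA}, rancherCA, host),
		"ingress, cacerts=kubernetes":  CheckChain([]*x509.Certificate{ingressLeaf, rancherCA}, k8sCA, host),
		"nodeport, cacerts=kubernetes": CheckChain([]*x509.Certificate{dynLeaf, dynCA}, k8sCA, host),
	}
}

func main() {
	for name, err := range RunScenarios() {
		fmt.Printf("%-30s -> %v\n", name, err) // <nil> means the agent would accept this chain
	}
}
```

Run it with go run to see the three outcomes. For a pre-flight check of your own files, read tls.crt and cacerts.pem with os.ReadFile, parse both with ParseChain, and pass the server chain together with the first certificate from cacerts.pem and the Rancher hostname to CheckChain; a non-nil result is what cattle-cluster-agent will report at startup, so fix it before creating the tls-rancher-ingress and tls-ca secrets.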