Rancher Server 设置
主机操作系统:centos7
问题描述:自签名rancher导入集群报错tls: failed to verify certificate: x509: certificate signed by unknown authority"
重现步骤:
bash ./key.sh --ssl-domain=rancher.jiangpeng.com --ssl-size=2048 --ssl-date=3650
vim /etc/hosts
rancher.jiangpeng.com 192.168.6.6
kubectl create ns cattle-system
kubectl -n cattle-system create secret tls tls-rancher-ingress --cert=tls.crt --key=tls.key
kubectl -n cattle-system create secret generic tls-ca --from-file=cacerts.pem=/etc/kubernetes/pki/cacerts.pem
helm install rancher rancher-latest/rancher --namespace cattle-system --set hostname=rancher.jiangpeng.com --set bootstrapPassword=admin --set ingress.tls.source=secret --set privateCA=true
结果:
集群安装成功,导入集群失败
预期结果: 集群安装成功,集群导入成功
其他上下文信息:
日志
[root@master ~]# kubectl logs -n cattle-system cattle-cluster-agent-5b87bc4b56-dwp2q
INFO: Environment: CATTLE_ADDRESS=10.244.219.77 CATTLE_CA_CHECKSUM=68a74389db293a6cfd6239ca9b73c055e21802f877d2a0580fcc869c130c0414 CATTLE_CLUSTER=true CATTLE_CLUSTER_AGENT_PORT=tcp://10.102.176.218:80 CATTLE_CLUSTER_AGENT_PORT_443_TCP=tcp://10.102.176.218:443 CATTLE_CLUSTER_AGENT_PORT_443_TCP_ADDR=10.102.176.218 CATTLE_CLUSTER_AGENT_PORT_443_TCP_PORT=443 CATTLE_CLUSTER_AGENT_PORT_443_TCP_PROTO=tcp CATTLE_CLUSTER_AGENT_PORT_80_TCP=tcp://10.102.176.218:80 CATTLE_CLUSTER_AGENT_PORT_80_TCP_ADDR=10.102.176.218 CATTLE_CLUSTER_AGENT_PORT_80_TCP_PORT=80 CATTLE_CLUSTER_AGENT_PORT_80_TCP_PROTO=tcp CATTLE_CLUSTER_AGENT_SERVICE_HOST=10.102.176.218 CATTLE_CLUSTER_AGENT_SERVICE_PORT=80 CATTLE_CLUSTER_AGENT_SERVICE_PORT_HTTP=80 CATTLE_CLUSTER_AGENT_SERVICE_PORT_HTTPS_INTERNAL=443 CATTLE_CLUSTER_REGISTRY= CATTLE_INGRESS_IP_DOMAIN=sslip.io CATTLE_INSTALL_UUID=7d6c40af-20fa-4385-a550-a70464342a91 CATTLE_INTERNAL_ADDRESS= CATTLE_IS_RKE=false CATTLE_K8S_MANAGED=true CATTLE_NODE_NAME=cattle-cluster-agent-5b87bc4b56-dwp2q CATTLE_RANCHER_WEBHOOK_VERSION= CATTLE_SERVER=https://rancher.jiangpeng.com:64058 CATTLE_SERVER_VERSION=v2.8.3
INFO: Using resolv.conf: nameserver 10.96.0.10 search cattle-system.svc.cluster.local svc.cluster.local cluster.local localdomain options ndots:5
INFO: https://rancher.jiangpeng.com:64058/ping is accessible
INFO: rancher.jiangpeng.com resolves to 192.168.6.6
INFO: Value from https://rancher.jiangpeng.com:64058/v3/settings/cacerts is an x509 certificate
time="2024-04-22T04:11:01Z" level=info msg="Listening on /tmp/log.sock"
time="2024-04-22T04:11:01Z" level=info msg="Rancher agent version v2.8.3 is starting"
time="2024-04-22T04:11:01Z" level=info msg="Certificate details from https://rancher.jiangpeng.com:64058"
time="2024-04-22T04:11:01Z" level=info msg="Certificate #0 (https://rancher.jiangpeng.com:64058)"
time="2024-04-22T04:11:01Z" level=info msg="Subject: CN=dynamic,O=dynamic"
time="2024-04-22T04:11:01Z" level=info msg="Issuer: CN=dynamiclistener-ca@1713714151,O=dynamiclistener-org"
time="2024-04-22T04:11:01Z" level=info msg="IsCA: false"
time="2024-04-22T04:11:01Z" level=info msg="DNS Names: [rancher.jiangpeng.com]"
time="2024-04-22T04:11:01Z" level=info msg="IPAddresses: [10.244.166.165 10.244.166.180 10.244.166.187 10.98.103.19]"
time="2024-04-22T04:11:01Z" level=info msg="NotBefore: 2024-04-21 15:42:31 +0000 UTC"
time="2024-04-22T04:11:01Z" level=info msg="NotAfter: 2025-04-22 02:48:16 +0000 UTC"
time="2024-04-22T04:11:01Z" level=info msg="SignatureAlgorithm: ECDSA-SHA256"
time="2024-04-22T04:11:01Z" level=info msg="PublicKeyAlgorithm: ECDSA"
time="2024-04-22T04:11:01Z" level=info msg="Certificate #1 (https://rancher.jiangpeng.com:64058)"
time="2024-04-22T04:11:01Z" level=info msg="Subject: CN=dynamiclistener-ca@1713714151,O=dynamiclistener-org"
time="2024-04-22T04:11:01Z" level=info msg="Issuer: CN=dynamiclistener-ca@1713714151,O=dynamiclistener-org"
time="2024-04-22T04:11:01Z" level=info msg="IsCA: true"
time="2024-04-22T04:11:01Z" level=info msg="DNS Names: <none>"
time="2024-04-22T04:11:01Z" level=info msg="IPAddresses: <none>"
time="2024-04-22T04:11:01Z" level=info msg="NotBefore: 2024-04-21 15:42:31 +0000 UTC"
time="2024-04-22T04:11:01Z" level=info msg="NotAfter: 2034-04-19 15:42:31 +0000 UTC"
time="2024-04-22T04:11:01Z" level=info msg="SignatureAlgorithm: ECDSA-SHA256"
time="2024-04-22T04:11:01Z" level=info msg="PublicKeyAlgorithm: ECDSA"
time="2024-04-22T04:11:01Z" level=info msg="Certificate details for /etc/kubernetes/ssl/certs/serverca"
time="2024-04-22T04:11:01Z" level=info msg="Certificate #0 (/etc/kubernetes/ssl/certs/serverca)"
time="2024-04-22T04:11:01Z" level=info msg="Subject: CN=kubernetes"
time="2024-04-22T04:11:01Z" level=info msg="Issuer: CN=kubernetes"
time="2024-04-22T04:11:01Z" level=info msg="IsCA: true"
time="2024-04-22T04:11:01Z" level=info msg="DNS Names: [kubernetes]"
time="2024-04-22T04:11:01Z" level=info msg="IPAddresses: <none>"
time="2024-04-22T04:11:01Z" level=info msg="NotBefore: 2023-09-18 15:32:49 +0000 UTC"
time="2024-04-22T04:11:01Z" level=info msg="NotAfter: 2033-09-15 15:37:49 +0000 UTC"
time="2024-04-22T04:11:01Z" level=info msg="SignatureAlgorithm: SHA256-RSA"
time="2024-04-22T04:11:01Z" level=info msg="PublicKeyAlgorithm: RSA"
time="2024-04-22T04:11:01Z" level=error msg="Issuer of last certificate found in chain (CN=dynamiclistener-ca@1713714151,O=dynamiclistener-org) does not match with CA certificate Issuer (CN=kubernetes). Please check if the configured server certificate contains all needed intermediate certificates and make sure they are in the correct order (server certificate first, intermediates after)"
time="2024-04-22T04:11:01Z" level=fatal msg="Certificate chain is not complete, please check if all needed intermediate certificates are included in the server certificate (in the correct order) and if the cacerts setting in Rancher either contains the correct CA certificate (in the case of using self signed certificates) or is empty (in the case of using a certificate signed by a recognized CA). Certificate information is displayed above. error: Get \"https://rancher.jiangpeng.com:64058\": tls: failed to verify certificate: x509: certificate signed by unknown authority"