Rancher2.9.3导入已有集群失败，提示unable to read CA file from /etc/kubernetes/ssl/certs/serverca

ss6971 · 2024 年11 月 17 日 14:24

**Rancher Server 设置

Rancher 版本：2.9.3
安装选项 (Docker install/Helm Chart):
- 如果是 Helm Chart 安装，需要提供 Local 集群的类型（RKE1, RKE2, k3s, EKS, 等）和版本：
在线或离线部署：

下游集群信息

Kubernetes 版本: v1.30.4+rke2r1
Cluster Type (Local/Downstream):
- 如果 Downstream，是什么类型的集群?(自定义/导入或为托管等):

用户信息

登录用户的角色是什么？（管理员/集群所有者/集群成员/项目所有者/项目成员/自定义）：
- 如果自定义，自定义权限集：

主机操作系统：

问题描述：

重现步骤：

结果：

预期结果：

截图：

其他上下文信息：

日志

time="2024-11-17T14:20:18Z" level=info msg="Listening on /tmp/log.sock"
time="2024-11-17T14:20:18Z" level=info msg="Rancher agent version v2.9.3 is starting"
time="2024-11-17T14:20:18Z" level=error msg="unable to read CA file from /etc/kubernetes/ssl/certs/serverca: open /etc/kubernetes/ssl/certs/serverca: no such file or directory"
time="2024-11-17T14:20:18Z" level=error msg="Strict CA verification is enabled but encountered error finding root CA"
INFO: Environment: CATTLE_ADDRESS=10.42.0.25 CATTLE_CA_CHECKSUM= CATTLE_CLUSTER=true CATTLE_CLUSTER_AGENT_PORT=tcp://10.43.60.247:80 CATTLE_CLUSTER_AGENT_PORT_443_TCP=tcp://10.43.60.247:443 CATTLE_CLUSTER_AGENT_PORT_443_TCP_ADDR=10.43.60.247 CATTLE_CLUSTER_AGENT_PORT_443_TCP_PORT=443 CATTLE_CLUSTER_AGENT_PORT_443_TCP_PROTO=tcp CATTLE_CLUSTER_AGENT_PORT_80_TCP=tcp://10.43.60.247:80 CATTLE_CLUSTER_AGENT_PORT_80_TCP_ADDR=10.43.60.247 CATTLE_CLUSTER_AGENT_PORT_80_TCP_PORT=80 CATTLE_CLUSTER_AGENT_PORT_80_TCP_PROTO=tcp CATTLE_CLUSTER_AGENT_SERVICE_HOST=10.43.60.247 CATTLE_CLUSTER_AGENT_SERVICE_PORT=80 CATTLE_CLUSTER_AGENT_SERVICE_PORT_HTTP=80 CATTLE_CLUSTER_AGENT_SERVICE_PORT_HTTPS_INTERNAL=443 CATTLE_CLUSTER_REGISTRY= CATTLE_INGRESS_IP_DOMAIN=sslip.io CATTLE_INSTALL_UUID=0622682d-a0a7-425d-8a86-0954154133cf CATTLE_INTERNAL_ADDRESS= CATTLE_IS_RKE=false CATTLE_K8S_MANAGED=true CATTLE_NODE_NAME=cattle-cluster-agent-7d88ff7f7b-f5pmj CATTLE_RANCHER_PROVISIONING_CAPI_VERSION= CATTLE_RANCHER_WEBHOOK_VERSION=104.0.3+up0.5.3 CATTLE_SERVER=https://uat-rancher.anker-in.com CATTLE_SERVER_VERSION=v2.9.3
INFO: Using resolv.conf: search cattle-system.svc.cluster.local svc.cluster.local cluster.local localdomain nameserver 10.43.0.10 options ndots:5
INFO: https://uat-rancher.anker-in.com/ping is accessible
INFO: uat-rancher.anker-in.com resolves to 172.16.19.240
time="2024-11-17T14:23:07Z" level=info msg="Listening on /tmp/log.sock"
time="2024-11-17T14:23:07Z" level=info msg="Rancher agent version v2.9.3 is starting"
time="2024-11-17T14:23:07Z" level=error msg="unable to read CA file from /etc/kubernetes/ssl/certs/serverca: open /etc/kubernetes/ssl/certs/serverca: no such file or directory"
time="2024-11-17T14:23:07Z" level=error msg="Strict CA verification is enabled but encountered error finding root CA"

jacie · 2024 年11 月 18 日 03:07

ss6971 · 2024 年11 月 18 日 06:56

这边没太看懂链接里关于tls-agent-mode的信息，strict模式的值在哪里可以调整？如果不能调整，ca settings的配置入口在哪里，

ss6971 · 2024 年11 月 18 日 07:08

这里的证书不支持修改，请问是否能在集群内那里可以配置这个值