Rke2 + Rancher 2.6 Server: when creating a cluster, the cluster node (rke2 cluster) reports CA cert ... no such file or directory, error while appending ca cert to pool

Test environment:
One Ubuntu 20.04 machine running Rke2 + Rancher Server as a single node
Another Ubuntu 20.04 node on which the cluster service is created

Rancher Server setup

  • Rancher version: Rancher 2.6.3
  • Installation option (Docker install/Helm Chart):
    • If installed via Helm Chart, provide the Local cluster type RKE2 and version: v1.21.7+rke2r2
  • Online:

Downstream cluster information

  • Kubernetes version: v1.22.7+rke2r2
  • Cluster Type (Local):

User information

  • What is the role of the logged-in user? Administrator

**Problem description:**
Using my own certificate, whether a CA-signed certificate (a free certificate applied for from Alibaba Cloud and used locally; the download is the Nginx-template variant, with two files, pem and key) or a self-signed certificate, I go into the Rancher admin UI and create the Rke2 cluster MyCluster (for the self-signed certificate, I have already added the variable GODEBUG = x509ignoreCN=0 under "Agent Environment Vars" on both Rancher Server and MyCluster), but when the node creates the cluster service (Rke2) it always reports that the certificate is invalid.

Already confirmed:
1. The certificate applied for from Alibaba Cloud is fine
2. The self-signed certificate has been added
3. And confirmed that all of the following certificates exist on Rancher Server
/var/lib/rancher/rke2/server/tls/kube-scheduler/kube-scheduler.crt
/var/lib/rancher/rke2/server/tls/client-kube-apiserver.crt
/var/lib/rancher/rke2/server/tls/client-kube-apiserver.key
/var/lib/rancher/rke2/server/tls/server-ca.crt

Steps to reproduce:

Alibaba Cloud certificate

kubectl -n cattle-system create secret tls tls-rancher-ingress \
  --cert=aliyun.pem \
  --key=aliyun.key

helm install rancher rancher-stable/rancher \
  --namespace cattle-system \
  --set hostname=tmp.weifor.com \
  --set bootstrapPassword=123456 \
  --set ingress.tls.source=secret \
  --set rancherImage=registry.cn-hangzhou.aliyuncs.com/rancher/rancher \
  --set systemDefaultRegistry=registry.cn-hangzhou.aliyuncs.com \
  --set rancherImageTag=v2.6.3

Self-signed

kubectl -n cattle-system create secret tls tls-rancher-ingress \
  --cert=tls.crt \
  --key=tls.key

kubectl -n cattle-system delete secret tls-rancher-ingress

kubectl -n cattle-system create secret generic tls-ca \
  --from-file=cacerts.pem=./cacerts.pem

kubectl -n cattle-system delete secret tls-ca

helm install rancher rancher-stable/rancher \
  --namespace cattle-system \
  --set hostname=tmp.weifor.com \
  --set bootstrapPassword=123456 \
  --set ingress.tls.source=secret \
  --set privateCA=true \
  --set rancherImage=registry.cn-hangzhou.aliyuncs.com/rancher/rancher \
  --set systemDefaultRegistry=registry.cn-hangzhou.aliyuncs.com \
  --set rancherImageTag=v2.6.3

Result:

Expected result:

**Screenshots:**

Other context:

Logs
Mar 29 04:32:22 pc rancher-system-agent[1769]: time="2022-03-29T04:32:22Z" level=error msg="error loading CA cert /var/lib/rancher/rke2/server/tls/kube-scheduler/kube-scheduler.crt: open /var/lib/rancher/rke2/server/tls/kube-scheduler/kube-scheduler.crt: no such file or directory"
Mar 29 04:32:22 pc rancher-system-agent[1769]: time="2022-03-29T04:32:22Z" level=error msg="error while appending ca cert to pool"
Mar 29 04:32:22 pc rancher-system-agent[1769]: time="2022-03-29T04:32:22Z" level=debug msg="Probe timeout duration: 5 seconds"
Mar 29 04:32:22 pc rancher-system-agent[1769]: time="2022-03-29T04:32:22Z" level=debug msg="[Prober] (kube-apiserver) running probe"
Mar 29 04:32:22 pc rancher-system-agent[1769]: time="2022-03-29T04:32:22Z" level=debug msg="[Prober] (kube-apiserver) retrieving existing probe status from map if existing"
Mar 29 04:32:22 pc rancher-system-agent[1769]: time="2022-03-29T04:32:22Z" level=error msg="error loading x509 client cert/key (/var/lib/rancher/rke2/server/tls/client-kube-apiserver.crt//var/lib/rancher/rke2/server/tls/client-kube-apiserver.key): open /var/lib/rancher/rke2/server/tls/client-kube-apiserver.crt: no such file or directory"
Mar 29 04:32:22 pc rancher-system-agent[1769]: time="2022-03-29T04:32:22Z" level=error msg="error loading CA cert /var/lib/rancher/rke2/server/tls/server-ca.crt: open /var/lib/rancher/rke2/server/tls/server-ca.crt: no such file or directory"
Mar 29 04:32:22 pc rancher-system-agent[1769]: time="2022-03-29T04:32:22Z" level=error msg="error while appending ca cert to pool"
Mar 29 04:32:22 pc rancher-system-agent[1769]: time="2022-03-29T04:32:22Z" level=debug msg="Probe timeout duration: 5 seconds"
Mar 29 04:32:22 pc rancher-system-agent[1769]: time="2022-03-29T04:32:22Z" level=debug msg="[Prober] (kube-controller-manager) running probe"
Mar 29 04:32:22 pc rancher-system-agent[1769]: time="2022-03-29T04:32:22Z" level=debug msg="[Prober] (kube-controller-manager) retrieving existing probe status from map if existing"
Mar 29 04:32:22 pc rancher-system-agent[1769]: time="2022-03-29T04:32:22Z" level=error msg="error loading CA cert /var/lib/rancher/rke2/server/tls/kube-controller-manager/kube-controller-manager.crt: open /var/lib/rancher/rke2/server/tls/kube-controller-manager/kube-controller-manager.crt: no such file or directory"
Mar 29 04:32:22 pc rancher-system-agent[1769]: time="2022-03-29T04:32:22Z" level=error msg="error while appending ca cert to pool"

Looking at the steps, I don't see any problem. When I have time I'll test by following your reproduction steps and then reply.

For now, without using the "domestic mirror", the free CA certificate applied for from Alibaba Cloud passes the test:
helm install rancher rancher-latest/rancher \
  --namespace cattle-system \
  --set hostname=tmp.weifor.com \
  --set bootstrapPassword=123456 \
  --set ingress.tls.source=secret

Thanks for the reply, I'll look into the cause later.

--set bootstrapPassword=123456
May I ask whether this password is the admin password after startup?

No, it is the bootstrapPassword: before you get into the UI to set the admin password, you are required to set a bootstrapPassword. Only after this password has been set correctly can you set the admin password.

I knew the --set bootstrapPassword=xxx parameter would be used by many people and is very useful, so I'm posting it here for everyone's reference.