Certificate error when importing a cluster into Rancher
Symptom
When importing the cluster, cattle-cluster-agent reports the following errors:
time="2022-06-28T08:00:28Z" level=error msg="Issuer of last certificate found in chain (CN=xmh-k8s-ca,OU=systemGroup,O=k8s,L=HD,ST=BJ,C=CN) does not match with CA certificate Issuer (CN=dynamiclistener-ca,O=dynamiclistener-org). Please check if the configured server certificate contains all needed intermediate certificates and make sure they are in the correct order (server certificate first, intermediates after)"
time="2022-06-28T08:00:28Z" level=fatal msg="Certificate chain is not complete, please check if all needed intermediate certificates are included in the server certificate (in the correct order) and if the cacerts setting in Rancher either contains the correct CA certificate (in the case of using self signed certificates) or is empty (in the case of using a certificate signed by a recognized CA). Certificate information is displayed above. error: Get \"https://rch.72.xmh\": x509: certificate signed by unknown authority"
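The comparison these two log lines describe can be reproduced offline. The Go program below is an added example, not Rancher's code and not part of the original post: it builds throwaway in-memory certificates (the CNs are reused from the log above; issue and CheckChain are hypothetical helper names) and checks a served chain against a configured CA. It assumes the chain is ordered leaf first, intermediates after, as the message requires.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a throwaway test certificate for cn; a nil parent means self-signed.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// CheckChain takes the served chain (leaf first, intermediates after) and the configured CA.
func CheckChain(chain []*x509.Certificate, ca *x509.Certificate) error {
	if iss := chain[len(chain)-1].Issuer.String(); iss != ca.Issuer.String() { // comparison named in the error line
		return fmt.Errorf("issuer of last certificate (%s) does not match CA issuer (%s)", iss, ca.Issuer)
	}
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(ca)
	for _, c := range chain[1:] {
		inter.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	return err // non-nil here corresponds to "certificate signed by unknown authority"
}

func main() {
	ca, caKey := issue("xmh-k8s-ca", true, nil, nil)        // CA that signed the served certificate
	other, _ := issue("dynamiclistener-ca", true, nil, nil) // CA the agent was configured with
	leaf, _ := issue("rch.72.xmh", false, ca, caKey)
	fmt.Println(CheckChain([]*x509.Certificate{leaf}, other), CheckChain([]*x509.Certificate{leaf}, ca))
}
```

A CA with a matching name but a different key passes the issuer comparison and still fails signature verification, which is why both checks are needed.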
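Background
A v1.21.2 Kubernetes cluster was built first with kubeadm, and later a v1.22.6 cluster was built as well (also with kubeadm). For ease of explanation, they are referred to below as k8s21 and k8s22.
When k8s22 was built, existing TLS certificates were used. After the build, cert-manager (v1.7.1) was also deployed with the same CA certificate, and the same CA certificate was used to create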