Cattle Cluster Agent failing to get cacert

marcblecher · May 25, 2018, 7:18am

Cattle Cluster Agent keeps failing with
ERROR: Failed to pull the cacert from the rancher server settings at https://myserver/v3/settings/cacerts. I’m using self signed certs. I can get to the URL just fine in a browser. Any ideas why this might happen?

arcastroe · May 28, 2018, 3:10am

I am also getting this error on a new cluster, initialized from RKE.

After the cluster is initialized, I set the rancher-server admin password, navigate to the local cluster, navigate to Projects/Namespaces create a new Rancher-Server project, add the cattle-system namespace to it

And then I see this:

etlweather · May 28, 2018, 1:29pm

Similar to: https://github.com/rancher/rancher/issues/13615

superseb · June 8, 2018, 8:48am

It’s not similar, failed to pull or having an incorrect checksum are different things.

This is the code that’s being run (https://github.com/rancher/rancher/blob/master/package/run.sh#L142), what is the response when you run curl --insecure -s -fL $CATTLE_SERVER/v3/settings/cacerts inside the container?

arcastroe · June 17, 2018, 9:27pm

The root cause in my case was that the DNS could not resolve any domain within the cattle-cluster-agent workload. I had been trying to install rancher on a baremetal Ubuntu Bionic Beaver (18.04) host, which ships with it’s own DNS servers (listening on 127.0.0.1:53) as part of the systemd-resolved service. This had resulted in a port-conflict with kube-dns since they were both trying to listen on port 53.

The problems with dns here manifested themselves as the Failed to pull the cacert from the rancher server settings at https://myserver/v3/settings/cacerts error since myserver could not be resolved.

–

To disable ubuntu’s default dns server to free up port 53, I ended up doing the following

Add ‘127.0.0.1 localhost’ to /etc/hosts file
update /etc/resolv.conf to only include:
nameserver 8.8.8.8
nameserver 8.8.4.4
Run the following:
sudo systemctl disable systemd-resolved.service
sudo service systemd-resolved stop

superseb · June 18, 2018, 8:05am

Supported OS’ include:

Operating System
Ubuntu 16.04 (64-bit)
Red Hat Enterprise Linux 7.5 (64-bit)
RancherOS 1.3.0 (64-bit)

For tracking Ubuntu 18.04 support: https://github.com/rancher/rancher/issues/13888

Topic		Replies	Views
Unable to import local minikube cluster due to certification error SUSE Rancher Prime	0	745	July 4, 2018
Rancher 2.2.7 Fresh Install - cacerts issues (self signed cert) SUSE Rancher Prime	3	1958	February 29, 2020
Cattle-cluster-agent crashloopbackoff - Help me! SUSE Rancher Prime	7	3985	June 27, 2022
[Rancher 2.6.3] Configured cacerts checksum does not match given --ca-checksum when using metallb and cert manager SUSE Rancher Prime	4	3477	May 23, 2022
New install of Rancher v2.5.1, cattle-cluster-agent can't resolve the Rancher host SUSE Rancher Prime	3	5449	July 16, 2021

Cattle Cluster Agent failing to get cacert

Related topics