Hi Syed,
So after creating this new certificate should I rebuild the cluster and then import onto the rancher?
I have noticed that the Kubernetes nodes are currently in the SchedulingDisabled state – Can you please clarify which output you are referring to? When I am checking the status the output is as below.
mosip-app-host-01 Ready controlplane,etcd,worker 15d v1.22.9
mosip-app-host-02 Ready controlplane,etcd,worker 15d v1.22.9
mosip-app-host-03 Ready controlplane,etcd,worker 15d v1.22.9
mosip-app-host-04 Ready controlplane,worker 15d v1.22.9
mosip-app-host-05 Ready controlplane,worker 15d v1.22.9
You don’t have to rebuild the cluster, just delete the existing failed one from Rancher and try to import it again.
Can you please clarify which output you are referring to?
You should be able to import the cluster after regenerating new SSL certs
When I am checking the status the output is as below.
The status looks fine.
Tried using the newly generated certificate created as per the mentioned procedure but there is no change in the status. Is it possible to plan a remote session?
I am also facing a challenge posting the responses, as it currently limits me to two posts.
Hi @arjunsukumar, can you please share the latest logs for this issue?
INFO: Environment: CATTLE_ADDRESS=10.42.1.34 CATTLE_CA_CHECKSUM= CATTLE_CLUSTER=true CATTLE_CLUSTER_AGENT_PORT=tcp://10.43.232.140:80 CATTLE_CLUSTER_AGENT_PORT_443_TCP=tcp://10.43.232.140:443 CATTLE_CLUSTER_AGENT_PORT_443_TCP_ADDR=10.43.232.140 CATTLE_CLUSTER_AGENT_PORT_443_TCP_PORT=443 CATTLE_CLUSTER_AGENT_PORT_443_TCP_PROTO=tcp CATTLE_CLUSTER_AGENT_PORT_80_TCP=tcp://10.43.232.140:80 CATTLE_CLUSTER_AGENT_PORT_80_TCP_ADDR=10.43.232.140 CATTLE_CLUSTER_AGENT_PORT_80_TCP_PORT=80 CATTLE_CLUSTER_AGENT_PORT_80_TCP_PROTO=tcp CATTLE_CLUSTER_AGENT_SERVICE_HOST=10.43.232.140 CATTLE_CLUSTER_AGENT_SERVICE_PORT=80 CATTLE_CLUSTER_AGENT_SERVICE_PORT_HTTP=80 CATTLE_CLUSTER_AGENT_SERVICE_PORT_HTTPS_INTERNAL=443 CATTLE_CLUSTER_REGISTRY= CATTLE_INGRESS_IP_DOMAIN=kvaliteta.com CATTLE_INSTALL_UUID=7dfa2c7b-7ca4-4104-80ad-1dc41e457a2b CATTLE_INTERNAL_ADDRESS= CATTLE_IS_RKE=false CATTLE_K8S_MANAGED=true CATTLE_NODE_NAME=cattle-cluster-agent-568c45476f-tqjqx CATTLE_RANCHER_WEBHOOK_MIN_VERSION= CATTLE_RANCHER_WEBHOOK_VERSION=2.0.5+up0.3.5 CATTLE_SERVER=https://rancher.kvaliteta.com CATTLE_SERVER_VERSION=v2.7.5
INFO: Using resolv.conf: nameserver 10.43.0.10 search cattle-system.svc.kvaliteta.com svc.kvaliteta.com kvaliteta.com options ndots:5
INFO: https://rancher.kvaliteta.com/ping is accessible
INFO: rancher.kvaliteta.com resolves to 192.168.1.46
time="2023-08-10T10:57:56Z" level=info msg="Listening on /tmp/log.sock"
time="2023-08-10T10:57:56Z" level=info msg="Rancher agent version v2.7.5 is starting"
time="2023-08-10T10:57:56Z" level=info msg="Certificate details from https://rancher.kvaliteta.com"
time="2023-08-10T10:57:56Z" level=info msg="Certificate #0 (https://rancher.kvaliteta.com)"
time="2023-08-10T10:57:56Z" level=info msg="Subject: CN=*.kavliteta.com,OU=MOSIP,O=ORG,L=TVM,ST=KER,C=IN"
time="2023-08-10T10:57:56Z" level=info msg="Issuer: CN=*.kavliteta.com,OU=MOSIP,O=ORG,L=TVM,ST=KER,C=IN"
time="2023-08-10T10:57:56Z" level=info msg="IsCA: true"
time="2023-08-10T10:57:56Z" level=info msg="DNS Names: [*.kvaliteta.com]"
time="2023-08-10T10:57:56Z" level=info msg="IPAddresses: "
time="2023-08-10T10:57:56Z" level=info msg="NotBefore: 2023-08-10 10:54:16 +0000 UTC"
time="2023-08-10T10:57:56Z" level=info msg="NotAfter: 2025-07-10 10:54:16 +0000 UTC"
time="2023-08-10T10:57:56Z" level=info msg="SignatureAlgorithm: SHA256-RSA"
time="2023-08-10T10:57:56Z" level=info msg="PublicKeyAlgorithm: RSA"
time="2023-08-10T10:57:56Z" level=fatal msg="Certificate chain is not complete, please check if all needed intermediate certificates are included in the server certificate (in the correct order) and if the cacerts setting in Rancher either contains the correct CA certificate (in the case of using self signed certificates) or is empty (in the case of using a certificate signed by a recognized CA). Certificate information is displayed above. error: Get "https://rancher.kvaliteta.com": x509: certificate signed by unknown authority"
sudo docker run -it --mount type=volume,src='gensslcerts',dst=/home/mosip/ssl,volume-driver=local \
  -e VALIDITY=700 \
  -e COUNTRY=IN \
  -e STATE=KER \
  -e LOCATION=TVM \
  -e ORG=Kvaliteta \
  -e ORG_UNIT=MOSIP \
  -e COMMON_NAME=*.kavliteta.com \
  -v /home/kvaliteta/mosip-utilities/openssl/entrypoint.sh:/home/mosip/entrypoint.sh \
  mosipdev/openssl:latest
#!/bin/bash
# Generate a self-signed certificate and key from the environment passed to the container.
sudo openssl req -x509 -nodes -days $VALIDITY -newkey rsa:2048 \
  -keyout /home/$(whoami)/ssl/private/nginx-selfsigned.key \
  -out /home/$(whoami)/ssl/certs/nginx-selfsigned.crt \
  -addext "subjectAltName = DNS:*.kvaliteta.com" \
  -subj "/C=$COUNTRY/ST=$STATE/L=$LOCATION/O=ORG/OU=$ORG_UNIT/CN=$COMMON_NAME/"
kvaliteta@obs-ngnix:~/mosip-utilities/openssl$
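The failure in the agent log above, reproduced as an added example (not code from this thread or from Rancher): Go's x509 verifier, whose error text the log shows, rejects a self-signed certificate until it is handed that certificate as a trust root, and it matches hostnames against the SAN, not the CN. The certificate is a constructed stand-in with the CN and SAN from the log; `selfSigned` and `check` are hypothetical helper names.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSigned builds a constructed stand-in for the logged cert: self-signed, IsCA, CN and SAN as logged.
func selfSigned() (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:   pkix.Name{CommonName: "*.kavliteta.com"}, // CN from the log
		DNSNames:  []string{"*.kvaliteta.com"},              // SAN from the log
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(0, 0, 700),
	}
	// Template used as its own parent: issuer == subject, as in the log.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// check verifies cert for host; trustCert decides whether the verifier was given the cert as a trust root.
func check(cert *x509.Certificate, host string, trustCert bool) error {
	roots := x509.NewCertPool() // empty pool: nothing is trusted yet
	if trustCert {
		roots.AddCert(cert)
	}
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

func main() {
	cert, err := selfSigned()
	if err != nil {
		panic(err)
	}
	fmt.Println(check(cert, "rancher.kvaliteta.com", false)) // no trust root supplied
	fmt.Println(check(cert, "rancher.kvaliteta.com", true))  // cert supplied as root
	fmt.Println(check(cert, "rancher.kavliteta.com", true))  // name present only in the CN
}
```

The first call returns the same `x509: certificate signed by unknown authority` error as the agent log, and the third fails on the hostname even with the certificate trusted.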
Hello @sanchi-singh24, was this error fixed? Am currently facing the same issue.
Let me check with my devOps team and get back to you on this.
Okay then. Let me wait for your update from the devops team.
@mazboko can you please follow this document, "Adding TLS Secrets | Rancher", to add the Rancher nginx SSL certificate to rancher-ui and cattle-system?
Many thanks. How do I go about the error when installing Kafka? The chart repo cannot be reached.
If the error is not related, please open another thread. This will help any newcomers to understand the issue better.
Hi @mazboko
For your kafka issue you can open a new thread with us and we will guide you through the process. It will be easy for you to understand the solution from our end.
Regards,
Team MOSIP