
@clemenko
Last active September 16, 2025 04:45

setting up Rancher with certs - example

Docs : https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/resources/add-tls-secrets

install rke2

curl -sfL https://get.rke2.io |  sh -

set up env

# single quotes keep $PATH unexpanded in ~/.bashrc, so it is resolved at login rather than frozen now
echo 'export KUBECONFIG=/etc/rancher/rke2/rke2.yaml PATH=$PATH:/usr/local/bin/:/var/lib/rancher/rke2/bin/' >> ~/.bashrc
source ~/.bashrc

install helm

curl -s https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash

add repos

helm repo add rancher-latest https://releases.rancher.com/server-charts/latest --force-update 
helm repo add jetstack https://charts.jetstack.io --force-update 

install cert-manager

helm upgrade -i cert-manager jetstack/cert-manager -n cert-manager --create-namespace --set crds.enabled=true 

add secrets

kubectl create ns cattle-system

kubectl -n cattle-system create secret tls tls-rancher-ingress --cert=/root/star.rfed.io.cert --key=/root/star.rfed.io.key

kubectl -n cattle-system create secret generic tls-ca --from-file=/root/cacerts.pem 

install rancher with tls certs

helm upgrade -i rancher rancher-latest/rancher -n cattle-system --create-namespace --set hostname=rancher.rfed.io --set bootstrapPassword=bootStrapAllTheThings --set replicas=1 --set ingress.tls.source=secret --set ingress.tls.secretName=tls-rancher-ingress --set privateCA=true 
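A preflight check for the files handed to the two kubectl create secret commands above, run before the chart is installed with privateCA=true. This is an added example, not part of the gist; it assumes openssl and sha256sum are on the host, and the function names and arguments are mine. The checksum it prints is the SHA-256 of the CA PEM, which is what Rancher's system-agent-install.sh compares the registration command's --ca-checksum against after downloading /cacerts (the content Rancher serves from the tls-ca secret).

```shell
#!/bin/sh
# Added example: sanity-check the cert, key and CA before they become the
# tls-rancher-ingress and tls-ca secrets. Requires openssl and sha256sum.
# Usage: check_rancher_tls <hostname> <cert.pem> <key.pem> <cacerts.pem>

# Does the private key belong to the certificate? Compare the public keys
# derived from each; a mismatch makes the ingress TLS handshake fail.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Does the certificate chain up to the CA that goes into tls-ca? With
# privateCA=true that CA is the only trust anchor the agents receive.
# -untrusted lets intermediates bundled in the same file be used.
cert_chains_to_ca() {
    openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

# Does the certificate actually cover the hostname passed to the chart?
# openssl exits 0 either way, so the verdict is read from its output.
cert_covers_host() {
    openssl x509 -in "$2" -noout -checkhost "$1" 2>/dev/null | grep -q "does match"
}

# SHA-256 of the CA PEM, the value the registration command's
# --ca-checksum must carry for the agent's checksum validation to pass.
ca_checksum() {
    sha256sum "$1" | awk '{print $1}'
}

# Runs all checks; returns non-zero and names the first failing check.
check_rancher_tls() {
    host=$1; cert=$2; key=$3; ca=$4
    key_matches_cert "$cert" "$key"  || { echo "FAIL: key does not match certificate"; return 1; }
    cert_chains_to_ca "$cert" "$ca"  || { echo "FAIL: certificate does not verify against $ca"; return 1; }
    cert_covers_host "$host" "$cert" || { echo "FAIL: certificate does not cover $host"; return 1; }
    echo "OK: expected --ca-checksum $(ca_checksum "$ca")"
}
```

For the gist's own files the call is check_rancher_tls rancher.rfed.io /root/star.rfed.io.cert /root/star.rfed.io.key /root/cacerts.pem.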
@clemenko
Author

There are a lot of variables to check. What does your config.yaml look like on the server and the agent nodes?
Did you change certs?
What does the network look like for the nodes?

@ShubhamDesai17

Thank you @clemenko

I'm using RKE2 with Rancher installed via Helm in the cattle-system namespace.
I did not set a config.yaml manually for Rancher itself, but here are the relevant Helm values passed during installation:

hostname:
replicas: 3
ingress:
  enabled: true
  tls:
    source: secret
    secretName: tls-ingress
privateCA: true

The tls-ingress secret contains:
tls.crt: TLS certificate (authorized CA), with the full chain, including the intermediate
tls.key: Private key
and I also created a secret with the root CA.

I have created a cluster on Rancher and am using the node registration command provided by the Rancher UI. Here's the structure of the command I'm using:
curl -fL https:///system-agent-install.sh | sudo sh -s - --server https:// --label 'cattle.io/os=linux' --token --ca-checksum --etcd --controlplane

The agent successfully:
Connects to Rancher
Downloads the system-agent binary and uninstall script
But times out when trying to fetch Rancher connection info:

[ERROR] 000 received while downloading Rancher connection information. Sleeping for 5 seconds and trying again
curl: (28) Operation timed out after 60002 milliseconds with 0 bytes received

Steps I followed:

  1. Deploy Rancher on RKE2 cluster using Helm with TLS certificate.
  2. Access Rancher via https:// , UI loads correctly in the browser.
  3. Create a custom cluster on rancher UI and copy the node registration command.
  4. Run the node registration script on a separate Ubuntu machine.
  5. Observe the timeout during "downloading Rancher connection information".

For additional information:

[image attached]

@clemenko
Author

Oh cool. Did you blank out the server name in the command curl -fL https:///system-agent-install.sh | sudo sh -s - --server https:// --label 'cattle.io/os=linux' --token --ca-checksum --etcd --controlplane or was it like that from the system?

@clemenko
Author

Also what kind of cluster are you adding? I am running "Import Existing" and it gives me the following curl. Notice the full url.

[Screenshot 2025-09-15 at 1 15 01 PM]

Similar with create.

[Screenshot 2025-09-15 at 1 16 51 PM]

@ShubhamDesai17

I have created a custom cluster using the Rancher UI
and tried to run the registration command on each of the nodes, defining the role as controlplane, etcd or worker.
My command is as shown in the 2nd screenshot.

@clemenko
Author

Can you confirm that A. command has a server address in it like "rancher.rfed.io" in mine. And B. That the nodes have 443/6443 access to the Rancher server?

@ShubhamDesai17

Yes, the command has the server address, and the nodes also have 443/6443 access.
I troubleshot a little and think this is a problem related to token validation or authentication.

@clemenko
Author

Is there a script output from the node itself?

@ShubhamDesai17

I saw the Rancher script to register a new node (system-agent-install.sh).
I am stuck at connecting to https:///v3/connect/register

When I manually try to curl this URL, I get a 401 authentication error.

@clemenko
Author

Are you able to join the Rancher Users Slack https://slack.rancher.io/ ? That would be a better place to post logs and other conversations.

@ShubhamDesai17

Sure, thank you!
