
Failed to get /health for host - remote error: tls: bad certificate

Getting `Failed to get /health for host - remote error: tls: bad certificate` when trying to upgrade an existing cluster. No modifications to the certificates have been made.

RKE version: rke version v0.2.1

Docker version:

```
Client:
 Version:           18.06.3-ce
 API version:       1.38
 Go version:        go1.10.3
 Git commit:        d7080c1
 Built:             Wed Feb 20 02:27:18 2019
 OS/Arch:           linux/amd64
 Experimental:      false

Server:
 Engine:
  Version:          18.06.3-ce
  API version:      1.38 (minimum version 1.12)
  Go version:       go1.10.3
  Git commit:       d7080c1
  Built:            Wed Feb 20 02:26:20 2019
  OS/Arch:          linux/amd64
  Experimental:     false
```

Operating system and kernel: (cat /etc/os-release, uname -r preferred) 16.04.4 LTS (Xenial Xerus) 4.4.0-116-generic

Type/provider of hosts: (VirtualBox/Bare-metal/AWS/GCE/DO) ESXi Virtual Machine

cluster.yml file:

```
nodes:
  - address: 10.10.7.121
    user: daniel
    role: [controlplane,worker,etcd]
  - address: 10.10.7.122
    user: daniel
    role: [controlplane,worker,etcd]
  - address: 10.10.7.123
    user: daniel
    role: [controlplane,worker,etcd]

services:
  etcd:
    snapshot: true
    creation: 6h
    retention: 24h
```

Steps to Reproduce: ./rke -d up

Results:

```
...
DEBU[0028] [remove/rke-log-linker] Container doesn't exist on host [10.10.7.123] 
DEBU[0028] [etcd] Checking image [rancher/rke-tools:v0.1.27] on host [10.10.7.123] 
DEBU[0028] Checking if image [rancher/rke-tools:v0.1.27] exists on host [10.10.7.123] 
DEBU[0028] Image [rancher/rke-tools:v0.1.27] exists on host [10.10.7.123] 
DEBU[0028] [etcd] No pull necessary, image [rancher/rke-tools:v0.1.27] exists on host [10.10.7.123] 
INFO[0029] [etcd] Successfully started [rke-log-linker] container on host [10.10.7.123] 
DEBU[0029] [remove/rke-log-linker] Checking if container is running on host [10.10.7.123] 
DEBU[0029] [remove/rke-log-linker] Removing container on host [10.10.7.123] 
INFO[0029] [remove/rke-log-linker] Successfully removed container on host [10.10.7.123] 
DEBU[0029] [etcd] Successfully created log link for Container [etcd] on host [10.10.7.123] 
INFO[0029] [etcd] Successfully started etcd plane.. Checking etcd cluster health 
DEBU[0029] [etcd] Check etcd cluster health             
DEBU[0029] Failed to get /health for host [10.10.7.121]: Get https://10.10.7.121:2379/health: remote error: tls: bad certificate 
DEBU[0034] Failed to get /health for host [10.10.7.121]: Get https://10.10.7.121:2379/health: remote error: tls: bad certificate 
DEBU[0039] Failed to get /health for host [10.10.7.121]: Get https://10.10.7.121:2379/health: remote error: tls: bad certificate 
DEBU[0044] [etcd] Check etcd cluster health             
DEBU[0045] Failed to get /health for host [10.10.7.122]: Get https://10.10.7.122:2379/health: remote error: tls: bad certificate 
DEBU[0050] Failed to get /health for host [10.10.7.122]: Get https://10.10.7.122:2379/health: remote error: tls: bad certificate 
DEBU[0055] Failed to get /health for host [10.10.7.122]: Get https://10.10.7.122:2379/health: remote error: tls: bad certificate 
DEBU[0060] [etcd] Check etcd cluster health             
DEBU[0060] Failed to get /health for host [10.10.7.123]: Get https://10.10.7.123:2379/health: remote error: tls: bad certificate 
DEBU[0065] Failed to get /health for host [10.10.7.123]: Get https://10.10.7.123:2379/health: remote error: tls: bad certificate 
DEBU[0070] Failed to get /health for host [10.10.7.123]: Get https://10.10.7.123:2379/health: remote error: tls: bad certificate 
FATA[0075] [etcd] Failed to bring up Etcd Plane: [etcd] Etcd Cluster is not healthy 
```
rancher/rke

Answer by ChrisHaPunkt

Same here. Broke my cluster with that. Downgraded rke to 0.1.17 and re-up'ed my config with placed-working-kube_config. Works again.

Edit: Tested with an experimental cluster: even a newly generated cluster (rke 0.2.1 + k8s 13.5) fails with error `tls: bad-certificate` when the same cluster.yml is run a second time against the same cluster with `rke up --config cluster.yml`.

Docker: 18.06 on RHEL 7.5
