
[rancher-cli] rancher login --skip-verify leads to FATA[0000] CACerts is not valid #17909

Closed
arthurzenika opened this issue Feb 7, 2019 · 8 comments

Comments

@arthurzenika

arthurzenika commented Feb 7, 2019

What kind of request is this (question/bug/enhancement/feature request):

bug

Steps to reproduce (least amount of steps as possible):

# $ rancher login -h
Login to a Rancher server

Usage: 
  rancher login [OPTIONS] [SERVERURL]

Options:
   --context value          Set the context during login
   --token value, -t value  Token from the Rancher UI
   --cacert value           Location of the CACerts to use
   --name value             Name of the Server
   --skip-verify            Skip verification of the CACerts presented by the Server

# rancher  login --skip-verify --token token-xxx:xxxx https://kubernetes.example.org:8443/v3

Result:

FATA[0000] CACerts is not valid

Tried to download the certs and store them in a file, no better (or does the file need to be JSON?):

# rancher  login ---cacert ~/.rancher/cacerts -skip-verify --token token-xxx:xxxx https://kubernetes.example.org:8443/v3
FATA[0000] No cert was found

Other details that may be helpful:

Environment information

$ rancher --version
rancher version v2.2.0-rc5
@gitlawr
Contributor

gitlawr commented Apr 15, 2019

The error message is from validation for the CA attribute of cacerts.
According to the manual,

A CA certificate must include the basicConstraints value with the CA field set to TRUE. An end user certificate must either set CA to FALSE or exclude the extension entirely. Some software may require the inclusion of basicConstraints with CA set to FALSE for end entity certificates.

Can you check if your CA certificate includes the basicConstraints extension with the CA field set?

@nlevee

nlevee commented Jul 9, 2019

I have the same issue; my certificate extensions are like this:

X509v3 extensions:
    X509v3 Basic Constraints:
        CA:FALSE
    X509v3 Key Usage:
        Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment

@ainiml

ainiml commented Mar 6, 2020

I'm also getting this with an RKE + Helm install of Rancher

rancher login

FATA[0000] No cert was found

#25827

@ainiml

ainiml commented May 20, 2020

We also get the error "Certificate chain is not complete" in cattle-cluster-agent when installing Rancher with Helm using --set ingress.tls.source=rancher

NAMESPACE       NAME                      READY   UP-TO-DATE   AVAILABLE   AGE
cattle-system   cattle-cluster-agent      0/1     1            0           7m56s
cattle-system   rancher                   1/1     1            1           11m
cert-manager    cert-manager              1/1     1            1           12m
cert-manager    cert-manager-cainjector   1/1     1            1           12m
cert-manager    cert-manager-webhook      1/1     1            1           12m
ingress-nginx   default-http-backend      1/1     1            1           12m
kube-system     coredns                   1/1     1            1           12m
kube-system     coredns-autoscaler        1/1     1            1           12m
kube-system     metrics-server            1/1     1            1           12m
time="2020-05-20T04:47:44Z" level=info msg="Subject: CN=Fake LE Intermediate X1"
time="2020-05-20T04:47:44Z" level=info msg="Issuer: CN=Fake LE Root X1"
time="2020-05-20T04:47:44Z" level=info msg="IsCA: true"
time="2020-05-20T04:47:44Z" level=info msg="DNS Names: <none>"
time="2020-05-20T04:47:44Z" level=info msg="IPAddresses: <none>"
time="2020-05-20T04:47:44Z" level=info msg="NotBefore: 2016-05-23 22:07:59 +0000 UTC"
time="2020-05-20T04:47:44Z" level=info msg="NotAfter: 2036-05-23 22:07:59 +0000 UTC"
time="2020-05-20T04:47:44Z" level=info msg="SignatureAlgorithm: SHA256-RSA"
time="2020-05-20T04:47:44Z" level=info msg="PublicKeyAlgorithm: RSA"
time="2020-05-20T04:47:44Z" level=fatal msg="Certificate chain is not complete, please check if all needed intermediate certificates are included in the server certificate (in the correct order) and if the cacerts setting in Rancher either contains the correct CA certificate (in the case of using self signed certificates) or is empty (in the case of using a certificate signed by a recognized CA). Certificate information is displayed above. error: Get https://dream.n7sa.com: x509: certificate signed by unknown authority"

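As an added illustration (not code from this thread or from the rancher CLI), the Go program below reproduces the two checks discussed here: the basicConstraints rule gitlawr quotes, which a CA:FALSE leaf certificate like the one in nlevee's extension dump fails, and the chain-completeness check behind the cattle-cluster-agent log above, where a leaf presented without its intermediate cannot be verified against the configured CA. Every certificate (a root, an intermediate and a leaf under the made-up names "Demo Root CA", "Demo Intermediate CA" and "rancher.example.test") is generated in memory; the function names ValidateCACerts, VerifyServerChain and Demo are my own, and hostname matching is left out to keep the focus on the authority checks.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// must panics on error; every certificate below is constructed in memory for the demo.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// certPair is a constructed demo certificate with its private key and PEM encoding.
type certPair struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
	pem  []byte
}

// makeCert builds a throwaway certificate; with parent == nil it is self-signed.
func makeCert(cn string, isCA bool, parent *certPair) *certPair {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, // always emit the basicConstraints extension ...
		IsCA:                  isCA, // ... with CA=TRUE only for the CA certificates
	}
	parentCert, signer := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer))
	return &certPair{must(x509.ParseCertificate(der)), key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})}
}

// ValidateCACerts applies the rule quoted in the thread: every certificate in the cacerts
// bundle must carry basicConstraints with CA=TRUE, so a CA:FALSE leaf certificate is rejected.
func ValidateCACerts(bundle []byte) error {
	found := 0
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return fmt.Errorf("CACerts is not valid: %w", err)
		}
		if !cert.BasicConstraintsValid || !cert.IsCA {
			return fmt.Errorf("CACerts is not valid: %q lacks basicConstraints CA:TRUE", cert.Subject.CommonName)
		}
		found++
	}
	if found == 0 {
		return fmt.Errorf("No cert was found") // the other error from the first post
	}
	return nil
}

// VerifyServerChain mirrors the cattle-cluster-agent check in the log above: the server's
// leaf must chain, through the intermediates it presented, to a CA in the cacerts bundle.
func VerifyServerChain(presented []*x509.Certificate, caBundle []byte) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caBundle) {
		return fmt.Errorf("cacerts contains no parseable certificate")
	}
	intermediates := x509.NewCertPool()
	for _, c := range presented[1:] {
		intermediates.AddCert(c)
	}
	_, err := presented[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates})
	return err
}

// Demo builds root -> intermediate -> leaf (all constructed) and runs each check; nil means it passed.
func Demo() map[string]error {
	root := makeCert("Demo Root CA", true, nil)
	inter := makeCert("Demo Intermediate CA", true, root)
	leaf := makeCert("rancher.example.test", false, inter)
	full := []*x509.Certificate{leaf.cert, inter.cert}
	return map[string]error{
		"leaf cert as cacerts":         ValidateCACerts(leaf.pem),
		"root cert as cacerts":         ValidateCACerts(root.pem),
		"full chain vs root":           VerifyServerChain(full, root.pem),
		"missing intermediate vs root": VerifyServerChain(full[:1], root.pem),
	}
}

func main() { fmt.Println(Demo()) }
```

Running it prints nil for "root cert as cacerts" and "full chain vs root", the CACerts error for the leaf used as a CA bundle, and an "unknown authority" error when the intermediate is missing from what the server presents. Note that AppendCertsFromPEM happily accepts the server's own leaf certificate as a "root", so the basicConstraints check is what catches that misconfiguration before any TLS connection is attempted.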

@mamiu

mamiu commented Oct 5, 2020

I also get this error when I run

rancher login https://my.local.demo.cluster/v3 --name demo --token token-d9xp4:2gbfc87... --skip-verify

The SSL certificate is a letsencrypt staging certificate from Fake LE Intermediate X1.

@wirwolf

wirwolf commented Jun 28, 2021

rancher --version
rancher version v2.4.5

curl -vvv -k https://rancher.******.net/
*   Trying 135.181.0.113:443...
* TCP_NODELAY set
* Connected to rancher.********.net (***.***.***.***) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=*.***********.net
*  start date: Mar 29 10:54:36 2021 GMT
*  expire date: Jun 27 10:54:36 2021 GMT
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify result: certificate has expired (10), continuing anyway.
* Using HTTP2, server supports multi-use

rancher login https://rancher.*****.net/v3 --skip-verify --token token-cn6rn:********* --context c-8s27q:p-dzzsx
FATA[0000] Get https://rancher.*****.net/v3: x509: certificate has expired or is not yet valid

@stale

stale bot commented Aug 27, 2021

This repository uses a bot to automatically label issues which have not had any activity (commit/comment/label) for 60 days. This helps us manage the community issues better. If the issue is still relevant, please add a comment to the issue so the bot can remove the label and we know it is still valid. If it is no longer relevant (or possibly fixed in the latest release), the bot will automatically close the issue in 14 days. Thank you for your contributions.

@stale stale bot added the status/stale label Aug 27, 2021
@stale stale bot closed this as completed Sep 10, 2021
@zube zube bot removed the [zube]: Done label Dec 9, 2021
@wjl

wjl commented Jul 29, 2023

Although this was "closed" in 2021, this issue still exists in July 2023; I encountered it while trying to work through the Rancher Academy Intro to Rancher video tutorial. My error message is slightly different, but verification is still not skipped when --skip-verify is provided:

rancher login --token token-6z4h4:cn5x8gpfbjpv7m7vsglprqv5wnrshcv7jwd7k5gwpngkvs748qm54d --skip-verify https://rapture.127.0.0.1.sslip.io
FATA[0000] Get "https://rapture.127.0.0.1.sslip.io/v3": x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "dynamiclistener-ca@1690659182")
