This is due to the cattle-webhook-tls secret in the cattle-system namespace (typically within the Rancher Management cluster) having expired.
You can confirm this by checking the rancher pod logs in the cattle-system namespace; an error similar to the one below should be seen:
2022/06/27 13:02:23 [ERROR] API error response 500 for POST /v3-public/activeDirectoryProviders/activedirectory?action=login. Cause: Internal error occurred: failed calling webhook "rancherauth.cattle.io": Post "https://rancher-webhook.cattle-system.svc:443/v1/webhook/validation?timeout=10s": x509: certificate has expired or is not yet valid: current time 2022-06-27T15:01:01Z is after 2022-02-18T11:17:18Z
Confirm the cattle-webhook-tls secret's certificate expiry date (k below is an alias for kubectl):
$ k -n cattle-system get secret cattle-webhook-tls -o jsonpath='{ .data.tls\.crt }' | base64 -d | openssl x509 -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 5536570337783795717 (0x4cd5d96361915005)
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: O = dynamiclistener-org, CN = dynamiclistener-ca
        Validity
            Not Before: Feb 18 11:17:18 2021 GMT
            Not After : Feb 18 11:17:18 2022 GMT
Back up the existing secret (just in case):
$ k -n cattle-system get secret -o yaml cattle-webhook-tls > cattle-webhook-tls.orig.secret.yaml
Delete the secret and restart (delete) the rancher-webhook pod so that the webhook regenerates the secret with a new certificate:
# Delete cattle-webhook-tls
$ k -n cattle-system delete secrets cattle-webhook-tls
# Delete rancher-webhook pod
$ k -n cattle-system delete pod rancher-webhook-b5b7b76c4-w2grs
Confirm the new cattle-webhook-tls secret's certificate expiry date:
$ k -n cattle-system get secret cattle-webhook-tls -o jsonpath='{ .data.tls\.crt }' | base64 -d | openssl x509 -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 524978744967777451 (0x7491963186f4cab)
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: O = dynamiclistener-org, CN = dynamiclistener-ca
        Validity
            Not Before: Feb 18 11:17:18 2021 GMT
            Not After : Jun 27 13:14:44 2023 GMT
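The same check and rotation as a script, so the expiry can be caught before logins start failing rather than after. This is an added example, not part of the original article; it assumes kubectl and openssl are on PATH, that the webhook runs from a deployment named rancher-webhook, and uses a 14-day warning window.

```shell
#!/bin/sh
# Added example (not from the original article): detect an expired or
# soon-to-expire cattle-webhook-tls certificate and rotate it using the
# steps above. Namespace and secret names are from the article; the
# deployment name and the 14-day warning window are assumptions.
set -u

NS=cattle-system
SECRET=cattle-webhook-tls
DEPLOY=rancher-webhook   # assumed name of the deployment behind the webhook pod

# cert_status PEM_FILE [DAYS]
# Prints "unreadable", "expired", "expiring" (within DAYS days) or "ok".
cert_status() {
  pem=$1
  days=${2:-14}
  if ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
    echo unreadable
  elif ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
    echo expired
  elif ! openssl x509 -in "$pem" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
    echo expiring
  else
    echo ok
  fi
}

# fetch_cert OUTFILE: extract tls.crt from the secret, as the article does
fetch_cert() {
  kubectl -n "$NS" get secret "$SECRET" -o jsonpath='{.data.tls\.crt}' | base64 -d > "$1"
}

# rotate: back up, delete the secret, restart the webhook so it re-issues
rotate() {
  kubectl -n "$NS" get secret "$SECRET" -o yaml > "$SECRET.orig.secret.yaml"
  kubectl -n "$NS" delete secret "$SECRET"
  kubectl -n "$NS" rollout restart deployment "$DEPLOY"
  kubectl -n "$NS" rollout status deployment "$DEPLOY" --timeout=120s
}

main() {
  tmp=$(mktemp)
  fetch_cert "$tmp"
  status=$(cert_status "$tmp")
  echo "$SECRET: $status ($(openssl x509 -in "$tmp" -noout -enddate))"
  rm -f "$tmp"
  [ "$status" = ok ] || rotate
}

# Only touch the cluster when invoked as: ./check-webhook-cert.sh run
if [ "${1:-}" = run ]; then main; fi
```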