This morning, shortly after starting work I was sent a message about a problem with an application being deployed into our prod environment.
Get "https://10.96.0.1:443/api/v1?timeout=32s": x509: certificate has expired or is not yet valid: current time 2022-10-26T08:42:46Z is after 2022-10-24T13:25:26Z
Now, I'm fairly new to Kubernetes, but this seems like it should be a simple fix: I just need to replace the expired certificate with the new one and restart the service, right? But then, it's never really as simple as that, is it? Well, it actually is almost as simple as that. I did make a wee mistake that I'll get to later; first let's check that the cluster certificates actually have expired. Open a connection to the server(s) that your master nodes are running on, and run this command:
[root@RYD1KMASTERPRD02 ~]# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Oct 24, 2022 13:26 UTC <invalid> no
apiserver Oct 24, 2022 13:26 UTC <invalid> ca no
apiserver-etcd-client Oct 24, 2022 13:26 UTC <invalid> etcd-ca no
apiserver-kubelet-client Oct 24, 2022 13:26 UTC <invalid> ca no
controller-manager.conf Oct 24, 2022 13:26 UTC <invalid> no
etcd-healthcheck-client Oct 24, 2022 13:26 UTC <invalid> etcd-ca no
etcd-peer Oct 24, 2022 13:26 UTC <invalid> etcd-ca no
etcd-server Oct 24, 2022 13:26 UTC <invalid> etcd-ca no
front-proxy-client Oct 24, 2022 13:26 UTC <invalid> front-proxy-ca no
scheduler.conf Oct 24, 2022 13:26 UTC <invalid> no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Oct 22, 2031 13:25 UTC 8y no
etcd-ca Oct 22, 2031 13:25 UTC 8y no
front-proxy-ca Oct 22, 2031 13:25 UTC 8y no
(FYI, I'm writing this on the afternoon of the 26th of October.) So, as we can see, these certificates have expired and all need to be replaced. This can be done in a single command:
kubeadm certs renew all
This will renew all of the above certificates for you on the node you run it from. You'll also need to update your admin kubeconfig so that it refers to the new certificates; you can copy the renewed one from /etc/kubernetes/admin.conf.
You now also need to copy these certificates to all other master nodes. This was the mistake I made: I had assumed that kubeadm would magically replicate the certificates and I wouldn't have to, and to my surprise I was now intermittently getting the expired certificate error. It was only afterwards that I realised the other master nodes also needed the certificates replacing. Yes, it seems obvious to me in hindsight, but I've learned something new, so it's a success in my book.
Having copied the certificates from the first master to the others, you'll notice that none of your kube services are using them yet; they have to be restarted before they can pick them up. The following commands will do that for you:
kubectl -n kube-system delete pod -l 'component=kube-apiserver'
kubectl -n kube-system delete pod -l 'component=kube-controller-manager'
kubectl -n kube-system delete pod -l 'component=kube-scheduler'
kubectl -n kube-system delete pod -l 'component=etcd'
Once you've done that, your cluster should be back to normal, operating as expected.
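As an added example (not part of the original post, and not kubeadm's own tooling), here is a small POSIX shell script that turns the manual procedure above into something you can run from cron or a monitoring job before the certificates actually expire: it parses the output of "kubeadm certs check-expiration", lists certificates that are already expired or will expire within a given number of days, and maps expired certificates to the control-plane components that need restarting (using the same component labels as the kubectl commands above). The sample output embedded in the script is constructed from the table in the post, with a couple of extra rows added to show the residual-time parsing; the mapping from certificate names to components is an assumption based on which component uses each certificate, and the thresholds are arbitrary.

```shell
#!/bin/sh
# Constructed sample of `kubeadm certs check-expiration` output. On a real
# master node you would capture it with: OUT=$(kubeadm certs check-expiration)
SAMPLE_OUTPUT='[check-expiration] Reading configuration from the cluster...
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Oct 24, 2022 13:26 UTC   <invalid>                               no
apiserver                  Oct 24, 2022 13:26 UTC   <invalid>       ca                      no
apiserver-kubelet-client   Oct 20, 2023 13:26 UTC   359d            ca                      no
etcd-peer                  Oct 26, 2022 20:00 UTC   11h             etcd-ca                 no
etcd-server                Nov 15, 2022 13:26 UTC   20d             etcd-ca                 no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Oct 22, 2031 13:25 UTC   8y              no
'

# Print the names of certificates whose residual time is <invalid>, i.e.
# certificates that have already expired (the state the post describes).
expired_certs() {
  printf '%s\n' "$1" | awk '/<invalid>/ { print $1 }'
}

# Print the names of certificates (CAs included) that are expired or will
# expire within $1 days. kubeadm prints residual time as Ny, Nd, Nh or Nm;
# hours and minutes are treated as "less than one day".
certs_expiring_within() {
  limit="$1"
  printf '%s\n' "$2" | awk -v limit="$limit" '
    /^\[/ || /^CERTIFICATE/ || NF == 0 { next }   # skip log lines, headers, blanks
    {
      days = 1e9                                   # sentinel: row without a residual field
      for (i = 2; i <= NF; i++) {
        if ($i == "<invalid>") { days = -1; break }
        if ($i ~ /^[0-9]+[ydhm]$/) {
          n = substr($i, 1, length($i) - 1)
          u = substr($i, length($i))
          days = (u == "y") ? n * 365 : (u == "d") ? n : 0
          break
        }
      }
      if (days <= limit) print $1
    }'
}

# Map expired certificates to the static-pod component that must be restarted
# after renewal. The mapping is an assumption about which component uses each
# certificate; admin.conf is a kubeconfig you copy out, not a pod to restart.
pods_to_restart() {
  expired_certs "$1" | while read -r name; do
    case "$name" in
      apiserver|apiserver-etcd-client|apiserver-kubelet-client|front-proxy-client)
        echo kube-apiserver ;;
      controller-manager.conf) echo kube-controller-manager ;;
      scheduler.conf)          echo kube-scheduler ;;
      etcd-*)                  echo etcd ;;
      admin.conf)              ;;
    esac
  done | sort -u
}

# Emit (but do not run) the restart commands from the post for each component.
restart_commands() {
  pods_to_restart "$1" | while read -r component; do
    echo "kubectl -n kube-system delete pod -l 'component=$component'"
  done
}

# Stand-alone demo on the constructed sample.
echo "Expired:";            expired_certs "$SAMPLE_OUTPUT"
echo "Expiring within 30d:"; certs_expiring_within 30 "$SAMPLE_OUTPUT"
echo "Restart after renew:"; restart_commands "$SAMPLE_OUTPUT"
```

Replace SAMPLE_OUTPUT with the real command's output on each master node, and remember that the post's lesson still applies: after "kubeadm certs renew all" the renewed files have to be copied to every other master node before the restart commands are run there, and the expiry check should be repeated on each node, since the script only sees the node it runs on.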
I hope that this has been helpful. If you have read it and have any questions/queries/comments, please feel free to send me an email to the address in the footer of this page. (Adding a comments section is on my to-do list)