K8S 证书过期，报错：Unable to connect to the server: x509: certificate has expired or is not yet valid 解决方法

1、查看证书有效期

kubeadm certs check-expiration

# 看到 invalid 全是过期的
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Sep 14, 2022 14:01 UTC   <invalid>                               no      
apiserver                  Sep 14, 2022 14:01 UTC   <invalid>       ca                      no      
apiserver-etcd-client      Sep 14, 2022 14:01 UTC   <invalid>       etcd-ca                 no      
apiserver-kubelet-client   Sep 14, 2022 14:01 UTC   <invalid>       ca                      no      
controller-manager.conf    Sep 14, 2022 14:01 UTC   <invalid>                               no      
etcd-healthcheck-client    Sep 14, 2022 14:01 UTC   <invalid>       etcd-ca                 no      
etcd-peer                  Sep 14, 2022 14:01 UTC   <invalid>       etcd-ca                 no      
etcd-server                Sep 14, 2022 14:01 UTC   <invalid>       etcd-ca                 no      
front-proxy-client         Sep 14, 2022 14:01 UTC   <invalid>       front-proxy-ca          no      
scheduler.conf             Sep 14, 2022 14:01 UTC   <invalid>                               no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Sep 12, 2031 14:01 UTC   8y              no      
etcd-ca                 Sep 12, 2031 14:01 UTC   8y              no      
front-proxy-ca          Sep 12, 2031 14:01 UTC   8y              no


# 或者用 openssl 方法，查看也是过期的
openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text |grep 'Not'
            Not Before: Sep 14 14:01:12 2021 GMT
            Not After : Sep 14 14:01:12 2022 GMT

2、证书备份

1	`cp -rp /etc/kubernetes /etc/kubernetes.bak`

3、重新生成证书，使用该命令不用提前删除过期证书

1	`kubeadm certs renew all`

4、再查看证书有效期

# 显示已经到2023年
x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text |grep 'Not'
            Not Before: Sep 14 14:01:12 2021 GMT
            Not After : Sep 15 01:53:20 2023 GMT

5、更新用户证书凭证

1	`cp /etc/kubernetes/admin.conf ~/.kube/config`

6、重启 kubelet

1	`systemctl restart kubelet`

7、重启apiserver，scheduler，controller-manager 容器

docker ps | grep apiserver
docker ps | grep scheduler
docker ps | grep controller-manager

docker restart containerID

8、检测状态，成功

systemctl status kubelet


# 成功
● kubelet.service - kubelet: The Kubernetes Node Agent
   Loaded: loaded (/usr/lib/systemd/system/kubelet.service; enabled; vendor preset: disabled)
  Drop-In: /usr/lib/systemd/system/kubelet.service.d
           └─10-kubeadm.conf
   Active: active (running) since Thu 2022-09-15 09:56:24 CST; 2min 6s ago
     Docs: https://kubernetes.io/docs/
 Main PID: 10193 (kubelet)
    Tasks: 15
   Memory: 42.5M
   CGroup: /system.slice/kubelet.service
           └─10193 /usr/bin/kubelet --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf --config=/var/lib/kubelet/config.yaml --network-plugin=cni --pod-infra-container-image=registry.aliyu...

运维

#命令 #K8S

K8S 证书过期，报错：Unable to connect to the server: x509: certificate has expired or is not yet valid 解决方法

https://johnnysxy.github.io/2023/05/18/K8S-证书过期，报错：Unable-to-connect-to-the-server-x509-certificate-has-expired-or-is-not-yet-valid-解决方法/

作者

Johnny Song

发布于

2023年5月18日

许可协议

FileBeat-Log配置详解上一篇

Zabbix配置钉钉告警下一篇