Kubernetes certificate expiry


[root@k8s-master ~]# kubectl get pods
Unable to connect to the server: x509: certificate has expired or is not yet valid

Check the certificate's validity period (it turns out to have already expired). The s_client pipeline below pulls the API server's serving certificate straight off port 6443 without verifying it, so it still works even though kubectl can no longer connect:

[root@k8s-master1 ~]# echo | openssl s_client -showcerts -connect localhost:6443 2>/dev/null | openssl x509 -inform pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 6728265650595807888 (0x5d5f99f61a39c290)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = kubernetes
        Validity
            Not Before: Jun 14 01:10:20 2022 GMT
            Not After : Jun 14 06:55:56 2023 GMT
        Subject: CN = kube-apiserver
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:b6:d7:40:53:d3:8d:b4:d3:50:96:86:eb:bd:7e:
                    87:46:0a:f0:73:92:91:52:b7:02:d8:f5:63:6e:ad:
                    ad:73:b8:16:75:f2:7c:96:86:b1:7f:c0:2b:78:d9:
                    81:b7:83:4f:64:ef:03:5e:df:62:ee:30:6d:09:0b:
                    fc:49:3f:8c:da:fe:d6:33:50:02:09:e1:65:1b:f1:
                    1f:99:2d:ea:ca:49:e0:07:76:87:93:df:8e:69:b7:
                    a5:62:55:2b:5f:bd:59:16:a8:bc:d2:b0:58:d7:f3:
                    7c:8a:2f:36:7b:0e:8e:6c:7b:7f:4c:be:28:61:c4:
                    3f:95:89:3b:1f:e6:63:ae:b3:c9:b6:ff:06:28:ec:
                    0b:89:fb:1d:80:35:ca:00:7b:fd:14:df:48:fb:06:
                    0d:1e:0f:f1:f4:a5:a7:7e:6d:a3:03:79:42:9f:c0:
                    86:c4:da:eb:36:6b:e8:c3:17:d7:b6:2d:4f:68:30:
                    c1:f3:fc:ed:c4:43:80:6e:9c:48:93:e7:82:53:71:
                    70:56:5b:79:3c:c1:84:1f:c9:86:39:c1:96:08:b5:
                    65:1d:06:15:60:0e:ad:f6:54:92:5f:70:96:36:f2:
                    a1:65:3c:5c:a1:6c:f8:27:bc:3f:09:c9:d3:d8:6a:
                    9b:6e:e5:f9:b5:c6:b6:1c:e9:37:9a:20:69:b3:a2:
                    a2:c1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Authority Key Identifier: 
                keyid:67:EF:FB:66:0A:1B:7E:C0:5E:EE:E8:CA:A9:95:A5:57:44:E1:87:6E

            X509v3 Subject Alternative Name: 
                DNS:k8s-etcd, DNS:k8s-etcd2, DNS:k8s-etcd3, DNS:k8s-etcd4, DNS:k8s-lb1, DNS:k8s-lb2, DNS:k8s-master1, DNS:k8s-master2, DNS:k8s-master3, DNS:k8s-node1, DNS:k8s-node3, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, IP Address:10.96.0.1, IP Address:192.168.101.17, IP Address:192.168.101.29, IP Address:192.168.101.18, IP Address:192.168.101.4, IP Address:192.168.101.5, IP Address:192.168.101.8, IP Address:192.168.101.13, IP Address:192.168.101.15, IP Address:192.168.101.19, IP Address:192.168.101.2, IP Address:192.168.101.25, IP Address:192.168.101.21, IP Address:127.0.0.1
    Signature Algorithm: sha256WithRSAEncryption
         39:9f:54:7d:4e:ee:25:83:2a:4c:e8:71:9d:a7:ed:42:ff:21:
         c0:69:7e:ef:f2:7d:b9:c9:5f:65:07:2e:e4:02:d3:b1:f6:cb:
         61:e7:6f:21:0d:99:9f:a1:37:51:a2:1d:77:27:2b:ed:d6:2c:
         f2:b0:2f:c5:93:e5:0e:bf:0c:d7:2b:fd:1c:bd:a7:8a:aa:67:
         9c:56:2f:ea:3e:7b:80:f0:50:69:8f:af:66:03:f2:b6:22:f8:
         5f:f6:32:42:15:78:74:04:1a:54:b1:41:44:72:a0:ae:ae:40:
         c1:cc:db:26:75:b4:6b:e9:2f:d5:ae:1b:15:b8:0d:c4:3e:29:
         59:bc:8d:5e:f7:a5:97:2c:fe:81:89:6d:03:9f:42:5e:66:84:
         6b:ab:48:fa:c9:9c:e4:b8:f6:23:90:3e:7c:10:e3:58:b3:90:
         d3:54:d2:bf:25:f8:86:df:c6:34:e2:e0:30:4f:db:e9:c0:57:
         46:c7:63:77:51:dc:3b:e8:c9:cc:d1:8d:a5:c5:57:f9:ee:6f:
         eb:ad:96:41:c4:84:5b:ae:1c:44:1d:21:2c:a1:0a:25:49:67:
         fb:17:7a:c8:62:5e:c5:55:85:f4:06:43:dd:62:40:01:b1:82:
         19:2c:01:0b:1a:0a:eb:16:80:98:0d:ca:ea:a2:99:91:42:d7:
         77:48:9f:d2

Renew the certificates

[root@k8s-master1 ~]#  kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[renew] Error reading configuration from the Cluster. Falling back to default configuration

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.

The line "Error reading configuration from the Cluster. Falling back to default configuration" is expected here: kubeadm first tries to read the kubeadm-config ConfigMap through the API server, and the API server's serving certificate is exactly what has expired. The renewal still succeeds because kubeadm uses the existing certificates on disk as the authoritative source for their attributes (Common Name, Organization, SANs) rather than the ConfigMap, and signs the new ones with the CA in /etc/kubernetes/pki, which (see the check below) remains valid until 2032.

The last line of the output is not optional. On a kubeadm control plane kube-apiserver, kube-controller-manager, kube-scheduler and etcd run as static pods managed by the local kubelet, so kubectl cannot restart them; temporarily move their manifests out of /etc/kubernetes/manifests/, wait about 20 seconds, and move them back so the components start with the renewed certificates.

Check the certificate status after renewal

[root@k8s-master1 ~]# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jul 02, 2024 02:48 UTC   364d            ca                      no      
apiserver                  Jul 02, 2024 02:48 UTC   364d            ca                      no      
apiserver-etcd-client      Jul 02, 2024 02:48 UTC   364d            etcd-ca                 no      
apiserver-kubelet-client   Jul 02, 2024 02:48 UTC   364d            ca                      no      
controller-manager.conf    Jul 02, 2024 02:48 UTC   364d            ca                      no      
etcd-healthcheck-client    Jul 02, 2024 02:48 UTC   364d            etcd-ca                 no      
etcd-peer                  Jul 02, 2024 02:48 UTC   364d            etcd-ca                 no      
etcd-server                Jul 02, 2024 02:48 UTC   364d            etcd-ca                 no      
front-proxy-client         Jul 02, 2024 02:48 UTC   364d            front-proxy-ca          no      
scheduler.conf             Jul 02, 2024 02:48 UTC   364d            ca                      no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jun 11, 2032 01:10 UTC   8y              no      
etcd-ca                 Jun 11, 2032 01:10 UTC   8y              no      
front-proxy-ca          Jun 11, 2032 01:10 UTC   8y              no      

Copy the renewed admin kubeconfig into the user's home directory

kubeadm renewed /etc/kubernetes/admin.conf in place, but kubectl reads the copy in $HOME/.kube/config, which still embeds the expired client certificate; until it is replaced, kubectl keeps failing with the same x509 error:

[root@k8s-master1 ~]# cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
cp: overwrite '/root/.kube/config'? y
[root@k8s-master1 ~]# 
[root@k8s-master1 ~]# kubectl get nodes
NAME          STATUS   ROLES           AGE    VERSION
k8s-master1   Ready    control-plane   384d   v1.24.1
k8s-master2   Ready    control-plane   384d   v1.24.1
k8s-master3   Ready    control-plane   383d   v1.24.1
k8s-node1     Ready    <none>          384d   v1.24.1
k8s-node3     Ready    <none>          384d   v1.24.1
k8s-node4     Ready    <none>          383d   v1.24.1
k8s-node6     Ready    <none>          335d   v1.24.3
node2         Ready    <none>          335d   v1.24.3

Repeat the renewal on every master (control-plane) node, overwriting the existing files. kubelet.conf does not appear in the list above because kubeadm configures the kubelet to rotate its own client certificate. Any other copies of admin.conf (other operators' ~/.kube/config, CI runners) also need the renewed file.
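The two inspection steps in this procedure (the s_client pipeline before the renewal and the expiry listing after it) can be scripted. The following is an added example and not code from the original post: it walks a kubeadm-style PKI directory (assumed to be /etc/kubernetes/pki, the kubeadm default used on these hosts), reports each certificate's notAfter date and whether it is OK, expiring within a warning window, or already expired, and can also pull the certificate off port 6443 the way the post does. The function names, the --demo switch and the throwaway self-signed certificates it generates for a stand-alone run are all constructed for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): automates the expiry check the
# post does by hand with `openssl s_client | openssl x509 -text`.
# Assumptions: openssl is installed; the PKI layout and port 6443 follow the
# kubeadm defaults used in the post. Date arithmetic is done by `openssl x509
# -checkend`, so there is no dependency on GNU date.

set -u

# not_after FILE -> prints the notAfter field, e.g. "Jun 14 06:55:56 2023 GMT"
not_after() {
  openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# valid_for FILE DAYS -> exit 0 if the certificate stays valid for at least
# DAYS more days, 1 if it expires inside that window (or already has).
valid_for() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# cert_status FILE DAYS -> prints OK, EXPIRING (within DAYS) or EXPIRED
cert_status() {
  if valid_for "$1" "$2"; then
    echo OK
  elif valid_for "$1" 0; then
    echo EXPIRING
  else
    echo EXPIRED
  fi
}

# scan_pki DIR DAYS -> one line per *.crt under DIR (kubeadm stores both the
# leaf certificates and the CAs as *.crt, with etcd's in the etcd/ subdir)
scan_pki() {
  local dir=$1 days=$2 f
  find "$dir" -name '*.crt' | sort | while read -r f; do
    printf '%-40s %-28s %s\n' "${f#"$dir"/}" "$(not_after "$f")" "$(cert_status "$f" "$days")"
  done
}

# fetch_apiserver_cert HOST PORT OUT -> saves the serving certificate presented
# on the wire (s_client does not verify, so this works on an expired cert too)
fetch_apiserver_cert() {
  echo | openssl s_client -connect "$1:$2" -showcerts 2>/dev/null \
    | openssl x509 -outform pem > "$3"
}

# make_sample_pki DIR -> constructed stand-in for /etc/kubernetes/pki: two
# throwaway self-signed certificates, each valid for 10 days from now
make_sample_pki() {
  local dir=$1
  mkdir -p "$dir/etcd"
  openssl req -x509 -newkey rsa:2048 -nodes -days 10 -subj '/CN=kube-apiserver' \
    -keyout "$dir/apiserver.key" -out "$dir/apiserver.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 10 -subj '/CN=etcd' \
    -keyout "$dir/etcd/server.key" -out "$dir/etcd/server.crt" 2>/dev/null
}

# `--demo` runs the scan against the constructed sample with a 30-day warning
# window, so both certificates show up as EXPIRING.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  make_sample_pki "$tmp"
  scan_pki "$tmp" 30
  rm -rf "$tmp"
fi
```

Saved as, say, check-expiry.sh, `bash check-expiry.sh --demo` exercises it against the generated sample. On a control-plane node, source the file and run `scan_pki /etc/kubernetes/pki 30` as root to get the same picture as `kubeadm certs check-expiration`, and `fetch_apiserver_cert localhost 6443 /tmp/apiserver.pem && cert_status /tmp/apiserver.pem 30` to confirm that the certificate actually served on 6443 is the renewed one, which is the check that tells you the static pods really restarted.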


Author: 千里
Reprint policy: Unless otherwise stated, all articles on this blog are published under the CC BY 4.0 license. If you reproduce them, please credit the source: 千里!