How to validate the expiry of Kubernetes certificate?
Issue Description:
When running a kubectl command, the following error is thrown:
This error indicates that the Kubernetes certificates have expired. There are a few ways to renew these certificates. Note the two methods explained below.
Resolution:
Approach #1
This solution applies to versions that contain kubeadm, such as 21.10.3 and below. Follow these steps to renew the certificates:
Check the expiration date of the certificates with the following command:
- kubeadm alpha certs check-expiration
If all the certificates are expired, execute the following commands to renew them:
- $ cd /etc/kubernetes/pki/
- $ mv {apiserver.crt,apiserver-etcd-client.key,apiserver-kubelet-client.crt,front-proxy-ca.crt,front-proxy-client.crt,front-proxy-client.key,front-proxy-ca.key,apiserver-kubelet-client.key,apiserver.key,apiserver-etcd-client.crt} ~/
- $ kubeadm init phase certs all --apiserver-advertise-address
- $ cd /etc/kubernetes/
- $ mv {admin.conf,controller-manager.conf,kubelet.conf,scheduler.conf} ~/
- $ kubeadm init phase kubeconfig all
- $ systemctl restart docker && systemctl restart kubelet
- $ cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
Approach #2
If the version is newer, such as 22.4.1, kubeadm is not installed, and renewing the certificates is much easier. Simply restart rke2-server with the following command:
- systemctl restart rke2-server
This command will renew all the Kubernetes certificates.
After any of the solutions on attempting to run any kubectl command, It should work.