k8s问题记录 - 证书过期(Unable to connect to the server: x509: certificate has expired or is not yet valid)

检查证书

 kubeadm certs check-expiration
[root@master1 kubernetes]# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
W0518 11:04:54.843129   61229 utils.go:69] The recommended value for "clusterDNS" in "KubeletConfiguration" is: [10.233.0.10]; the provided value is: [169.254.25.10]

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 May 15, 2024 06:00 UTC   363d            ca                      no      
apiserver                  May 17, 2024 02:48 UTC   364d            ca                      no      
apiserver-kubelet-client   May 15, 2024 06:00 UTC   363d            ca                      no      
controller-manager.conf    May 15, 2024 06:00 UTC   363d            ca                      no      
front-proxy-client         May 15, 2024 06:00 UTC   363d            front-proxy-ca          no      
scheduler.conf             May 15, 2024 06:00 UTC   363d            ca                      no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      May 13, 2033 06:00 UTC   9y              no      
front-proxy-ca          May 13, 2033 06:00 UTC   9y              no      

手动更新所有证书

kubeadm alpha certs renew all

更新用户配置

kubeadm alpha kubeconfig user --client-name=admin
kubeadm alpha kubeconfig user --org system:masters --client-name kubernetes-admin  > /etc/kubernetes/admin.conf
kubeadm alpha kubeconfig user --client-name system:kube-controller-manager > /etc/kubernetes/controller-manager.conf
kubeadm alpha kubeconfig user --org system:nodes --client-name system:node:$(hostname) > /etc/kubernetes/kubelet.conf
kubeadm alpha kubeconfig user --client-name system:kube-scheduler > /etc/kubernetes/scheduler.conf

用更新后的admin.conf替换/root/.kube/config文件

cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
[root@master1 ~]# kubectl get nodes
Unable to connect to the server: x509: certificate has expired or is not yet valid
[root@master1 ~]# cd /etc/kubernetes/pki
[root@master1 pki]# openssl x509 -in apiserver.crt -noout -text |grep ' Not '
            Not Before: Aug  7 13:30:11 2021 GMT
            Not After : Aug  7 13:30:11 2022 GMT
[root@master1 pki]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration

W0220 23:39:44.971317   11117 configset.go:202] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Aug 07, 2022 13:30 UTC   <invalid>                               no
apiserver                  Aug 07, 2022 13:30 UTC   <invalid>       ca                      no
apiserver-etcd-client      Aug 07, 2022 13:30 UTC   <invalid>       etcd-ca                 no
apiserver-kubelet-client   Aug 07, 2022 13:30 UTC   <invalid>       ca                      no
controller-manager.conf    Aug 07, 2022 13:30 UTC   <invalid>                               no
etcd-healthcheck-client    Aug 07, 2022 13:30 UTC   <invalid>       etcd-ca                 no
etcd-peer                  Aug 07, 2022 13:30 UTC   <invalid>       etcd-ca                 no
etcd-server                Aug 07, 2022 13:30 UTC   <invalid>       etcd-ca                 no
front-proxy-client         Aug 07, 2022 13:30 UTC   <invalid>       front-proxy-ca          no
scheduler.conf             Aug 07, 2022 13:30 UTC   <invalid>                               no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Aug 05, 2031 13:30 UTC   8y              no
etcd-ca                 Aug 05, 2031 13:30 UTC   8y              no
front-proxy-ca          Aug 05, 2031 13:30 UTC   8y              no
[root@master1 pki]# kubeadm alpha certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
[renew] Error reading configuration from the Cluster. Falling back to default configuration

W0220 23:41:15.686121   11419 configset.go:202] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
[root@master1 pki]# ll
总用量 56
-rw-r--r-- 1 root root 1220 2月  20 23:41 apiserver.crt
-rw-r--r-- 1 root root 1090 2月  20 23:41 apiserver-etcd-client.crt
-rw------- 1 root root 1675 2月  20 23:41 apiserver-etcd-client.key
-rw------- 1 root root 1679 2月  20 23:41 apiserver.key
-rw-r--r-- 1 root root 1099 2月  20 23:41 apiserver-kubelet-client.crt
-rw------- 1 root root 1675 2月  20 23:41 apiserver-kubelet-client.key
-rw-r--r-- 1 root root 1025 8月   7 2021 ca.crt
-rw------- 1 root root 1679 8月   7 2021 ca.key
drwxr-xr-x 2 root root  162 8月   7 2021 etcd
-rw-r--r-- 1 root root 1038 8月   7 2021 front-proxy-ca.crt
-rw------- 1 root root 1675 8月   7 2021 front-proxy-ca.key
-rw-r--r-- 1 root root 1058 2月  20 23:41 front-proxy-client.crt
-rw------- 1 root root 1679 2月  20 23:41 front-proxy-client.key
-rw------- 1 root root 1679 8月   7 2021 sa.key
-rw------- 1 root root  451 8月   7 2021 sa.pub
[root@master1 pki]# openssl x509 -in apiserver.crt -noout -text |grep ' Not '
            Not Before: Aug  7 13:30:11 2021 GMT
            Not After : Feb 20 15:41:16 2024 GMT
[root@master1 pki]# cd /etc/kubernetes
[root@master1 kubernetes]# kubeadm alpha kubeconfig user --client-name=admin
I0220 23:44:51.209752   12126 version.go:252] remote version is much newer: v1.26.1; falling back to: stable-1.18
W0220 23:44:52.663332   12126 configset.go:202] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJeE1EZ3dOekV6TXpBeE1Wb1hEVE14TURnd05URXpNekF4TVZvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTmo4CkgrZW5lSEdWek9KTUJyK3dhQkxoOVhtTXVqSFpXcmVWT0ZxT0EvMENPdnllSEJ4dkJqNGM4SjRNeEJQd0R1NmQKMmEydXdKbHZpUm1ndWJIMllyT3VvY1hMem5jUUV4S2tzeG5KdzhocHVpMVAxK2tYd2hpaWFlRjhib25iTnFMWgovZ0RVQnB6aUI4ZkxGSE1lTXBmS3lYc0pWMjcxNG4xUnhVb1VobFlJaHpaNWZ2TlFYZUVXRkZxM1k2Rm5IUEFBClVoNUxhakNzc21NSVpuL0E4UUU5QlpqYTFXeEhlcHNGeEJoUTRiUFhnWXRWa0UwbEF0MzFnNVV4blhHSEU3OCsKazFNc3lvK0dOdVJRS2JUZHRkQ0Q2UzFwOWhnQ0JFSmdSeTFWOFV6ZkhabXZFVCttMk9WME9EY2w0SkxHWng4RApwbVZMa2J0bldhQ1lYOElxcVRjQ0F3RUFBYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFHdnB5cjNTQzRCRy9wTDA3b0pNMFFKWTkrZHIKWHhkYkROWS9oQmRzRXpiZWRkQnptZ0hnekF1eUN1UDE1SmZRSVA3YmxUZjdMTGF5Qk9EOHRPQ3dXdGhvM1VZNgpMSjN3TnRzTmE2MEFlaDd6aVVFaEVWdWJLekJFOEZLTUNMeitOZzk2YSsxRUhjeWZjU2YybTVaeFFUNWxaRk90CllpMjUzdFQzckpVMFdWcmtCeE1KOXY5YkxlMkpKWFVtLzdzSWJCWmVpdExXTEhNdkhYMDZMUWkwbHhxWGVhU3YKY0tLaEJCeGN1Q3poRk4wKzFxODVFcVJkS2JvTVQ1K1hRV0s1TGVORHd2K1luQ1k5Z0FHS0NCM2JwZ3JaTXdEdgozTFJTMC9ZeC8yWFdOZDZUNklYSlk5SWhYTitrK3ozYzhpbVFzTWtHWVVwWDVFbnNtQk5CUUplaGkwTT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
    server: https://192.168.10.101:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: admin
  name: admin@kubernetes
current-context: admin@kubernetes
kind: Config
preferences: {}
users:
- name: admin
  user:
    client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN6akNDQWJhZ0F3SUJBZ0lJWTJnV2ZpTEpBbmN3RFFZSktvWklodmNOQVFFTEJRQXdGVEVUTUJFR0ExVUUKQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB5TVRBNE1EY3hNek13TVRGYUZ3MHlOREF5TWpBeE5UUTBOVE5hTUJBeApEakFNQmdOVkJBTVRCV0ZrYldsdU1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBCnM3enpDb2oyZndGUEJQeVFtZHVoYjJ6Z1M5VktUdjhyVDM0eDhGYmhjREQ4cDJKUjdKWUhaSXU4Z0MrS09xa2EKcXRLTUZlUnRoN3UrQnFTUWdqQVBrdm5lREJ3Z2lyWnQ0Vnp5WFpZWUdHS3dQMVNpVnB1KzBERUpQMVNhYzhIVApWdDk0eHhjc09zTC95alYyZjRIY1R1NlpjNDB6Q1VETm1hR3ZpNzYxV0hUdEpzOE1iN01QVU9lNkdqN2dXR0xVCjRpcVlPbm1Pa2IzeUJuVUxIbjZKZVV2RVVJZERMMFZsOVYxc0RQLys0dmc3U0lKMEtjNE5MT01YQWprMzVUTVIKYmhVeW04SzdDK1p1cnNUUjlpbnNTejMzT1B6YVVnYzFSSGl3SFpFc3V1UWQweGh3clR0OW9sdFgveXNrYUplMwpkVW1jeTN3a0RUU2N5b2o3MmdndFRRSURBUUFCb3ljd0pUQU9CZ05WSFE4QkFmOEVCQU1DQmFBd0V3WURWUjBsCkJBd3dDZ1lJS3dZQkJRVUhBd0l3RFFZSktvWklodmNOQVFFTEJRQURnZ0VCQUNiMUtwbHBxT2w4VHhzaUVwZHMKaEFxWms1TTlRV1hiZUxvWGkxMm1kNVQ1ZVRxR2FYa1ltYWVHM3k5WFN4UGhUSy9WdUx1NlNtUmc1THJPbThsYgpIL3AyOGw0bDA4SzRWTjAxTWI4TlM2OXlWcXN0KzIrakgzZEpuSkYxSlEwNlBMQjdpdjVVQXJGRVlmdGlhVFJtCnJxVFpoNndyUVBMd1dnWEQya3NzaXVreEdGTitOS3pqMGRtOTloZUtsdzhzdjVhWXVJNlpCR1NCYkY1cmJ3MW8KeU01R3laMDJPVWVzSEFXSUxHN2NGZnRMb1Y1R1NRMUt4YTV3VCtBa0RJbVAzOFFwSDhGdG45dEJ2TWFyb3RyNgozSTFhaFd4a3o0UGhuaTJVMGIvM2plTWJENnlIaVIwVmkyRFEzbnRCN2ovM2hHdUYycnJYaG45dXdoOWJ3QTFNCnhOcz0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
    client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBczd6ekNvajJmd0ZQQlB5UW1kdWhiMnpnUzlWS1R2OHJUMzR4OEZiaGNERDhwMkpSCjdKWUhaSXU4Z0MrS09xa2FxdEtNRmVSdGg3dStCcVNRZ2pBUGt2bmVEQndnaXJadDRWenlYWllZR0dLd1AxU2kKVnB1KzBERUpQMVNhYzhIVFZ0OTR4eGNzT3NML3lqVjJmNEhjVHU2WmM0MHpDVURObWFHdmk3NjFXSFR0SnM4TQpiN01QVU9lNkdqN2dXR0xVNGlxWU9ubU9rYjN5Qm5VTEhuNkplVXZFVUlkREwwVmw5VjFzRFAvKzR2ZzdTSUowCktjNE5MT01YQWprMzVUTVJiaFV5bThLN0MrWnVyc1RSOWluc1N6MzNPUHphVWdjMVJIaXdIWkVzdXVRZDB4aHcKclR0OW9sdFgveXNrYUplM2RVbWN5M3drRFRTY3lvajcyZ2d0VFFJREFRQUJBb0lCQVFDVDJidzdVRXNrVWxsRQpDdGFRR2NFRVBaV01DOW5pZmJpTTNZd0szZ3o0RXZQaVpOaHJPMGE5aU16NHpTSngrcVQ3RzlNc053bDZmQTltCnUzdzcrM2owT0NKVjU5VkZCYWdCbUVtdWZrYzMyQWFQTWZtUU1QR1hwSjZzdjlXRm4wMVB5dWc1TFhDdXJiVm8KQ3U1OUdMKzNGa0tZY1BBb2ptd1NFcFNxNmFlWEtNYjFKTDlKL1BlQTQzdlZnQXVlbm5aRFdGWG14OWVoZERxZAp0N21PdVMxRTNEWUZLaitZaTEvWGpQRVBteGRCSmFXWW16YStoN1czd0lUblJFbW1Ob0FlR3F2aFB2Q3RKb2hzCkEvK24vMWY3cEs2RG04cWgyYnFNNEhUdmR0K2hsVmVnMHV4Wi9oRjZMV3JPam41eFlaWU5PV05oY0pveG9LdTgKazZaRlFFckJBb0dCQU5rcUxidlVzRk1tbDJVYzZLRUVGUkNWbzlRWTVhT2pnK05WQ1cxWEF4V2Y0Q2xtb2Y3UAo1REl6aXNEYVJjUXZ1bmQ1RWdXKzl3MlcvVzcweWNOOWY4a1pJTnJiTDd6cFJYS24zM01ocFdBVytrL1RjT3lECjZXek9oaFRhY1ppblNhQnhKKzJCOTZCVEFnRFluRUtJT25lQTE3VytjVmNVWWVhL1l2V0NjTHRKQW9HQkFOUGgKWDg5VEd2Y1BEVVNlL2I4Q0RCUkcxYTdRVzZkWGNFdlQxa1pKc2tWalpsUjNMNCtZMVhUNGc2T0RJWWNIWnZPQgpMWEM4WkI0a0ZJZzFnaVFjeU9wMUl4a2VMUUJnVHVIYjkxVFd5R3BoS2hZZGJDMmpaVTR1RTZZRjVTVlJHQXhIClA5dFk0UEZxSXZ1UEJib1h3SjkwdWs2aVdYZjRUbDU5elpBVHpuM2xBb0dCQUw4ZmZleUhQVCtSQVVEOTlrWnYKWDFLZlAvWVVpMVkvUEgzQWczRjFXTU9aVnlGWXNFMmdEVWVaVVE1MWkxMGtYRWwxaGtVRVVrM2xpdG95R2JneApKVnVJLy85ZFZHQkFOTnk1bmRDbjFmSUJodjdtS2NZZU9qdUdiejYvR2FhdDVBQ09WZ09UbEtuSEpFWTJYUis0CjRTdjNldUQ2NEtrd3lSRFpjM0I3QWxmeEFvR0FKNkJ5QzlOdUtxQzlDWVYyelo5elpPTnVtWGhNZS9xbGZQa00KalM3QlVhcnFlNGVpOUlkUC9NVngwVVg0SWtubkhrbWRsd1VVOEhJdENPQ0JDNEg2cmFia3ZwRGZONy9MWVFDRAp2SEZESUdvMXRkY2c0VlE2NFNsSzhYVU95ekRrZjM5ZjJRVkJaTVZGNzZockdNZlNkY0FlREJEZkRNbjYxajlQCkQ5QTBnV1VDZ1lCVGdicGFmVkpwWVA5UVU2YjdzV0Jpc3A1UDJZOHBJOGlNWW53ZUI4eGcvT2dlU0lEWk4yNUgKS2hKUW5IU0tMdFBWWGtPVXgrbG9LWnpudTBxZjhpMUhnU3dIdGpiZjNib1FhNGdmcFJOWVZFQlYzTGJ1eldTdApKVU5UR0FBRE9OV0lyMDN5RDZCMlNCMk9FUFpxYUNqUzVPZTZzV0RXalJvQ2Z0NmtGeU9nK2c9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=

[root@master1 kubernetes]# kubeadm alpha kubeconfig user --org system:masters --client-name kubernetes-admin  > /etc/kubernetes/admin.conf
I0220 23:44:56.000673   12148 version.go:252] remote version is much newer: v1.26.1; falling back to: stable-1.18
W0220 23:44:57.284954   12148 configset.go:202] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
[root@master1 kubernetes]# kubeadm alpha kubeconfig user --client-name system:kube-controller-manager > /etc/kubernetes/controller-manager.conf
I0220 23:44:58.420659   12164 version.go:252] remote version is much newer: v1.26.1; falling back to: stable-1.18
W0220 23:44:59.647838   12164 configset.go:202] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
[root@master1 kubernetes]# kubeadm alpha kubeconfig user --org system:nodes --client-name system:node:$(hostname) > /etc/kubernetes/kubelet.conf
I0220 23:45:00.850679   12187 version.go:252] remote version is much newer: v1.26.1; falling back to: stable-1.18
W0220 23:45:02.317471   12187 configset.go:202] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
[root@master1 kubernetes]# kubeadm alpha kubeconfig user --client-name system:kube-scheduler > /etc/kubernetes/scheduler.conf
I0220 23:45:06.973889   12208 version.go:252] remote version is much newer: v1.26.1; falling back to: stable-1.18
W0220 23:45:07.855108   12208 configset.go:202] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
[root@master1 kubernetes]# cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
cp:是否覆盖"/root/.kube/config"? y
[root@master1 kubernetes]# kubectl get nodes
NAME      STATUS   ROLES    AGE    VERSION
master1   Ready    master   562d   v1.18.0
master2   Ready    <none>   562d   v1.18.0
master3   Ready    <none>   562d   v1.18.0
[root@master1 kubernetes]# systemctl restart kube-apiserver
Failed to restart kube-apiserver.service: Unit not found.
[root@master1 kubernetes]# systemctl restart kube-apiserver
Failed to restart kube-apiserver.service: Unit not found.
[root@master1 kubernetes]# kubectl -n david-test get po -o wide
No resources found in david-test namespace.
[root@master1 kubernetes]# kubectl get pod -o wide
NAME                    READY   STATUS    RESTARTS   AGE    IP           NODE        NOMINATED NODE   READINESS GATES
nginx-f89759699-qnfxv   1/1     Running   0          562d   10.244.2.3   hadoop103   <none>           <none>
[root@master1 kubernetes]# kubectl get modes
error: the server doesn't have a resource type "modes"
[root@master1 kubernetes]# kubectl get nodes
NAME        STATUS   ROLES    AGE    VERSION
master1   Ready    master   562d   v1.18.0
hadoop102   Ready    <none>   562d   v1.18.0
hadoop103   Ready    <none>   562d   v1.18.0
[root@master1 kubernetes]# kubectl get po -o wide
NAME                    READY   STATUS    RESTARTS   AGE    IP           NODE        NOMINATED NODE   READINESS GATES
nginx-f89759699-qnfxv   1/1     Running   0          562d   10.244.2.3   hadoop103   <none>           <none>
[root@master1 kubernetes]#

参考文档
k8s解决证书过期官方文档

posted @ 2023-05-18 11:20  嘸杺  阅读(236)  评论(0编辑  收藏  举报