Refreshing expired certificates on k8s

4/16/2018

I ran into an issue with expired certificates on my k8s cluster. I have been running version 1.6.1 for over a year now, meaning that my certificates have expired and I have to renew them. In newer versions this is already done automatically, but I currently cannot upgrade my cluster to a higher version, so I have to create the certificates manually.

I came across the following link, where it is described step by step, but I am actually already stuck on creating the openssl.cnf file, as I am missing parameters. At the same time, this option uses a .pem key, while on the cluster .crt and .key pairs are currently used.

Any suggestion on how to move forward with this? I have also tried running the kubeadm alpha phase certs selfsign command, which created new certificates, yet I am still running into the issue that the api-server is refusing the TLS handshake.

http: TLS handshake error from IP:port: remote error: tls: bad certificate

Thank you and best regards,

Bostjan

-- Bostjan
certificate
kubernetes
ssl

1 Answer

4/16/2018

There is a detailed guide on how to generate certificates.

While you are following that guide look out for a few gotchas:

  • Make sure your CA certificate is valid for the period you are trying to extend the other certificates to. The validity of any certificate signed by the CA certificate is also limited by the expiration date of the CA certificate.
  • If the validity period of the CA certificate itself is too short, you are in a pickle. Replacing that certificate will require modifying all kubeconfigs (operators, cluster components).
  • For the same reason as above, make very sure you don't overwrite the CA key/certificate accidentally.
  • When replacing the certificate for the apiserver you will need to restart the apiserver. The apiserver does not reread the certificate automatically.
-- Janos Lenart
Source: StackOverflow