How to update k8s certificates safely and completely?

9/15/2018

How to update k8s certificate:

Some certificates in the k8s cluster are currently expired, prompting:

Unable to connect to the server: x509: certificate has expired or is not yet valid.

Take a look at the online cluster master.

The ca.crt and front-proxy-ca.crt are not expired, but the front-proxy-client.crt, apiserver-kubelet-client.crt, and apiserver.crt are expired.

So manually passing the existing ca.key generates the apiserver.crt on the master (refer to here). However, new errors occurred, suggesting:

the server has asked for the client to provide credentials

What is the way to update the certificate of k8s cluster?

Thanks!

-- zhaoyi
certificate
kubernetes

1 Answer

9/15/2018

The latest kubeadm should have support for this.

Expected commands:

renew all
renew apiserver
renew apiserver-kubelet-client
renew apiserver-etcd-client
renew front-proxy-client
renew etcd-server
renew etcd-peer
renew etcd-healthcheck-client

You generally have to review all the certs above. You can also renew them manually using openssl or cfssl, using the CA in /etc/kubernetes/pki/ca.pem.

-- Rico
Source: StackOverflow
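
A manual renewal along the lines of the answer's openssl suggestion, as an added example that is not part of the original question or answer: it flags a certificate that expires within 30 days, re-signs the same key and subject with the CA, and verifies the result against that CA. The demo CA, file names and subjects are constructed, and the script works in a temporary directory rather than /etc/kubernetes/pki.

```shell
#!/bin/sh
# Added example. All data is constructed; nothing under /etc/kubernetes is touched.

# Exit 0 when CERT expires within SECONDS (or cannot be read at all).
expiring_within() {  # usage: expiring_within CERT SECONDS
    ! openssl x509 -checkend "$2" -noout -in "$1" >/dev/null 2>&1
}

# Print the subject; for client certificates it carries the identity (O, CN).
cert_subject() { openssl x509 -noout -subject -in "$1"; }

# Re-sign CERT's existing key and subject with the CA for DAYS days.
# -x509toreq does not copy subjectAltName, so this fits client certificates;
# a serving certificate such as apiserver.crt also needs its SANs re-added.
renew_with_ca() {  # usage: renew_with_ca CA_CRT CA_KEY CERT KEY OUT DAYS
    csr=$(mktemp) || return 1
    openssl x509 -x509toreq -in "$3" -signkey "$4" -out "$csr" 2>/dev/null &&
    openssl x509 -req -in "$csr" -CA "$1" -CAkey "$2" -CAcreateserial \
        -days "$6" -out "$5" 2>/dev/null
    rc=$?; rm -f "$csr"; return "$rc"
}

# Throwaway CA plus a client certificate valid for one day (constructed).
make_demo_pki() {  # usage: make_demo_pki DIR
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca.key" \
        -out "$1/ca.crt" -subj "/CN=demo-ca" -days 3650 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -keyout "$1/client.key" \
        -out "$1/client.csr" -subj "/O=demo-group/CN=demo-client" 2>/dev/null &&
    openssl x509 -req -in "$1/client.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/client.crt" 2>/dev/null
}

# Demo run: detect the short-lived certificate, renew it, verify the chain.
dir=$(mktemp -d) && make_demo_pki "$dir" || exit 1
month=$((30 * 24 * 3600))
expiring_within "$dir/client.crt" "$month" &&
    echo "client.crt: expires within 30 days"
renew_with_ca "$dir/ca.crt" "$dir/ca.key" "$dir/client.crt" \
    "$dir/client.key" "$dir/client.new.crt" 365 || exit 1
expiring_within "$dir/client.new.crt" "$month" ||
    echo "client.new.crt: renewed, subject kept: $(cert_subject "$dir/client.new.crt")"
openssl verify -CAfile "$dir/ca.crt" "$dir/client.new.crt"
rm -rf "$dir"
```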