Expired certificate on your Kubernetes environment

Normally a Kubernetes environment is well maintained and regularly updated to the most recent version of Kubernetes. However, when a Kubernetes environment is used only for an HCL Connections Component Pack installation, this might not be on your radar, and it’s easy to let it run unattended. If you do that for too long, as in longer than one year, you’ll get into trouble, which shows up as this error message:

[authentication.go:64] Unable to authenticate the request due to an error: [x509: certificate has expired or is not yet valid, x509: certificate has expired or is not yet valid]

By default, the internal Kubernetes certificates are valid for one year only. They are renewed when you upgrade your Kubernetes environment. But if you forget to do that, your certificates will expire and you will no longer be able to manage your environment.

Luckily, since version 1.15 Kubernetes has some functions to help you.

kubeadm alpha certs check-expiration

This command shows the expiration dates of your Kubernetes certificates. The output will look something like:

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Dec 06, 2022 16:06 UTC   364d                                    no
apiserver                  Dec 06, 2022 16:06 UTC   364d            ca                      no
apiserver-etcd-client      Dec 06, 2022 16:06 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Dec 06, 2022 16:06 UTC   364d            ca                      no
controller-manager.conf    Dec 06, 2022 16:06 UTC   364d                                    no
etcd-healthcheck-client    Dec 06, 2022 16:06 UTC   364d            etcd-ca                 no
etcd-peer                  Dec 06, 2022 16:06 UTC   364d            etcd-ca                 no
etcd-server                Dec 06, 2022 16:06 UTC   364d            etcd-ca                 no
front-proxy-client         Dec 06, 2022 16:06 UTC   364d            front-proxy-ca          no
scheduler.conf             Dec 06, 2022 16:06 UTC   364d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Nov 10, 2030 12:07 UTC   8y              no
etcd-ca                 Nov 10, 2030 12:07 UTC   8y              no
front-proxy-ca          Nov 10, 2030 12:07 UTC   8y              no

If your certificates have expired, your residual time will of course be zero. To renew your certificates, you can use:

kubeadm alpha certs renew all

This will renew all certificates of your Kubernetes environment, including the admin config file (/etc/kubernetes/admin.conf). You need to copy this file to ~/.kube/config on all nodes to be able to use kubectl commands from those nodes. After renewing the certificates, you will need to reboot your master and workers.

As said, this is not the preferred way to do this. The preferred way is to regularly upgrade your Kubernetes environment, so you will never have expiring certificates for your environment.
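
To notice an approaching expiry on a cluster that runs unattended, the check-expiration output can be parsed on a schedule. The following is an added example, not part of the original post or of kubeadm: it reads the EXPIRES column of the table shown above and reports certificates inside a warning window. The function names and the 30-day default are assumptions.

```python
import re
import subprocess
from datetime import datetime, timezone

# Name column, then the EXPIRES column as printed ("Dec 06, 2022 16:06 UTC").
ROW = re.compile(r"^(\S+)\s{2,}([A-Z][a-z]{2} \d{2}, \d{4} \d{2}:\d{2}) UTC\b")

# Constructed sample: rows copied from the output shown above.
SAMPLE = """\
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Dec 06, 2022 16:06 UTC   364d                                    no
apiserver                  Dec 06, 2022 16:06 UTC   364d            ca                      no
etcd-server                Dec 06, 2022 16:06 UTC   364d            etcd-ca                 no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Nov 10, 2030 12:07 UTC   8y              no
"""

def parse_expirations(text):
    """Return {name: expiry datetime in UTC} for every data row; headers are skipped."""
    certs = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            when = datetime.strptime(m.group(2), "%b %d, %Y %H:%M")
            certs[m.group(1)] = when.replace(tzinfo=timezone.utc)
    return certs

def expiring(text, now, warn_days=30):
    """Return sorted (name, days_left) for certificates inside the warning window.
    days_left is computed from EXPIRES and is negative once a certificate has expired."""
    hits = []
    for name, when in parse_expirations(text).items():
        days_left = (when - now).days
        if days_left < warn_days:
            hits.append((name, days_left))
    return sorted(hits)

if __name__ == "__main__":
    # On a master node this parses the real command output instead of SAMPLE.
    out = subprocess.run(["kubeadm", "alpha", "certs", "check-expiration"],
                         capture_output=True, text=True, check=True).stdout
    hits = expiring(out, datetime.now(timezone.utc))
    for name, days in hits:
        print(f"{name}: {days} days left")
    raise SystemExit(1 if hits else 0)  # non-zero exit lets cron or monitoring alert
```
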
