x509: certificate has expired or is not yet valid #43

Closed
michzimny opened this issue Apr 6, 2020 · 4 comments
@michzimny
Member

The test up2u instance has k8s 1.8 installed with InitNode.sh. Now, any requests to k8s api end up with x509: certificate has expired or is not yet valid. This can be seen when manually trying to call kubectl but also in worker nodes' logs when they try to talk to the master node's API.

Nothing can be done in k8s.

For instance:

# kubectl version
Client Version: version.Info{Major:"1", Minor:"8", GitVersion:"v1.8.1", GitCommit:"f38e43b221d08850172a9a4ea785a86a3ffa3b3a", GitTreeState:"clean", BuildDate:"2017-10-11T23:27:35Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}
Unable to connect to the server: x509: certificate has expired or is not yet valid

How to renew the cluster certificates?

I've been looking around a bit, but it seems this process is properly automated in later releases of k8s.

BTW, how to check when it will happen to the production instance?
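An added example, not part of the original thread or the project's scripts: one way to see ahead of time when cluster certificates will expire, using `openssl x509 -enddate` and `-checkend`. The function name `cert_expiry_report` is hypothetical, and the directory `/etc/kubernetes/pki` in the usage comment is an assumption (the kubeadm default); the location used by `InitNode.sh` is not stated on this page.

```shell
#!/bin/sh
# Report when each PEM certificate under a directory expires.
# Usage: cert_expiry_report DIR [WARN_DAYS]
# Return: 0 = every certificate is valid for longer than WARN_DAYS
#         1 = at least one certificate has expired or expires within WARN_DAYS
#         2 = no parseable certificate was found in DIR
cert_expiry_report() {
    dir=$1
    warn_days=${2:-30}
    warn_secs=$((warn_days * 86400))
    found=0
    rc=0
    # Top level plus one subdirectory level (e.g. an etcd/ subfolder).
    for crt in "$dir"/*.crt "$dir"/*/*.crt; do
        [ -f "$crt" ] || continue   # an unmatched glob stays literal
        # Skip files that are not parseable X.509 certificates.
        end=$(openssl x509 -noout -enddate -in "$crt" 2>/dev/null) || continue
        found=1
        # -checkend N exits 0 only if the cert is still valid N seconds from now.
        if openssl x509 -noout -checkend 0 -in "$crt" >/dev/null 2>&1; then
            if openssl x509 -noout -checkend "$warn_secs" -in "$crt" >/dev/null 2>&1; then
                state=OK
            else
                state=EXPIRING
                rc=1
            fi
        else
            state=EXPIRED
            rc=1
        fi
        printf '%-8s %s  %s\n' "$state" "${end#notAfter=}" "$crt"
    done
    if [ "$found" -ne 1 ]; then
        echo "no certificates found in $dir" >&2
        return 2
    fi
    return "$rc"
}

# Example call (path is an assumption, see above):
#   cert_expiry_report /etc/kubernetes/pki 60
```

Run from cron or a monitoring check on the master node, the non-zero return code gives a warning before API requests start failing.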

@michzimny
Member Author

Hi, the same just occurred in production. We cannot talk to Kubernetes.

Do you know a solution for renewing those API (I guess...) certs? @diocas @ebocchi

@michzimny michzimny added the bug Something isn't working label Apr 24, 2020
This was referenced Apr 24, 2020
@ebocchi
Collaborator

ebocchi commented Apr 29, 2020

Hi, I have never seen this before unfortunately.
I found this, which seems to be exactly your problem. The solution looks a bit cumbersome to me, but I would give it a try on the test cluster first.

@michzimny
Member Author

May I ask if you could help us on this issue, I mean trying to apply the solution?

I suppose this happens a year since the creation of the k8s cluster using your script (the cert expiration date is 1y?). Around a year ago, we made a big upgrade of that installation at PSNC, and also a from-scratch installation of the cluster perhaps, so this might be why we haven't experienced that before.

@michzimny
Member Author

It's no longer relevant.
