kubernetes auth_error ai_generated true

x509: certificate has expired or is not yet valid: current time 2024-05-15T10:30:00Z is after 2024-04-01T00:00:00Z

ID: kubernetes/certificate-expired

Fix Rate: 88%
Confidence: 90%
Evidence: 1
First Seen: 2024-04-01

Root Cause

The TLS certificate used by the API server, kubelet, or ingress has expired, causing authentication failures for clients.

Official Documentation

https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/

Workarounds

  1. (90% success) Renew the API server certificate: on the control plane node, run 'sudo kubeadm certs renew apiserver' for kubeadm clusters, then restart kube-apiserver.
  2. (85% success) Update the kubeconfig with a new token: 'kubectl config set-credentials cluster-admin --token=$(kubeadm token create)' after renewing certificates.

Dead Ends

Common approaches that don't work:

  1. Restart all pods to refresh certificates (90% fail)

    Pods don't manage cluster certificates; the issue is at the control plane or node level, not pod-level.

  2. Set the system clock back to a valid time (95% fail)

    Temporary fix that breaks other services; certificates remain expired and will fail again.
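
The error text carries both timestamps, so a log line can be triaged before anything is renewed: "is after" means the certificate's notAfter has passed, while "is before" means the client clock is behind notBefore and the clock, not the certificate, is the thing to check. The script below is an added example, not part of the original entry; the function names and the second and third sample lines are constructed for illustration.

```python
import re
from datetime import datetime

# RFC 3339 timestamp as Go's crypto/x509 prints it in the error detail.
TS = r"\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:Z|[+-]\d\d:\d\d)"

# Both validity failures share one prefix; only "after" / "before" says
# which bound (notAfter or notBefore) was violated.
X509_RE = re.compile(
    r"x509: certificate has expired or is not yet valid: "
    rf"current time (?P<now>{TS}) is (?P<rel>after|before) (?P<bound>{TS})"
)

def _ts(value):
    # fromisoformat() on older Python versions rejects a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def triage(line):
    """Return a dict describing the validity failure, or None if no match."""
    m = X509_RE.search(line)
    if not m:
        return None
    now, bound = _ts(m["now"]), _ts(m["bound"])
    if m["rel"] == "after":
        # Client time is past notAfter: the certificate needs renewing.
        return {"state": "expired", "not_after": bound,
                "overdue_days": (now - bound).days}
    # Client time is before notBefore: suspect clock skew on the client.
    return {"state": "not_yet_valid", "not_before": bound,
            "early_seconds": int((bound - now).total_seconds())}

def summarize(lines):
    """States of all matching lines, in input order."""
    return [r["state"] for r in map(triage, lines) if r]

# Constructed sample input; the first line embeds the message from this entry.
SAMPLE_LOG = [
    "Unable to connect to the server: x509: certificate has expired or is not "
    "yet valid: current time 2024-05-15T10:30:00Z is after 2024-04-01T00:00:00Z",
    "kubelet: x509: certificate has expired or is not yet valid: "
    "current time 2024-03-30T23:58:00Z is before 2024-04-01T00:00:00Z",
    "kubelet: node status updated",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(triage(entry))
```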