{
  "id": "kubernetes/certificate-expired",
  "signature": "x509: certificate has expired or is not yet valid: current time 2024-05-15T10:30:00Z is after 2024-04-01T00:00:00Z",
  "signature_zh": "x509：证书已过期或尚未生效：当前时间 2024-05-15T10:30:00Z 晚于 2024-04-01T00:00:00Z",
  "regex": "x509: certificate has expired or is not yet valid: current time \\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}Z is after \\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}Z",
  "domain": "kubernetes",
  "category": "auth_error",
  "subcategory": null,
  "root_cause": "The TLS certificate used by the API server, kubelet, or ingress has expired, causing authentication failures for clients.",
  "root_cause_type": "generic",
  "root_cause_zh": "API 服务器、kubelet 或入口使用的 TLS 证书已过期，导致客户端身份验证失败。",
  "versions": [],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "Restart all pods to refresh certificates",
      "why_fails": "Pods don't manage cluster certificates; the issue is at the control plane or node level, not pod-level.",
      "fail_rate": 0.9,
      "condition": "",
      "sources": []
    },
    {
      "action": "Set the system clock back to a valid time",
      "why_fails": "Temporary fix that breaks other services; certificates remain expired and will fail again.",
      "fail_rate": 0.95,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
      "action": "Renew the API server certificate: On the control plane node, run 'sudo kubeadm certs renew apiserver' for kubeadm clusters, then restart kube-apiserver.",
      "success_rate": 0.9,
      "how": "Renew the API server certificate: On the control plane node, run 'sudo kubeadm certs renew apiserver' for kubeadm clusters, then restart kube-apiserver.",
      "condition": "",
      "sources": []
    },
    {
      "action": "Update the kubeconfig with a new token: 'kubectl config set-credentials cluster-admin --token=$(kubeadm token create)' after renewing certificates.",
      "success_rate": 0.85,
      "how": "Update the kubeconfig with a new token: 'kubectl config set-credentials cluster-admin --token=$(kubeadm token create)' after renewing certificates.",
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "Renew the API server certificate: On the control plane node, run 'sudo kubeadm certs renew apiserver' for kubeadm clusters, then restart kube-apiserver.",
    "Update the kubeconfig with a new token: 'kubectl config set-credentials cluster-admin --token=$(kubeadm token create)' after renewing certificates."
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/",
  "official_doc_section": null,
  "error_code": null,
  "verification_tier": "ai_generated",
  "confidence": 0.9,
  "fix_success_rate": 0.88,
  "resolvable": "true",
  "first_seen": "2024-04-01",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}