# x509: certificate has expired or is not yet valid: current time 2024-05-15T10:30:00Z is after 2024-04-01T00:00:00Z

- **ID:** `kubernetes/certificate-expired`
- **Domain:** kubernetes
- **Category:** auth_error
- **Verification:** ai_generated
- **Fix Rate:** 88%

## Root Cause

The TLS certificate used by the API server, kubelet, or ingress has expired, causing authentication failures for clients.

## Workarounds

1. **Renew the API server certificate.** On the control plane node of a kubeadm cluster, run the command below, then restart kube-apiserver. (90% success)
   ```
   # Renew the API server certificate (kubeadm clusters)
   sudo kubeadm certs renew apiserver
   # Then restart kube-apiserver so it loads the renewed certificate
   ```
2. **Update the kubeconfig with a new token** after renewing certificates. (85% success)
   ```
   kubectl config set-credentials cluster-admin --token="$(kubeadm token create)"
   ```

## Dead Ends

- **Restart all pods to refresh certificates** — Pods don't manage cluster certificates; the issue is at the control plane or node level, not pod-level. (90% fail)
- **Set the system clock back to a valid time** — Temporary fix that breaks other services; certificates remain expired and will fail again. (95% fail)
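
An added example (not part of the original entry): a Python triage helper that parses this x509 error text and separates the expired case ("is after", as in this page's title) from the not-yet-valid case ("is before"), which the same message also covers. Apart from the title's message, the log lines are constructed samples, and the function and field names are hypothetical.

```python
import re
from datetime import datetime, timezone

# RFC 3339 timestamp without fractional seconds, as printed in the error.
TS = r"\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:Z|[+-]\d\d:\d\d)"
X509_RE = re.compile(
    r"x509: certificate has expired or is not yet valid: "
    rf"current time (?P<now>{TS}) is (?P<rel>after|before) (?P<bound>{TS})"
)

def _ts(value):
    # 'Z' means UTC; normalise everything to UTC before subtracting.
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)

def triage(line):
    """Classify one log line; return None if it is not this x509 error."""
    m = X509_RE.search(line)
    if not m:
        return None
    now, bound = _ts(m["now"]), _ts(m["bound"])
    if m["rel"] == "after":
        # Verifier's clock is past NotAfter: the certificate has expired.
        return {"state": "expired", "days": (now - bound).days,
                "action": "renew the certificate"}
    # Verifier's clock is before NotBefore: suspect clock skew on the
    # verifying host or a certificate issued with a future start date.
    return {"state": "not_yet_valid", "days": (bound - now).days,
            "action": "check the verifying host's clock"}

# Constructed sample lines; the first reuses the message from this page's title.
SAMPLE_LINES = [
    'Unable to connect to the server: x509: certificate has expired or is not '
    'yet valid: current time 2024-05-15T10:30:00Z is after 2024-04-01T00:00:00Z',
    'E0101 kubelet: x509: certificate has expired or is not yet valid: '
    'current time 2024-01-01T00:00:00Z is before 2024-01-03T12:00:00Z',
    'x509: certificate signed by unknown authority',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(triage(line))
```

Only the "is after" result calls for the renewal workaround; a "is before" result points at the clock of the host doing the verification rather than at the certificate's expiry.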
