# http: TLS handshake error from 10.0.0.1:54321: remote error: tls: bad certificate

- **ID:** `kubernetes/kubelet-http-healthz-failure`
- **Domain:** kubernetes
- **Category:** network_error
- **Verification:** ai_generated
- **Fix Rate:** 80%

## Root Cause

The kubelet's TLS serving certificate for its healthz endpoint has expired or does not match the identity the API server expects, so the API server aborts the handshake and the kubelet logs `remote error: tls: bad certificate`.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| kubelet v1.28 | active | — | — |
| kubelet v1.29 | active | — | — |
| kubelet v1.30 | active | — | — |

## Workarounds

1. **Manually renew the kubelet server certificate with `kubeadm init phase certs kubelet-server`, then restart the kubelet.** (85% success)
   ```
   kubeadm init phase certs kubelet-server
   ```
2. **Check the certificate expiry. If it has expired, delete the old cert and let the kubelet auto-renew it via a CSR.** (90% success)
   ```
   openssl x509 -in /var/lib/kubelet/pki/kubelet-server-current.pem -text -noout | grep -A2 Validity
   ```
3. **Update the kubelet configuration to use a valid certificate from a trusted CA by setting `--tls-cert-file` and `--tls-private-key-file` in /var/lib/kubelet/config.yaml.** (80% success)

## Dead Ends

- **Restart kubelet service without checking certificate renewal** — Restarting does not regenerate expired certificates; they must be explicitly renewed or rotated. (90% fail)
- **Disable TLS verification in kubelet config (`--tls-cert-file=none`)** — Disabling TLS breaks secure communication and is not supported in production. (95% fail)
- **Reinstall kubelet binary from scratch** — Reinstallation does not fix certificate expiration; the certs are stored separately. (85% fail)
