# http: TLS handshake error from 10.0.0.1:54321: remote error: tls: bad certificate

- **ID:** `kubernetes/kubelet-http-healthz-failure`
- **Domain:** kubernetes
- **Category:** network_error
- **Verification level:** ai_generated
- **Fix rate:** 80%

## Root cause

The TLS certificate the kubelet presents on its healthz endpoint has expired or does not match the expected identity, so the API server rejects the connection during the TLS handshake.

## Version compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| kubelet v1.28 | active | — | — |
| kubelet v1.29 | active | — | — |
| kubelet v1.30 | active | — | — |

## Solutions

1. Manually renew the kubelet server certificate by running `kubeadm init phase certs kubelet-server`, then restart the kubelet.
2. Check the certificate expiry: `openssl x509 -in /var/lib/kubelet/pki/kubelet-server-current.pem -text -noout | grep -A2 Validity`. If it has expired, delete the old certificate and let the kubelet auto-renew it via a CSR.
3. Update the kubelet configuration to use a valid certificate from a trusted CA by setting `--tls-cert-file` and `--tls-private-key-file` in /var/lib/kubelet/config.yaml.
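Step 2 only shows the validity window. Before restarting anything, a defender also wants to know whether the serving certificate still names the node it is running on, because a certificate that is unexpired but issued for a different hostname produces the same handshake failure. The script below is an added example, not from the page or from the kubelet project; it assumes `openssl` 1.1.1 or later is installed, that the node name is expected to appear as a `DNS:` SAN, and it takes the certificate path as an argument (the kubeadm default path from step 2 is only a placeholder).

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of the original page):
# check a kubelet serving certificate for expiry and for a SAN matching the node name.
set -e

# check_kubelet_cert CERT_PATH NODE_NAME [MIN_DAYS] [CA_FILE]
#   returns 0 when the certificate is still valid for at least MIN_DAYS days (default 30),
#   lists NODE_NAME as a DNS SAN, and (if CA_FILE is given) chains to that CA;
#   returns 1 on any mismatch, 2 when the file cannot be read.
check_kubelet_cert() {
    cert="$1"
    name="$2"
    min_days="${3:-30}"
    ca_file="${4:-}"

    [ -r "$cert" ] || { echo "cannot read $cert" >&2; return 2; }

    # -checkend fails if the certificate expires within the given number of seconds
    secs=$((min_days * 86400))
    if ! openssl x509 -in "$cert" -noout -checkend "$secs" >/dev/null; then
        echo "EXPIRING or EXPIRED: $(openssl x509 -in "$cert" -noout -enddate)" >&2
        return 1
    fi

    # Normalise the SAN extension to one "TYPE:value" token per line and look for an exact match,
    # so that node-1 does not accidentally match node-10.
    sans=$(openssl x509 -in "$cert" -noout -ext subjectAltName \
           | grep -v 'Subject Alternative Name' | tr -d ' ' | tr ',' '\n')
    if ! echo "$sans" | grep -qx "DNS:$name"; then
        echo "SAN mismatch: expected DNS:$name, certificate has:" >&2
        echo "$sans" >&2
        return 1
    fi

    # Optional: confirm the certificate chains to the cluster CA the API server trusts
    if [ -n "$ca_file" ]; then
        if ! openssl verify -CAfile "$ca_file" "$cert" >/dev/null 2>&1; then
            echo "certificate does not chain to CA $ca_file" >&2
            return 1
        fi
    fi

    echo "OK: $cert valid for more than $min_days days and lists DNS:$name"
    return 0
}

# Usage on a node (placeholder path from the page's step 2, node name assumed):
#   check_kubelet_cert /var/lib/kubelet/pki/kubelet-server-current.pem "$(hostname)" 30 /etc/kubernetes/pki/ca.crt
```

A non-zero exit from the expiry check means the certificate should be renewed or rotated as in steps 1 and 2; a SAN mismatch points at step 3, since a restart will not change the identity baked into the certificate.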

## Failed attempts

- **Restart kubelet service without checking certificate renewal** — Restarting does not regenerate expired certificates; they must be explicitly renewed or rotated. (90% failure rate)
- **Disable TLS verification in kubelet config (--tls-cert-file=none)** — Disabling TLS breaks secure communication and is not supported in production. (95% failure rate)
- **Reinstall kubelet binary from scratch** — Reinstallation does not fix certificate expiration; the certs are stored separately. (85% failure rate)
