k8s集群添加master节点 certificate etcd/peer is invalid: x509: certificate is valid for xxx,localhost,not x

最新推荐文章于 2023-10-23 23:10:20 发布
最新推荐文章于 2023-10-23 23:10:20 发布
阅读量1.3k 收藏 1
点赞数
文章标签: kubernetes 运维
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/hedao0515/article/details/130665761
版权

k8s集群初始化配置后添加第二个master节点提示

error execution phase control-plane-prepare/certs: error creating PKI assets: failed to write or validate certificate "etcd-peer": certificate etcd/peer is invalid: x509: certificate is valid for k8s-master01, localhost, not k8s-master02

[root@k8s-master02 pki]#   kubeadm join 192.168.66.199:16443 --token abcdef.0123456789abcdef     --discovery-token-ca-cert-hash sha256:e1ed0646db7a37d7c263e968aa9c0e9bf3e068ac7fe208ea64c6c066f40b2f13     --control-plane 
[preflight] Running pre-flight checks
[preflight] Reading configuration from the cluster...
[preflight] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
[preflight] Running pre-flight checks before initializing the new control plane instance
[preflight] Pulling images required for setting up a Kubernetes cluster
[preflight] This might take a minute or two, depending on the speed of your internet connection
[preflight] You can also perform this action in beforehand using 'kubeadm config images pull'
[certs] Using certificateDir folder "/etc/kubernetes/pki"
error execution phase control-plane-prepare/certs: error creating PKI assets: failed to write or validate certificate "etcd-peer": certificate etcd/peer is invalid: x509: certificate is valid for k8s-master01, localhost, not k8s-master02
To see the stack trace of this error execute with --v=5 or higher

解决办法:

将初始化的节点上/etc/kubernetes相关证书文件和配置文件copy到第二台master节点上

[root@k8s-master01 pki]# scp /etc/kubernetes/pki/sa.* 192.168.66.201:/etc/kubernetes/pki/
[root@k8s-master01 pki]# scp /etc/kubernetes/pki/front-proxy-ca* 192.168.66.201:/etc/kubernetes/pki/
[root@k8s-master01 pki]# scp /etc/kubernetes/pki/ca.* 192.168.66.201:/etc/kubernetes/pki/
[root@k8s-master01 pki]# scp /etc/kubernetes/pki/etcd/ca.* 192.168.66.201:/etc/kubernetes/pki/etcd/
[root@k8s-master01 pki]# scp /etc/kubernetes/admin.conf 192.168.66.201:/etc/kubernetes/

重新执行添加操作正常

[root@k8s-master02 kubernetes]#   kubeadm join 192.168.66.199:16443 --token abcdef.0123456789abcdef     --discovery-token-ca-cert-hash sha256:e1ed0646db7a37d7c263e968aa9c0e9bf3e068ac7fe208ea64c6c066f40b2f13     --control-plane 
[preflight] Running pre-flight checks
[preflight] Reading configuration from the cluster...
[preflight] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
[preflight] Running pre-flight checks before initializing the new control plane instance
[preflight] Pulling images required for setting up a Kubernetes cluster
[preflight] This might take a minute or two, depending on the speed of your internet connection
[preflight] You can also perform this action in beforehand using 'kubeadm config images pull'
[certs] Using certificateDir folder "/etc/kubernetes/pki"
[certs] Generating "front-proxy-client" certificate and key
[certs] Generating "etcd/server" certificate and key
[certs] etcd/server serving cert is signed for DNS names [k8s-master02 localhost] and IPs [192.168.66.201 127.0.0.1 ::1]
[certs] Generating "etcd/peer" certificate and key
[certs] etcd/peer serving cert is signed for DNS names [k8s-master02 localhost] and IPs [192.168.66.201 127.0.0.1 ::1]
[certs] Generating "etcd/healthcheck-client" certificate and key
[certs] Generating "apiserver-etcd-client" certificate and key
[certs] Generating "apiserver" certificate and key
[certs] apiserver serving cert is signed for DNS names [k8s-master02 kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local] and IPs [10.96.0.1 192.168.66.201 192.168.66.199 192.168.66.200 192.168.66.201 192.168.66.199]
[certs] Generating "apiserver-kubelet-client" certificate and key
[certs] Valid certificates and keys now exist in "/etc/kubernetes/pki"
[certs] Using the existing "sa" key
[kubeconfig] Generating kubeconfig files
[kubeconfig] Using kubeconfig folder "/etc/kubernetes"
[endpoint] WARNING: port specified in controlPlaneEndpoint overrides bindPort in the controlplane address
[kubeconfig] Using existing kubeconfig file: "/etc/kubernetes/admin.conf"
[endpoint] WARNING: port specified in controlPlaneEndpoint overrides bindPort in the controlplane address
[kubeconfig] Writing "controller-manager.conf" kubeconfig file
[endpoint] WARNING: port specified in controlPlaneEndpoint overrides bindPort in the controlplane address
[kubeconfig] Writing "scheduler.conf" kubeconfig file
[control-plane] Using manifest folder "/etc/kubernetes/manifests"
[control-plane] Creating static Pod manifest for "kube-apiserver"
W0513 23:15:41.090932   86862 manifests.go:225] the default kube-apiserver authorization-mode is "Node,RBAC"; using "Node,RBAC"
[control-plane] Creating static Pod manifest for "kube-controller-manager"
W0513 23:15:41.104078   86862 manifests.go:225] the default kube-apiserver authorization-mode is "Node,RBAC"; using "Node,RBAC"
[control-plane] Creating static Pod manifest for "kube-scheduler"
W0513 23:15:41.105195   86862 manifests.go:225] the default kube-apiserver authorization-mode is "Node,RBAC"; using "Node,RBAC"
[check-etcd] Checking that the etcd cluster is healthy
[kubelet-start] Downloading configuration for the kubelet from the "kubelet-config-1.18" ConfigMap in the kube-system namespace
[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
[kubelet-start] Starting the kubelet
[kubelet-start] Waiting for the kubelet to perform the TLS Bootstrap...
[etcd] Announced new etcd member joining to the existing etcd cluster
[etcd] Creating static Pod manifest for "etcd"
[etcd] Waiting for the new etcd member to join the cluster. This can take up to 40s
{"level":"warn","ts":"2023-05-13T23:15:57.114+0800","caller":"clientv3/retry_interceptor.go:61","msg":"retrying of unary invoker failed","target":"passthrough:///https://192.168.66.201:2379","attempt":0,"error":"rpc error: code = DeadlineExceeded desc = context deadline exceeded"}
[upload-config] Storing the configuration used in ConfigMap "kubeadm-config" in the "kube-system" Namespace
[mark-control-plane] Marking the node k8s-master02 as control-plane by adding the label "node-role.kubernetes.io/master=''"
[mark-control-plane] Marking the node k8s-master02 as control-plane by adding the taints [node-role.kubernetes.io/master:NoSchedule]

This node has joined the cluster and a new control plane instance was created:

* Certificate signing request was sent to apiserver and approval was received.
* The Kubelet was informed of the new secure connection details.
* Control plane (master) label and taint were applied to the new node.
* The Kubernetes control plane instances scaled up.
* A new etcd member was added to the local/stacked etcd cluster.

To start administering your cluster from this node, you need to run the following as a regular user:

        mkdir -p $HOME/.kube
        sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
        sudo chown $(id -u):$(id -g) $HOME/.kube/config

Run 'kubectl get nodes' to see this node join the cluster.

[root@k8s-master02 kubernetes]#

好好学习之乘风破浪
关注
  • 0
    点赞
  • 1
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
k8s 二进制安装 etcd 3.5.1
03-21
Kubernetesk8s集群中,etcd是一个至关重要的组件,它是分布式键值存储系统,用于存储集群的状态和配置数据。etcd基于Google的Raft一致性算法,确保了数据在分布式环境中的强一致性。在本文中,我们将详细介绍...
rabbitmq-peer-discovery-k8s:RabbitMQ的基于Kubernetes的对等发现机制
02-04
而`rabbitmq-peer-discovery-k8s`插件则是将RabbitMQ集群Kubernetes(简称k8s)环境相结合的关键工具,它使得RabbitMQ节点能够自动发现彼此,从而简化了集群的管理和扩展。 **一、RabbitMQ集群基础** RabbitMQ...
kubernetes环境证书x509问题解决
认知 行动 坚持
02-19 1584
故障描述: 集群部署服务一直报x509错误,导致pod起不来 解决步骤: 1.首先先排查证书,检查所有的证书是否有问题 使用md5sum 比对证书的md5值看是否都一致。最后结果是证书都是一致的,都没问题。 2.查看集群的endpoints,使用kubectl get ep 命令,查出来集群有问题,我们一共是3个master,但是查出来2个。查出来的这2个还有问题,可能是之前同事把master换了别的主机以后没有修改ep。导致现在查出来ep的值多了一个.5的主机,少了61和63主机的ip。 3.修改ep的
主机加入集群报错 certificate etcd/peer is invalid: x509
xiliangMa的博客
11-04 2661
主机加入集群报错 certificate etcd/peer is invalid: x509 问题描述 搭建高可用集群,加入第二台备用 master 节点 报错, 从错误日志看关键错误日志是 is invalid: x509, 首先确保 node 或者备用 master 节点的相关证书存在。 [root@master2 k8s]# kubeadm join 192.168.1.110:644...
kubernetes增加新集群节点时报认证错误
weixin_43991475的博客
03-07 1508
k8s提示certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kubernetes") 原因1:这是之前建过集群了,删除集群后,在重新创建集群之前,原来集群的rm -rf $HOME/.kube文件没有删除,所以导致了认证失去作用。 主要是要对新加入集群
docker拉去镜像报错: x509: certificate is valid for *.api-test.cfadevelop.com, *.app-test.cfadevelop.com,
qq_36852840的博客
04-21 1482
大概率是因为docker的daemon.json中为配置国内镜像源的原因。在/etc/docker/daemon.json中新增国内镜像源。
Error response from daemon: Get “https://registry-1.docker.io/v2/“: tls: failed to verify certificat
骜蛟的博客
06-11 2402
在网上找了很多,都没找到类似的错误。一般都是连接时间超时,要换源。后来我想了想,在主机上没有验证校园网登录,网络ping不通。
Unable to connect to the server: x509: certificate is valid for问题解决
最新发布
doublepg13的博客
10-23 2772
我们的kubernetesapiserver-advertise-address是一个内网IP,默认情况下,kubernetes自建的CA会为apiserver签发一个证书,证书的默认可访问的是内网IP、kuberneteskubernetes.default kubernetes.default.svc、kubernetes.default.svc.cluster.local,不包含设备的外网IP。通过如下命令查看kubernetes的admin.conf中的证书的有效期,看是否有效。
k8s-etcd:用于 etcd-on-Kubernetes 的 Docker 容器
07-09
k8s-etcd 在 Ubuntu 14.04 容器中运行etcd ( etcd ) 的 Docker 容器,具有环境中的配置设置。 环境 这些环境变量的名称经过精心选择,以与 Kubernetes(主要是 GKE)为定义的服务提供的内容兼容。 ETCD_SERVER_ID ...
基于外部etcdK8S集群一键生成etcd应用相关证书
04-26
1、etcd集群相关证书CA 2、etcd对外提供服务,要有一套etcd server证书 3、etcd客户端证书 4、kube-apiserver访问Etcd,要有一套etcd client证书 证书文件如下所示: ├── ca-key.pem ├── ca.pem ├── api...
Fabric make peer-docker: bzip2 data invalid:bad magic value
01-08
make peer-docker-clean时发生bzip2 data invalid:bad magic value错误。 liu@liudeMacBook-Pro fabric % make peer-docker-clean docker images --quiet --filter=reference='hyperledger/fabric-peer:amd64-1.4.4-...
解决k8s集群 Unable to connect to the server: x509: certificate is valid for xxx, not xxx问题
weixin_39518516的博客
08-01 1208
为了能使本地能连接k8s集群更好的测试client-功能,在服务器上为本地签发了kubeconfig文件,放到本地之后出现如下的错误。从上面可以看出ip中并没有报错信息中的192.168.2.8这个IP地址,所以需要重新生成(截图为修改好的)。1、查看apiserver证书信息(master节点)为了保险起见,这里选择将证书移动到其他位置。3、生成新的apiserver证书。
访问k8s集群出现Unable to connect to the server: x509: certificate is valid for xxx, not xxx问题解决【详细步骤】
marlinlm的博客
12-27 9182
访问k8s集群出现Unable to connect to the server: x509: certificate is valid for xxx, not xxx问题解决
登录harbor时的SSL异常: x509: certificate is valid for ingress.local
JosephThatwho的博客
01-17 5334
背景 之前搭建了一套内网环境的harbor,绑定了一个harbor.test.com的域名。现在因为工作需要,给这个harbor服务绑定了一个公网域名,并且申请了SSL证书,在调整完docker-compose中harbor.yml以及docker-compose.yml文件内的证书后,可以通过浏览器访问,并且显示SSL握手成功。 但是通过docker命令行登录时,却抛出如下异常: Error response from daemon: Get "https://harbor.oulaoula.com/v2
k8s集群报错--etcd验证客户端证书失败,证书报错
weixin_60552163的博客
06-21 480
解决证书报错
K8s v1.21.5版本报错Unable to connect to the server: x509: certificate signed by unknown authority
hedao0515的专栏
06-28 760
K8s v1.21.5 版本Unable to connect to the server: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kubernetes")
K8s系列:实现master高可用,加入新的master节点报错
zhengzaifeidelushang的博客
03-23 2372
K8s系列:实现master高可用,加入新的master节点报错一、k8s实现master高可用,加入新的master节点报错二、解决方法三、再次加入master节点 一、k8s实现master高可用,加入新的master节点报错 k8s实现master高可用,加入新的master节点 kubeadm join 192.168.216.100:6443 --token abcdef.0123456789abcdef \ > --discovery-token-ca-cert-hash
kubeadm init三个master节点遇到的问题
三朝看客
07-20 652
apiserver-advertise-address 集群通告地址,内部网络默认0.0.0.0。–image-repository 由于默认拉取镜像地址k8s.gcr.io国内无法访问。要创建三个master节点,就不能使用其中一台主机的IP,所以申请了一个VIP地址。–kubernetes-version K8s版本,与上面安装的一致。–service-cidr 集群内部虚拟网络,Pod统一访问入口。-control-plane-endpoint 集群vip地址。
Null message body; hope that's ok Error in certificate: Peer's certificate issuer is not recognized
06-11
这个错误提示通常表示证书的颁发机构未被信任,可能是因为证书是自签名的或者是从未知的颁发机构获取的。这种情况下,您可以尝试以下几种方法来解决这个问题: 1. 忽略证书错误:如果您确定目标网站的证书是可信的,您可以在使用命令时添加 --no-check-certificate 参数来忽略证书错误。例如: ``` wget --no-check-certificate https://example.com ``` 或者在使用 curl 命令时添加 -k 参数: ``` curl -k https://example.com ``` 这种方法不太安全,因为它会使您的连接变得容易受到攻击。因此,我们建议您仅在必要时使用此方法。 2. 添加证书:如果您有目标网站的证书,可以将其添加到您的系统证书库中。具体步骤可能会因操作系统而异,但通常可以使用以下命令来完成: ``` sudo cp example.crt /usr/local/share/ca-certificates/ sudo update-ca-certificates ``` 这将把证书复制到 /usr/local/share/ca-certificates/ 目录下,并更新系统证书库。 3. 安装证书颁发机构:如果证书是由未知的颁发机构签署的,您可以尝试安装该颁发机构的根证书。具体步骤可能会因操作系统而异,但通常可以使用以下命令来完成: ``` sudo apt-get install ca-certificates sudo cp example.crt /usr/local/share/ca-certificates/ sudo update-ca-certificates ``` 这将安装 ca-certificates 包,并将证书复制到 /usr/local/share/ca-certificates/ 目录下,并更新系统证书库。 请注意,这些方法都只是解决证书错误的临时方法,如果您需要频繁访问目标网站,建议您与网站管理员联系,以获取正确的证书。

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值