实测:重启服务器之后k8s启动失败报错Unable to connect to the server:x509: certificate has expired or is not yet valid

已于 2022-03-07 14:32:52 修改
阅读量6.8k 收藏 4
点赞数
分类专栏: k8s 文章标签: docker kubernetes
于 2022-03-07 14:31:21 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/sfdst/article/details/123329743
版权

文章目录

1 问题描述(kubeadm证书/etcd证书过期处理)

重启了服务器,发现k8s启动失败,一直报错连接 Unable to register node "k8s-master01" with API server: Post https://192.168.10.71:6443/api/v1/nodes: net/http: TLS handshake timeout失败
查看api日志如下
{"log":"W1217 03:00:36.668150       1 clientconn.go:1208] grpc: addrConn.createTransport failed to connect to {https://127.0.0.1:2379  \u003cnil\u003e 0 \u003cnil\u003e}. Err :connection error: desc = \"transport: authentication handshake failed: x509: certificate has expired or is not yet valid\". Reconnecting...\n","stream":"stderr","time":"2021-12-17T03:00:36.668329523Z"}
{"log":"panic: context deadline exceeded\n","stream":"stderr","time":"2021-12-17T03:00:39.149697103Z"}
{"log":"\n","stream":"stderr","time":"2021-12-17T03:00:39.149752232Z"}

查询api证书过期时间
[root@k8s-master01 containers]# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text |grep 'Not'
            Not Before: Dec 10 14:14:38 2020 GMT
            Not After : Dec 10 14:14:38 2021 GMT

查询etcd证书过期时间
openssl x509 -in /etc/kubernetes/pki/etcd/healthcheck-client.crt -noout -text |grep ' Not '
            Not Before: Dec 10 14:14:39 2020 GMT
            Not After : Dec 10 14:14:39 2021 GMT

kubeadm 是 kubernetes 提供的一个初始化集群的工具,使用起来非常方便,但是它创建的 apiserver、controller-manager 等证书默认只有一年的有效期,同时 kubelet 证书也只有一年有效期,一年之后 kubernetes 将停止服务。

2 集群恢复方法

方法总结下来有以下几个:
1、官方推荐:一年之内 kubeadm upgrade 更新一次 kubernetes 系统。
2、坊间方法:源代码编译,使得 kubeadm 生成的证书时间边长。
3、手动更新证书( kubeadm alpha phase )。
4、启用自动轮换 kubelet 证书

3 手动替换apiserver证书

3.1 备份证书和配置


cd /etc/kubernetes
# 备份证书和配置
mkdir ./pki_bak
mkdir ./conf_bak

mv pki/apiserver* ./pki_bak/
mv pki/front-proxy-client.* ./pki_bak/

 mv ./admin.conf ./conf_bak/
 mv ./kubelet.conf ./conf_bak/
 mv ./controller-manager.conf ./conf_bak/
 mv ./scheduler.conf ./conf_bak/

3.2 自备的kube-config.yaml文件

开始更新
# 这个是版本比较老的kubeadm
# kube-config.yaml看着点路径
kubeadm alpha certs renew all --config=kube-config.yaml

# 完成后重启kube-apiserver,kube-controller,kube-scheduler,etcd这4个容器

————————————————
# 这是比较新的kubeadm
kubeadm alpha phase certs all  --config=kube-config.yaml
# 或者
kubeadm alpha phase certs all --apiserver-advertise-address=${MASTER_API_SERVER_IP} --apiserver-cert-extra-sans=主机内网ip,主机公网ip

kubeadm alpha phase kubeconfig all --config=kube-config.yaml(验证)

# 或者
kubeadm alpha phase kubeconfig all --apiserver-advertise-address=${MASTER_API_SERVER_IP}

# 完成后重启kube-apiserver,kube-controller,kube-scheduler,etcd这4个容器
# 如果有多台master,则将第一台生成的相关证书拷贝到其余master即可
cat kube-config.yaml
apiServer:
  extraArgs:
    authorization-mode: Node,RBAC
  timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta2
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controllerManager: {}
dns:
  type: CoreDNS
etcd:
  local:
    dataDir: /var/lib/etcd
imageRepository: registry.aliyuncs.com/google_containers
kind: ClusterConfiguration
kubernetesVersion: v1.18.0
networking:
  dnsDomain: cluster.local
  podSubnet: 10.244.0.0/16
  serviceSubnet: 10.96.0.0/12
scheduler: {}



 将新生成的admin配置文件覆盖掉原本的admin文件
mv $HOME/.kube/config $HOME/.kube/config.old
cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
chown $(id -u):$(id -g) $HOME/.kube/config
chmod 777 $HOME/.kube/config

4 通过脚本一键更新证书(本次通过脚本更新证书)

该脚本只处理 master 节点上的证书,node 节点的 kubelet 证书默认自动轮换更新,无需关心过期问题,只需关心 master 节点上的证书即可.

git clone https://github.com/yuyicai/update-kube-cert.git
cd update-kubeadm-cert
chmod 755 update-kubeadm-cert.sh
./update-kubeadm-cert.sh all


将新生成的admin配置文件覆盖掉原本的admin文件
mv $HOME/.kube/config $HOME/.kube/config.old
cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
chown $(id -u):$(id -g) $HOME/.kube/config
chmod 777 $HOME/.kube/config


脚本内容:
#!/usr/bin/env bash

set -o errexit
set -o pipefail
# set -o xtrace

# set output color
NC='\033[0m'
RED='\033[31m'
GREEN='\033[32m'
YELLOW='\033[33m'
BLUE='\033[34m'

log::err() {
  printf "[$(date +'%Y-%m-%dT%H:%M:%S.%2N%z')][${RED}ERROR${NC}] %b\n" "$@"
}

log::info() {
  printf "[$(date +'%Y-%m-%dT%H:%M:%S.%2N%z')][INFO] %b\n" "$@"
}

log::warning() {
  printf "[$(date +'%Y-%m-%dT%H:%M:%S.%2N%z')][${YELLOW}WARNING${NC}] \033[0m%b\n" "$@"
}

check_file() {
  if [[ ! -r ${1} ]]; then
    log::err "can not find ${1}"
    exit 1
  fi
}

# get x509v3 subject alternative name from the old certificate
cert::get_subject_alt_name() {
  local cert=${1}.crt
  local alt_name

  check_file "${cert}"
  alt_name=$(openssl x509 -text -noout -in "${cert}" | grep -A1 'Alternative' | tail -n1 | sed 's/[[:space:]]*Address//g')
  printf "%s\n" "${alt_name}"
}

# get subject from the old certificate
cert::get_subj() {
  local cert=${1}.crt
  local subj

  check_file "${cert}"
  subj=$(openssl x509 -text -noout -in "${cert}" | grep "Subject:" | sed 's/Subject:/\//g;s/\,/\//;s/[[:space:]]//g')
  printf "%s\n" "${subj}"
}

cert::backup_file() {
  local file=${1}
  if [[ ! -e ${file}.old-$(date +%Y%m%d) ]]; then
    cp -rp "${file}" "${file}.old-$(date +%Y%m%d)"
    log::info "backup ${file} to ${file}.old-$(date +%Y%m%d)"
  else
    log::warning "does not backup, ${file}.old-$(date +%Y%m%d) already exists"
  fi
}

# check certificate expiration
cert::check_cert_expiration() {
  local cert=${1}.crt
  local cert_expires

  cert_expires=$(openssl x509 -text -noout -in "${cert}" | awk -F ": " '/Not After/{print$2}')
  printf "%s\n" "${cert_expires}"
}

# check kubeconfig expiration
cert::check_kubeconfig_expiration() {
  local config=${1}.conf
  local cert
  local cert_expires

  cert=$(grep "client-certificate-data" "${config}" | awk '{print$2}' | base64 -d)
  cert_expires=$(openssl x509 -text -noout -in <(printf "%s" "${cert}") | awk -F ": " '/Not After/{print$2}')
  printf "%s\n" "${cert_expires}"
}

# check etcd certificates expiration
cert::check_etcd_certs_expiration() {
  local cert
  local certs

  certs=(
    "${ETCD_CERT_CA}"
    "${ETCD_CERT_SERVER}"
    "${ETCD_CERT_PEER}"
    "${ETCD_CERT_HEALTHCHECK_CLIENT}"
    "${ETCD_CERT_APISERVER_ETCD_CLIENT}"
  )

  for cert in "${certs[@]}"; do
    if [[ ! -r ${cert} ]]; then
      printf "%-50s%-30s\n" "${cert}.crt" "$(cert::check_cert_expiration "${cert}")"
    fi
  done
}

# check master certificates expiration
cert::check_master_certs_expiration() {
  local certs
  local kubeconfs
  local cert
  local conf

  certs=(
    "${CERT_CA}"
    "${CERT_APISERVER}"
    "${CERT_APISERVER_KUBELET_CLIENT}"
    "${FRONT_PROXY_CA}"
    "${FRONT_PROXY_CLIENT}"
  )

  kubeconfs=(
    "${CONF_CONTROLLER_MANAGER}"
    "${CONF_SCHEDULER}"
    "${CONF_ADMIN}"
  )

  printf "%-50s%-30s\n" "CERTIFICATE" "EXPIRES"

  for conf in "${kubeconfs[@]}"; do
    if [[ ! -r ${conf} ]]; then
      printf "%-50s%-30s\n" "${conf}.config" "$(cert::check_kubeconfig_expiration "${conf}")"
    fi
  done

  for cert in "${certs[@]}"; do
    if [[ ! -r ${cert} ]]; then
      printf "%-50s%-30s\n" "${cert}.crt" "$(cert::check_cert_expiration "${cert}")"
    fi
  done
}

# check all certificates expiration
cert::check_all_expiration() {
  cert::check_master_certs_expiration
  cert::check_etcd_certs_expiration
}

# generate certificate whit client, server or peer
# Args:
#   $1 (the name of certificate)
#   $2 (the type of certificate, must be one of client, server, peer)
#   $3 (the subject of certificates)
#   $4 (the validity of certificates) (days)
#   $5 (the name of ca)
#   $6 (the x509v3 subject alternative name of certificate when the type of certificate is server or peer)
cert::gen_cert() {
  local cert_name=${1}
  local cert_type=${2}
  local subj=${3}
  local cert_days=${4}
  local ca_name=${5}
  local alt_name=${6}
  local ca_cert=${ca_name}.crt
  local ca_key=${ca_name}.key
  local cert=${cert_name}.crt
  local key=${cert_name}.key
  local csr=${cert_name}.csr
  local common_csr_conf='distinguished_name = dn\n[dn]\n[v3_ext]\nkeyUsage = critical, digitalSignature, keyEncipherment\n'

  for file in "${ca_cert}" "${ca_key}" "${cert}" "${key}"; do
    check_file "${file}"
  done

  case "${cert_type}" in
  client)
    csr_conf=$(printf "%bextendedKeyUsage = clientAuth\n" "${common_csr_conf}")
    ;;
  server)
    csr_conf=$(printf "%bextendedKeyUsage = serverAuth\nsubjectAltName = %b\n" "${common_csr_conf}" "${alt_name}")
    ;;
  peer)
    csr_conf=$(printf "%bextendedKeyUsage = serverAuth, clientAuth\nsubjectAltName = %b\n" "${common_csr_conf}" "${alt_name}")
    ;;
  *)
    log::err "unknow, unsupported certs type: ${YELLOW}${cert_type}${NC}, supported type: client, server, peer"
    exit 1
    ;;
  esac

  # gen csr
  openssl req -new -key "${key}" -subj "${subj}" -reqexts v3_ext \
    -config <(printf "%b" "${csr_conf}") \
    -out "${csr}" >/dev/null 2>&1
  # gen cert
  openssl x509 -in "${csr}" -req -CA "${ca_cert}" -CAkey "${ca_key}" -CAcreateserial -extensions v3_ext \
    -extfile <(printf "%b" "${csr_conf}") \
    -days "${cert_days}" -out "${cert}" >/dev/null 2>&1

  rm -f "${csr}"
}

cert::update_kubeconf() {
  local cert_name=${1}
  local kubeconf_file=${cert_name}.conf
  local cert=${cert_name}.crt
  local key=${cert_name}.key
  local subj
  local cert_base64

  check_file "${kubeconf_file}"
  # get the key from the old kubeconf
  grep "client-key-data" "${kubeconf_file}" | awk '{print$2}' | base64 -d >"${key}"
  # get the old certificate from the old kubeconf
  grep "client-certificate-data" "${kubeconf_file}" | awk '{print$2}' | base64 -d >"${cert}"
  # get subject from the old certificate
  subj=$(cert::get_subj "${cert_name}")
  cert::gen_cert "${cert_name}" "client" "${subj}" "${CERT_DAYS}" "${CERT_CA}"
  # get certificate base64 code
  cert_base64=$(base64 -w 0 "${cert}")

  # set certificate base64 code to kubeconf
  sed -i 's/client-certificate-data:.*/client-certificate-data: '"${cert_base64}"'/g' "${kubeconf_file}"

  rm -f "${cert}"
  rm -f "${key}"
}

cert::update_etcd_cert() {
  local subj
  local subject_alt_name
  local cert

  # generate etcd server,peer certificate
  # /etc/kubernetes/pki/etcd/server
  # /etc/kubernetes/pki/etcd/peer
  for cert in ${ETCD_CERT_SERVER} ${ETCD_CERT_PEER}; do
    subj=$(cert::get_subj "${cert}")
    subject_alt_name=$(cert::get_subject_alt_name "${cert}")
    cert::gen_cert "${cert}" "peer" "${subj}" "${CERT_DAYS}" "${ETCD_CERT_CA}" "${subject_alt_name}"
    log::info "${GREEN}updated ${BLUE}${cert}.conf${NC}"
  done

  # generate etcd healthcheck-client,apiserver-etcd-client certificate
  # /etc/kubernetes/pki/etcd/healthcheck-client
  # /etc/kubernetes/pki/apiserver-etcd-client
  for cert in ${ETCD_CERT_HEALTHCHECK_CLIENT} ${ETCD_CERT_APISERVER_ETCD_CLIENT}; do
    subj=$(cert::get_subj "${cert}")
    cert::gen_cert "${cert}" "client" "${subj}" "${CERT_DAYS}" "${ETCD_CERT_CA}"
    log::info "${GREEN}updated ${BLUE}${cert}.conf${NC}"
  done

  # restart etcd
  docker ps | awk '/k8s_etcd/{print$1}' | xargs -r -I '{}' docker restart {} >/dev/null 2>&1 || true
  log::info "restarted etcd"
}

cert::update_master_cert() {
  local subj
  local subject_alt_name
  local conf

  # generate apiserver server certificate
  # /etc/kubernetes/pki/apiserver
  subj=$(cert::get_subj "${CERT_APISERVER}")
  subject_alt_name=$(cert::get_subject_alt_name "${CERT_APISERVER}")
  cert::gen_cert "${CERT_APISERVER}" "server" "${subj}" "${CERT_DAYS}" "${CERT_CA}" "${subject_alt_name}"
  log::info "${GREEN}updated ${BLUE}${CERT_APISERVER}.crt${NC}"

  # generate apiserver-kubelet-client certificate
  # /etc/kubernetes/pki/apiserver-kubelet-client
  subj=$(cert::get_subj "${CERT_APISERVER_KUBELET_CLIENT}")
  cert::gen_cert "${CERT_APISERVER_KUBELET_CLIENT}" "client" "${subj}" "${CERT_DAYS}" "${CERT_CA}"
  log::info "${GREEN}updated ${BLUE}${CERT_APISERVER_KUBELET_CLIENT}.crt${NC}"

  # generate kubeconf for controller-manager,scheduler and kubelet
  # /etc/kubernetes/controller-manager,scheduler,admin,kubelet.conf
  for conf in ${CONF_CONTROLLER_MANAGER} ${CONF_SCHEDULER} ${CONF_ADMIN} ${CONF_KUBELET}; do
    if [[ ${conf##*/} == "kubelet" ]]; then
      # https://github.com/kubernetes/kubeadm/issues/1753
      set +e
      grep kubelet-client-current.pem /etc/kubernetes/kubelet.conf >/dev/null 2>&1
      kubelet_cert_auto_update=$?
      set -e
      if [[ "$kubelet_cert_auto_update" == "0" ]]; then
        log::info "does not need to update kubelet.conf"
        continue
      fi
    fi

    # update kubeconf
    cert::update_kubeconf "${conf}"
    log::info "${GREEN}updated ${BLUE}${conf}.conf${NC}"

    # copy admin.conf to ${HOME}/.kube/config
    if [[ ${conf##*/} == "admin" ]]; then
      mkdir -p "${HOME}/.kube"
      local config=${HOME}/.kube/config
      local config_backup
      config_backup=${HOME}/.kube/config.old-$(date +%Y%m%d)
      if [[ -f ${config} ]] && [[ ! -f ${config_backup} ]]; then
        cp -fp "${config}" "${config_backup}"
        log::info "backup ${config} to ${config_backup}"
      fi
      cp -fp "${conf}.conf" "${HOME}/.kube/config"
      log::info "copy the admin.conf to ${HOME}/.kube/config"
    fi
  done

  # generate front-proxy-client certificate
  # /etc/kubernetes/pki/front-proxy-client
  subj=$(cert::get_subj "${FRONT_PROXY_CLIENT}")
  cert::gen_cert "${FRONT_PROXY_CLIENT}" "client" "${subj}" "${CERT_DAYS}" "${FRONT_PROXY_CA}"
  log::info "${GREEN}updated ${BLUE}${FRONT_PROXY_CLIENT}.crt${NC}"

  # restart apiserver, controller-manager, scheduler and kubelet
  for item in "apiserver" "controller-manager" "scheduler"; do
    docker ps | awk '/k8s_kube-'${item}'/{print$1}' | xargs -r -I '{}' docker restart {} >/dev/null 2>&1 || true
    log::info "restarted ${item}"
  done
  systemctl restart kubelet || true
  log::info "restarted kubelet"
}

main() {
  local node_type=$1

  CERT_DAYS=3650

  KUBE_PATH=/etc/kubernetes
  PKI_PATH=${KUBE_PATH}/pki

  # master certificates path
  # apiserver
  CERT_CA=${PKI_PATH}/ca
  CERT_APISERVER=${PKI_PATH}/apiserver
  CERT_APISERVER_KUBELET_CLIENT=${PKI_PATH}/apiserver-kubelet-client
  CONF_CONTROLLER_MANAGER=${KUBE_PATH}/controller-manager
  CONF_SCHEDULER=${KUBE_PATH}/scheduler
  CONF_ADMIN=${KUBE_PATH}/admin
  CONF_KUBELET=${KUBE_PATH}/kubelet
  # front-proxy
  FRONT_PROXY_CA=${PKI_PATH}/front-proxy-ca
  FRONT_PROXY_CLIENT=${PKI_PATH}/front-proxy-client

  # etcd certificates path
  ETCD_CERT_CA=${PKI_PATH}/etcd/ca
  ETCD_CERT_SERVER=${PKI_PATH}/etcd/server
  ETCD_CERT_PEER=${PKI_PATH}/etcd/peer
  ETCD_CERT_HEALTHCHECK_CLIENT=${PKI_PATH}/etcd/healthcheck-client
  ETCD_CERT_APISERVER_ETCD_CLIENT=${PKI_PATH}/apiserver-etcd-client

  case ${node_type} in
  # etcd)
  # # update etcd certificates
  #   cert::update_etcd_cert
  # ;;
  master)
    # check certificates expiration
    cert::check_master_certs_expiration
    # backup $KUBE_PATH to $KUBE_PATH.old-$(date +%Y%m%d)
    cert::backup_file "${KUBE_PATH}"
    # update master certificates and kubeconf
    log::info "${GREEN}updating...${NC}"
    cert::update_master_cert
    log::info "${GREEN}done!!!${NC}"
    # check certificates expiration after certificates updated
    cert::check_master_certs_expiration
    ;;
  all)
    # check certificates expiration
    cert::check_all_expiration
    # backup $KUBE_PATH to $KUBE_PATH.old-$(date +%Y%m%d)
    cert::backup_file "${KUBE_PATH}"
    # update etcd certificates
    log::info "${GREEN}updating...${NC}"
    cert::update_etcd_cert
    # update master certificates and kubeconf
    cert::update_master_cert
    log::info "${GREEN}done!!!${NC}"
    # check certificates expiration after certificates updated
    cert::check_all_expiration
    ;;
  check)
    # check certificates expiration
    cert::check_all_expiration
    ;;
  *)
    log::err "unknown, unsupported cert type: ${node_type}, supported type: \"all\", \"master\""
    printf "Documentation: https://github.com/yuyicai/update-kube-cert
  example:
    '\033[32m./update-kubeadm-cert.sh all\033[0m' update all etcd certificates, master certificates and kubeconf
      /etc/kubernetes
      ├── admin.conf
      ├── controller-manager.conf
      ├── scheduler.conf
      ├── kubelet.conf
      └── pki
          ├── apiserver.crt
          ├── apiserver-etcd-client.crt
          ├── apiserver-kubelet-client.crt
          ├── front-proxy-client.crt
          └── etcd
              ├── healthcheck-client.crt
              ├── peer.crt
              └── server.crt
    '\033[32m./update-kubeadm-cert.sh master\033[0m' update only master certificates and kubeconf
      /etc/kubernetes
      ├── admin.conf
      ├── controller-manager.conf
      ├── scheduler.conf
      ├── kubelet.conf
      └── pki
          ├── apiserver.crt
          ├── apiserver-kubelet-client.crt
          └── front-proxy-client.crt
"
    exit 1
    ;;
  esac
}

main "$@"


验证:
apiserver证书
 openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text |grep ' Not '
            Not Before: Dec 17 08:49:46 2021 GMT
            Not After : Dec 15 08:49:46 2031 GMT
etcd证书
 openssl x509 -in /etc/kubernetes/pki/etcd/healthcheck-client.crt -noout -text |grep ' Not '
            Not Before: Dec 17 08:49:27 2021 GMT
            Not After : Dec 15 08:49:27 2031 GMT

因为caclio依赖etcd证书,所以caclio服务使用证书也要更新

5 启用自动轮换kubelet证书

kubelet证书分为server和client两种, k8s 1.9默认启用了client证书的自动轮换,但server证书自动轮换需要用户开启.

5.1 增加kubelet参数

/usr/lib/systemd/system/kubelet.service.d/10-kubeadm.conf
Environment="KUBELET_EXTRA_ARGS=--feature-gates=RotateKubeletServerCertificate=true"

5.2 增加controller-manager参数

# 在/etc/kubernetes/manifests/kube-controller-manager.yaml 添加如下参数
  - command:
    - kube-controller-manager
    - --experimental-cluster-signing-duration=87600h0m0s
    - --feature-gates=RotateKubeletServerCertificate=true
    - ....

5.3 创建rbac对象

# 创建rbac对象,允许节点轮换kubelet server证书:
cat > ca-update.yaml << EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: system:certificates.k8s.io:certificatesigningrequests:selfnodeserver
rules:
- apiGroups:
  - certificates.k8s.io
  resources:
  - certificatesigningrequests/selfnodeserver
  verbs:
  - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubeadm:node-autoapprove-certificate-server
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:certificates.k8s.io:certificatesigningrequests:selfnodeserver
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:nodes
EOF

kubectl create –f ca-update.yaml

更多文章可以访问我博客: https://devopstack.cn

随小风
关注
  • 0
    点赞
  • 4
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
ERROR 1862 (HY000): Your password has expired. To log in you must change it using a …..
01-19
ERROR 1862 (HY000): Your password has expired. To log in you must change it using a client that supports expired passwords 出现问题原因: 可能是你在安装 MySQL过程中,通过mysqld –initialize 初始化 ...
ERROR 1862 (HY000): Your password has expired. To log in you must change it using a .....
09-09
在MySQL的使用过程中,有时会遇到“ERROR 1862 (HY000): Your password has expired. To log in you must change it using a client that supports expired passwords”这样的错误提示,这表明你的MySQL密码已经过期...
Unable to connect to the server: x509: certificate has expired or is not yet valid
weixin_54104864的博客
06-15 5938
【代码】Unable to connect to the server: x509: certificate has expired or is not yet valid
K8S异常之Unable to connect to the server: x509: certificate has expired or is not yet valid
一掬净土
01-03 8653
K8S异常之Unable to connect to the server: x509: certificate has expired or is not yet valid
v1.24.1_K8S异常之Unable to connect to the server: x509: certificate has expired or is not yet valid
最新发布
xjxy52o的博客
06-19 308
v1.24.1_K8S异常之Unable to connect to the server: x509: certificate has expired or is not yet valid
解决:Unable to connect to the server: x509: certificate signed by unknown authority (possibly because
m0_55691056的博客
04-04 3923
运行kubeadm reset清除配置后,对集群初始化也是成功的。然而当运行 kubectl get nodes 时又报错..原因:执行kubeadm reset命令后没有删除创建的.kube目录,重新创建集群就会出现这个问题!
查看k8s证书过期时间:各组件
学亮编程手记
02-22 4875
[root@k8s-n0 kuboard-install]# kubeadm alpha certs check-expiration [check-expiration] Reading configuration from the cluster... [check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml' [check-expi
k8s报错Unable to connect to the server: x509: certificate has expired or is not yet valid
qq_42448043的博客
01-02 8335
问题现象:kubernetes集群部署过程中,kubectl相关命令不可用,报错Unable to connect to the server: x509: certificate has expired or is not yet valid。过一段时间又可以正常使用。 解决方案:检查生成证书的机器的时间是否与master、node节点时间同步,若生成证书机器的时间早于master、node...
kubectl Unable to connect to the server: tls: failed to verify certificate: x509: certificate signed
寂夜了无痕的博客
05-16 1250
kubectl Unable to connect to the server: tls: failed to verify certificate: x509: certificate signed
远程centos7服务器上的mongodb报错serverSelectionTimeoutMS’
01-09
navicat远程报错信息如下图  排查了一会 有发现: 一个问题就是:mongodb.conf 配置文件 配置把 binip 给注释掉 # bindip=127.0.0.1 # 另外加上 journal=true # journal日志 注意:修改完配置文件需要重启...
k8s证书过期处理方案
11-17
当你尝试执行`kubectl`命令时,如果出现类似“Unable to connect to the server: x509: certificate has expired or is not yet valid”的错误,这表明证书已过期或即将过期。你还可以通过查看Kubernetes的日志来...
ORA-28001 the password has expired密码过期.docx
02-22
在Oracle数据库管理中,"ORA-28001 the password has expired" 是一个常见的错误,它表明数据库用户的密码已经超过了预设的有效期限,导致用户无法正常登录。这个错误主要出现在Oracle 11G及更高版本中,因为这些...
ChatSecure-Push-Server:一种针对隐私的推送服务器的实验设计
02-26
ChatSecure推送服务器 注重隐私的推送服务器的实验设计。部署到Heroku 部署完成后,使用通过python push/manage.py delete_expired_tokens命令安排每日过期的令牌清除:手动安装您将需要使用您选择的方法安装...
使用安装的nvm来安装node各版本v9.6.1
06-29
可能会出现证书报错,可以使用以下命令解决: ``` [root@bogon ~]# npm config set strict-ssl false [root@bogon ~]# npm install pm2 -g ``` 安装完成后,我们可以使用以下命令来验证 pm2 的版本: ``` [root@...
wso2 how to add ssl certificate.pdf
06-09
wso2 新增OpenSSL生成並使用CA根證書籤名Keytool生成的證書請求 相關流程心智圖展開
sslexpiry.js:密切注意SSL证书的到期日期
04-12
该脚本连接到一组给定的服务器,获取并验证其SSL证书,并检查到期日期等。如果出现以下情况,它将向您发出警告: 连接失败, SSL协商无法成功, SSL证书无法验证, SSL证书与服务器主机名不匹配, 服务器不支持...
kubesphere 访问失败
weixin_41927873的博客
07-28 3644
问题记录 重启kubesphere的docker后,ks-controller-manager-748c98775c-dn8th服务一直处于crashloopbackoff 状态。 kubectl log pod ks-controller-manager-748c98775c-q8gls --namespace=kubesphere-system 查看日志 报错:failed to connect to ldap service, please check ldap status, error:
使用nvm下载node版本报错“https://npm.taobao.org/mirrors/node/latest/SHASUMS256.txt“: tls: failed to verify ce
LRQQHM的博客
03-04 3235
因为淘宝的镜像域名更换,由于npm.taobao.org域名HTTPS证书到期更换为npmmirror.com,那么就会导致之前使用该镜像域名下载依赖的安装包会出现问题。找到自己安装nvm的文件夹 找到settings.txt。
HTTPS双向认证
Starr
02-28 6967
文章目录双向认证服务端客户端(问题残留) 双向认证 C/S两端分别生成密钥对,交换公钥,基于公钥验证另一端。 第一步,创建密钥对,把公钥存储为自签名、PEM编码的证书。用openssl即可,这里以一个HTTPS服务端为例: openssl req -nodes -x509 -newkey rsa:4096 -keyout serverKey.pem -out serverCrt.pem -days 365 serverKey.pem包含服务器的私钥,需要保护;serverCrt.pem包含服务器的公钥,用
安装k8s配置网络插件时Unable to connect to the server: x509: certificate has expired or is not yet valid
05-13
这个问题可能是由于Kubernetes API Server证书过期或者证书还没有生效导致的。你可以通过以下步骤解决这个问题: 1. 确认证书是否已过期或者还未生效,可以通过以下命令检查: ```bash openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text | grep "Not After" openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text | grep "Not Before" ``` 2. 如果证书过期,则需要重新生成证书并更新kube-apiserver配置文件。更新证书的步骤可以参考Kubernetes官方文档的[证书过期和轮换](https://kubernetes.io/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/#%E8%AF%81%E4%B9%A6%E8%BF%87%E6%9C%9F%E5%92%8C%E8%BD%AE%E6%8D%A2)。 3. 如果证书还未生效,则需要等待证书生效后再尝试安装网络插件。 4. 如果以上步骤都没有解决问题,可以尝试重新部署Kubernetes集群。

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值