1. Problem: k8s certificates have expired
[root@ecm-master ~]# kubectl get ns
Unable to connect to the server: x509: certificate has expired or is not yet valid: current time 2024-06-19T12:57:18+08:00 is after 2024-06-06T02:53:12Z
2. Solution
2.1 Procedure
# Back up the current state (on prod-master1)
cp -r /etc/kubernetes{,_bak}
# Stop the control-plane components on every master (prod-master1 to prod-master3)
crictl ps # list the running containers
mv /etc/kubernetes/manifests /etc/kubernetes/manifests_bak # kubelet stops the static pods: apiserver, controller-manager, scheduler
# Renew all certificates (run on prod-master1)
kubeadm certs renew all
2.2 The steps in detail
Check the certificate expiry dates
[root@ecm-master ~]# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jun 06, 2024 02:53 UTC   <invalid>       ca                      no
apiserver                  Jun 06, 2024 02:53 UTC   <invalid>       ca                      no
apiserver-etcd-client      Jun 06, 2024 02:53 UTC   <invalid>       etcd-ca                 no
apiserver-kubelet-client   Jun 06, 2024 02:53 UTC   <invalid>       ca                      no
controller-manager.conf    Jun 06, 2024 02:53 UTC   <invalid>       ca                      no
etcd-healthcheck-client    Jun 06, 2024 02:53 UTC   <invalid>       etcd-ca                 no
etcd-peer                  Jun 06, 2024 02:53 UTC   <invalid>       etcd-ca                 no
etcd-server                Jun 06, 2024 02:53 UTC   <invalid>       etcd-ca                 no
front-proxy-client         Jun 06, 2024 02:53 UTC   <invalid>       front-proxy-ca          no
scheduler.conf             Jun 06, 2024 02:53 UTC   <invalid>       ca                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jun 04, 2033 02:53 UTC   8y              no
etcd-ca                 Jun 04, 2033 02:53 UTC   8y              no
front-proxy-ca          Jun 04, 2033 02:53 UTC   8y              no
Renew the certificates
[root@ecm-master ~]# kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[renew] Error reading configuration from the Cluster. Falling back to default configuration
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.
[root@ecm-master ~]# echo $?
0
Check the certificate dates after renewal
[root@ecm-master ~]# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jun 19, 2025 05:07 UTC   364d            ca                      no
apiserver                  Jun 19, 2025 05:07 UTC   364d            ca                      no
apiserver-etcd-client      Jun 19, 2025 05:07 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Jun 19, 2025 05:07 UTC   364d            ca                      no
controller-manager.conf    Jun 19, 2025 05:07 UTC   364d            ca                      no
etcd-healthcheck-client    Jun 19, 2025 05:07 UTC   364d            etcd-ca                 no
etcd-peer                  Jun 19, 2025 05:07 UTC   364d            etcd-ca                 no
etcd-server                Jun 19, 2025 05:07 UTC   364d            etcd-ca                 no
front-proxy-client         Jun 19, 2025 05:07 UTC   364d            front-proxy-ca          no
scheduler.conf             Jun 19, 2025 05:07 UTC   364d            ca                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jun 04, 2033 02:53 UTC   8y              no
etcd-ca                 Jun 04, 2033 02:53 UTC   8y              no
front-proxy-ca          Jun 04, 2033 02:53 UTC   8y              no
3. New problem ① and its solution
3.1 Running kubectl get node again shows a new error: error: You must be logged in to the server (Unauthorized)
[root@ecm-master ~]# kubectl get node
error: You must be logged in to the server (Unauthorized)
3.2 Fix for the error above
The kubeconfig under $HOME/.kube/config is the copy of admin.conf made at cluster setup and still embeds the expired client certificate, so the API server rejects it even though /etc/kubernetes/admin.conf itself was renewed. Back up the existing file with cp -rp $HOME/.kube/config $HOME/.kube/config.bak, then replace it with the renewed admin.conf: sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
Run kubectl get node to confirm the fix
[root@ecm-master ~]# cp -rp $HOME/.kube/config $HOME/.kube/config.bak
[root@ecm-master ~]# cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
cp: overwrite ‘/root/.kube/config’? y
[root@ecm-master ~]# kubectl get node
NAME         STATUS   ROLES           AGE    VERSION
ecm-master   Ready    control-plane   378d   v1.24.1
ecm-node1    Ready    <none>          378d   v1.24.1
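Added example, not part of the original post: a small shell report that covers both checks above, the PKI certificates that kubeadm certs check-expiration lists in 2.2 and the client certificate embedded in kubeconfig files, including the ~/.kube/config copy that stayed stale in 3.1. It works without kubeadm reaching the cluster. The function names are my own; it assumes GNU coreutils (date -d, base64 -d) and openssl on the host, and the kubeadm directory layout under /etc/kubernetes.

```shell
#!/bin/sh
# Added example, not from the original post: report expiry of every kubeadm
# certificate under /etc/kubernetes, including the client certs embedded in
# kubeconfig files (admin.conf and the ~/.kube/config copy that stayed stale
# above). Assumes GNU coreutils (date -d, base64 -d) and openssl on the host.

# Days until the PEM certificate in file $1 expires (negative once it has expired).
cert_days_left() {
    enddate=$(openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//')
    end_epoch=$(date -u -d "$enddate" +%s)
    echo $(( (end_epoch - $(date -u +%s)) / 86400 ))
}

# Same for the client-certificate-data embedded in kubeconfig $1.
kubeconfig_cert_days_left() {
    tmp=$(mktemp)
    sed -n 's/^ *client-certificate-data: *//p' "$1" | head -n 1 | base64 -d > "$tmp"
    days=$(cert_days_left "$tmp")
    rm -f "$tmp"
    echo "$days"
}

# Map a days-left value ($1) to OK / WARN / EXPIRED using warning threshold $2.
cert_status() {
    if [ "$1" -lt 0 ]; then echo EXPIRED
    elif [ "$1" -lt "$2" ]; then echo WARN
    else echo OK
    fi
}

# $1 = kubernetes dir (default /etc/kubernetes), $2 = warn-before days (default 30),
# $3 = the user's kubeconfig copy (default ~/.kube/config). One line per certificate.
report_kubeadm_certs() {
    dir=${1:-/etc/kubernetes}; warn=${2:-30}; userconf=${3:-$HOME/.kube/config}
    for f in "$dir"/pki/*.crt "$dir"/pki/etcd/*.crt; do
        [ -f "$f" ] || continue
        d=$(cert_days_left "$f")
        printf '%-8s %5sd  %s\n' "$(cert_status "$d" "$warn")" "$d" "$f"
    done
    for f in "$dir"/*.conf "$userconf"; do
        [ -f "$f" ] || continue
        d=$(kubeconfig_cert_days_left "$f")
        printf '%-8s %5sd  %s (embedded client cert)\n' "$(cert_status "$d" "$warn")" "$d" "$f"
    done
}

if [ "${1:-}" = "--run" ]; then
    report_kubeadm_certs "${2:-/etc/kubernetes}" "${3:-30}"
fi
```

Run it as `sh check-certs.sh --run /etc/kubernetes 30` on each master; after a renewal the report shows /etc/kubernetes/admin.conf as OK while a not-yet-replaced ~/.kube/config still reports EXPIRED, which is exactly the state behind the Unauthorized error.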