

Fixing expired Rancher (K3s) certificates
source link: https://blog.51cto.com/u_13972012/5905988

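1. Problem (expired certificate):
Unable to connect to the server: x509: certificate has expired or is not yet valid
K3s certificate logic: K3s certificates are valid for 1 year by default. If a certificate has already expired or has fewer than 90 days remaining, K3s rotates it automatically on restart. In versions before K3s v1.19.1, however, a bug (https://github.com/k3s-io/k3s/issues/1621) prevents a restart from rotating the certificates automatically, so they have to be rotated manually.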
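
The rotation rule described above (already expired, or fewer than 90 days remaining, means rotation on restart) can be checked per certificate. This is an added example, not part of the original post; it assumes GNU date, openssl on PATH and the default TLS directory, and the names cert_status, report_certs, TLS_DIR and ROTATE_DAYS are hypothetical.

```shell
#!/bin/sh
# Added example: classify K3s certificates by time left until expiry.
# Assumptions: GNU date (for `date -d`), openssl on PATH, default K3s TLS dir.
TLS_DIR="${TLS_DIR:-/var/lib/rancher/k3s/server/tls}"
ROTATE_DAYS=90   # K3s rotates on restart when fewer than 90 days remain

# cert_status "<notAfter=... line from openssl>" <now_epoch>
# Prints EXPIRED, "ROTATE_ON_RESTART <n>d" or "OK <n>d".
cert_status() {
    end=${1#notAfter=}                              # strip the openssl prefix
    end_epoch=$(date -u -d "$end" +%s) || return 1  # parse the expiry timestamp
    left=$(( end_epoch - $2 ))                      # seconds until expiry
    if [ "$left" -le 0 ]; then
        echo "EXPIRED"
    elif [ "$left" -lt $(( ROTATE_DAYS * 86400 )) ]; then
        echo "ROTATE_ON_RESTART $(( left / 86400 ))d"
    else
        echo "OK $(( left / 86400 ))d"
    fi
}

# report_certs <dir>: one line per .crt file, status first, then the path.
report_certs() {
    now=$(date -u +%s)
    for crt in "$1"/*.crt; do
        [ -e "$crt" ] || continue                   # glob matched nothing
        line=$(openssl x509 -enddate -noout -in "$crt") || continue
        printf '%s\t%s\n' "$(cert_status "$line" "$now")" "$crt"
    done
}

# Only run the report on a host that actually has the directory and openssl.
if [ -d "$TLS_DIR" ] && command -v openssl >/dev/null 2>&1; then
    report_certs "$TLS_DIR"
fi
```
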
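2. Solution (rotate the certificates manually)
1) Disable time synchronization
timedatectl set-ntp no
2) Check when the k3s certificates expire
* Adjust the certificate path to match your actual k3s installation path
for i in /var/lib/rancher/k3s/server/tls/*.crt; do echo "$i"; openssl x509 -enddate -noout -in "$i"; done
* This shows the exact time at which each k3s certificate expires.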

3) Set the system time to 1 month before the expiry date (this makes the k3s cluster usable again)
date -s 20220921   # a temporary setting is enough
4) Delete the secret k3s-serving
kubectl --insecure-skip-tls-verify -n kube-system delete secrets k3s-serving
5) Delete the file dynamic-cert.json from the system
rm -f /var/lib/rancher/k3s/server/tls/dynamic-cert.json
6) Restart k3s
systemctl restart k3s
7) Check the expiry dates again (extended by 1 year by default)
for i in /var/lib/rancher/k3s/server/tls/*.crt; do echo "$i"; openssl x509 -enddate -noout -in "$i"; done

8) Re-enable time synchronization and sync to the current time
timedatectl set-ntp yes
9) Verify that the k3s cluster status is normal:
