Join Log in
Score:0
shaktirath avatar Server

/var/lib/kubelet/pki/kubelet.crt is expired, How to renew it?

cn flag
shaktirath

The kubernetes cluster in on 1.21.2. The kubelet is also on 1.21.2

kubelet --version
Kubernetes v1.21.2

kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.2", GitCommit:"092fbfbf53427de67cac1e9fa54aaa09a28371d7", GitTreeState:"clean", BuildDate:"2021-06-16T12:57:56Z", GoVersion:"go1.16.5", Compiler:"gc", Platform:"linux/amd64"}

When i am trying to "kl get no" I am getting below error

kl get no
error: You must be logged in to the server (Unauthorized)
**Note: kl is alias of kubectl**
I checked my /var/lib/kubelet/pki/kubelet.crt and it was expired.

In kubelet.crt, the issuer is below

Subject: CN=aparapu@1591592441
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption

Need help in renew this kubelet.crt.

863
0 + 7
in flag
mdaniel
Hi shaktirath welcome to S.F. Without knowing more about how you provisioned your Node, no one can say _for sure_ but in _most cases_ `rm -rf /var/lib/kubelet && rm -rf /etc/kubernetes && systemctl restart kubelet.service` will cause kubelet to go back through the initial cert request process and the apiserver will either prompt you or auto-approve the Node's cert request. Feel free to use `mv` instead of `rm`, and optionally stop kubelet first
0
Reply
shaktirath avatar
cn flag
shaktirath
Why to remove the /etc/kubernetes? I provisioned the node through kubeadm, which is present in kubernetes documentation.
0
Reply
shaktirath avatar
cn flag
shaktirath
Just to add one more thing, kubeadm renew cert is not for /var/lib/kubelet/kubelet.crt. If you are still sure then give me the detail steps.
0
Reply
Mikołaj Głodziak avatar
id flag
Mikołaj Głodziak
Hi @shaktirath, if I good understand your question [manual certificate renewal](https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/#manual-certificate-renewal) should help you. Try to exec `kubeadm certs renew`.
0
Reply
shaktirath avatar
cn flag
shaktirath
This above link is not talking about anything, how to renew the /var/lib/kubelet/kubelet.crt. I tried below link also but unfortunately my kubectl is not working. https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/#kubelet-serving-certs
0
Reply
Mikołaj Głodziak avatar
id flag
Mikołaj Głodziak
How did you set up your cluster? Are you using bare metal or some cloud providor? Look also at [this similar issue](https://github.com/kubernetes/kubeadm/issues/2186)
0
Reply
shaktirath avatar
cn flag
shaktirath
Yes. My cluster is made up of bare metal.
0
Reply
Score:1
aitorhh avatar Server
my flag
aitorhh

I've seen this issues in many other forums, and I finally found a solutions that works from me.

First, my issues was purely due to the certificate /var/lib/kubelet/pki/kubelet.crt, which I can see expired with either:

echo -n | openssl s_client -connect localhost:10250 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -text -noout | grep -A 2 Validity

or

sudo openssl x509 -in /var/lib/kubelet/pki/kubelet.crt -text -noout  | grep -A 2 Validity

First, you need to enable --rotate-certificates=true and --rotate-server-certificates=true in your kubelet. In my case, I installed the cluster using kubeadm, so I can edit the /etc/systemd/system/kubelet.service.d/10-kubeadm.conf, and add the following to KUBELET_EXTRA_ARGS:

Environment="KUBELET_EXTRA_ARGS=--rotate-certificates=true --rotate-server-certificates=true --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"

In general, it is just adding these flags to the kubelet exeuction /usr/bin/kubelet --rotate-certificates=true --rotate-server-certificates=true.

And, reload and restart kubelet with:

sudo systemctl daemon-reload
sudo service kubelet restart

After the restart, I see something like 14114 log.go:172] http: TLS handshake error from 20.0.0.13:57738: no serving certificate available for the kubelet, which indicates that the certificate needs to be added and approve.

Secondly, we need to approve the csr from kubernetes (this is something I've never look at before...):

kubectl get csr

There will see the certificate waiting to be approved, so just approved:

kubectl certificate approve csr-dlcf6

And your cluster should now have the server kubelet certificate renew. To verify again:

echo -n | openssl s_client -connect localhost:10250 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -text -noout | grep -A 2 Validity

Some notes:

  • We have enabled the rotation for both client and server. Client rotation is also part of the automatic cert renew script (https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/)
  • After we have enable the rotation the /var/lib/kubelet/pki/kubelet.crt is no longer used, instead the symbolic link /var/lib/kubelet/pki/kubelet-server-current.pem is used and points to the latest rotated certificate.

References:

0 + 0
eg flag
SteveSims
THANK YOU!!! Only place I've seen a solution to this after hours of searching
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.