Score:0

Error checking external CA condition for ca certificate authority


Not sure how to solve the problem with the certificates, maybe someone has encountered this problem?

kernel

uname -a
Linux node2 3.10.0-1127.19.1.el7.x86_64 #1 SMP Tue Aug 25 17:23:54 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

OS

 cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

kubectl

kubectl version

Client Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.2", GitCommit:"f5743093fd1c663cb0cbc89748f730662345d44d", GitTreeState:"clean", BuildDate:"2020-09-16T13:41:02Z", GoVersion:"go1.15", Compiler:"gc", Platform:"linux/amd64"}
Unable to connect to the server: x509: certificate has expired or is not yet valid: current time 2023-03-31T09:11:37+03:00 is after 2023-03-25T05:32:30Z

kubeadm

kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.2", GitCommit:"f5743093fd1c663cb0cbc89748f730662345d44d", GitTreeState:"clean", BuildDate:"2020-09-16T13:38:53Z", GoVersion:"go1.15", Compiler:"gc", Platform:"linux/amd64"}
Problem:

When I try to get nodes:

 kubectl get nodes
Unable to connect to the server: x509: certificate has expired or is not yet valid: current time 2023-03-31T09:15:30+03:00 is after 2023-03-25T05:32:30Z

Trying to renew:

kubeadm alpha certs renew all
W0331 09:15:52.880115    4475 configset.go:348] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
MISSING! certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself
Error checking external CA condition for ca certificate authority: failure loading certificate for API server: failed to load certificate: the certificate has expired
To see the stack trace of this error execute with --v=5 or higher

Kubeadm renew:

kubeadm alpha phase certs apiserver --apiserver-advertise-address 10.2.27.11
unknown flag: --apiserver-advertise-address
To see the stack trace of this error execute with --v=5 or higher
[root@node2 pki]#
[root@node2 pki]#
[root@node2 pki]# kubeadm alpha phase certs apiserver --apiserver-advertise-address 10.2.27.11
unknown flag: --apiserver-advertise-address
To see the stack trace of this error execute with --v=5 or higher
[root@node2 pki]# sudo kubeadm alpha certs renew apiserver
sudo: kubeadm: command not found
[root@node2 pki]# kubeadm alpha certs renew apiserver
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
[renew] Error reading configuration from the Cluster. Falling back to default configuration

W0404 13:54:08.589075   17136 configset.go:348] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
MISSING! certificate for serving the Kubernetes API

kubeadm alpha certs renew apiserver
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
[renew] Error reading configuration from the Cluster. Falling back to default configuration

W0404 13:54:26.555686   17270 configset.go:348] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
MISSING! certificate for serving the Kubernetes API
[root@node2 pki]# kubeadm alpha certs renew apiserver-etcd-client
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
[renew] Error reading configuration from the Cluster. Falling back to default configuration

W0404 13:54:32.885559   17375 configset.go:348] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
MISSING! certificate the apiserver uses to access etcd
[root@node2 pki]# kubeadm alpha certs renew apiserver-kubelet-client
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
[renew] Error reading configuration from the Cluster. Falling back to default configuration

W0404 13:54:37.895333   17459 configset.go:348] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
MISSING! certificate for the API server to connect to kubelet
Score:1

This error, `Unable to connect to the server: x509: certificate has expired or is not yet valid`, indicates that on the DX APM OnPrem installation, the Kubernetes system creates its own key/certificate, and the validity is 1 year and then expires.

Resolution:

Try the resolution steps in this doc.

As mentioned in this git link, you need to follow the steps below:

1) Renew expired certificates using kubeadm.

sudo kubeadm alpha certs renew apiserver

sudo kubeadm alpha certs renew apiserver-etcd-client

sudo kubeadm alpha certs renew apiserver-kubelet-client

sudo kubeadm alpha certs renew front-proxy-client

2) Generate new kube-configs.

sudo kubeadm alpha kubeconfig user --org system:masters --client-name kubernetes-admin  > admin.conf

sudo kubeadm alpha kubeconfig user --client-name system:kube-controller-manager > controller-manager.conf

sudo kubeadm alpha kubeconfig user --org system:nodes --client-name system:node:$(hostname) > kubelet.conf

sudo kubeadm alpha kubeconfig user --client-name system:kube-scheduler > scheduler.conf

3) Move the newly generated kube-configs to replace the existing kube-configs.

sudo mv admin.conf /etc/kubernetes/

sudo mv controller-manager.conf /etc/kubernetes/

sudo mv kubelet.conf /etc/kubernetes/

sudo mv scheduler.conf /etc/kubernet

4) Restart the master components.

sudo kill -s SIGHUP $(pidof kube-apiserver)

sudo kill -s SIGHUP $(pidof kube-controller-manager)

sudo kill -s SIGHUP $(pidof kube-scheduler)

Refer to this official doc for more information about Certificate Management with kubeadm.

cryptoparty
at the end of my post the output of kubeadm alpha certs renew all with an error
Sai Chandini Routhu
@cryptoparty Please check my edited Answer
cryptoparty
Error even on first step
Sai Chandini Routhu
Run this command `mkdir -p $HOME/.kube && sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config && sudo chown $(id -u):$(id -g) $HOME/.kube/config` and let me know if this works.
cryptoparty
Error reading configuration from the Cluster. Falling back to default configuration W0404 16:26:33.714086 27778 configset.go:348] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io] MISSING! certificate for serving the Kubernetes API
cryptoparty
Now it's OK! Thank you. Do I need to do the same on the other master nodes?
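
The answer above traces the x509 error to kubeadm-issued certificates reaching the end of their one-year validity. As an added example (not part of the original thread or of kubeadm), this script lists each certificate under the PKI directory and each client certificate embedded in a kubeconfig with its expiry status; the paths are the kubeadm defaults used in the answer, and the 30-day warning window and function names are assumptions.

```shell
# Added example: report expiry status of kubeadm-managed certificates.

# Succeeds if the PEM certificate $1 expires within $2 seconds (0 = already
# expired). Files that openssl cannot parse are flagged as well.
expires_within() {
    ! openssl x509 -checkend "$2" -noout -in "$1" >/dev/null 2>&1
}

# Print the notAfter date of the PEM certificate $1.
not_after() {
    openssl x509 -enddate -noout -in "$1" | cut -d= -f2
}

# Write the client certificate embedded in kubeconfig $1 to stdout as PEM.
# Prints nothing when the kubeconfig references a certificate file instead
# (as kubelet.conf does when client certificate rotation is enabled).
kubeconfig_cert() {
    awk '$1 == "client-certificate-data:" { print $2; exit }' "$1" |
        openssl base64 -d -A
}

# One status line per certificate in PKI dir $1 and per kubeconfig in dir $2;
# $3 is the warning window in seconds.
report() {
    local pki conf window f src tmp status
    pki="$1"; conf="$2"; window="$3"
    tmp=$(mktemp)
    for f in "$pki"/*.crt "$pki"/etcd/*.crt "$conf"/*.conf; do
        [ -f "$f" ] || continue
        src="$f"
        case "$f" in *.conf)
            kubeconfig_cert "$f" > "$tmp" 2>/dev/null || true
            [ -s "$tmp" ] || continue
            src="$tmp" ;;
        esac
        if expires_within "$src" 0; then status=EXPIRED
        elif expires_within "$src" "$window"; then status=EXPIRING
        else status=OK
        fi
        printf '%-8s %s notAfter=%s\n' "$status" "$f" "$(not_after "$src")"
    done
    rm -f "$tmp"
}

# Run against the default kubeadm layout when it exists on this host
# (assumed warning window: 30 days).
if [ -d /etc/kubernetes/pki ]; then
    report /etc/kubernetes/pki /etc/kubernetes 2592000
fi
```

Run it before and after the renewal steps; anything still marked EXPIRED afterwards was not reissued, which includes kubeconfig files that were never regenerated.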