This article covers the error "Unable to connect to the server: x509: certificate has expired or is not yet valid".
Today, when I listed the pods in the k8s environment from my local machine, kubectl reported that it could not connect to the k8s server:
baily@baily ~ kubectl -n david-test get pod -o wide
Unable to connect to the server: x509: certificate has expired or is not yet valid
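Official k8s documentation on resolving certificate expiry: click to view
Troubleshooting help document: click to view
The cause was that the certificates on the k8s master node had expired. Log in to the master server and look in /etc/kubernetes/: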
root@lucy-dev2:~/go/src/lucy/david/build# cd /etc/kubernetes
root@lucy-dev2:/etc/kubernetes# ls
admin.conf controller-manager.conf kubelet.conf manifests pki scheduler.conf ssl
root@lucy-dev2:/etc/kubernetes# cd pki
root@lucy-dev2:/etc/kubernetes/pki# ls
apiserver.crt apiserver-etcd-client.key apiserver-kubelet-client.crt ca.crt etcd front-proxy-ca.key front-proxy-client.key sa.pub
root@lucy-dev2:/etc/kubernetes/pki# openssl x509 -in apiserver.crt -noout -text |grep ' Not ' # check whether it has expired
Not Before: Apr 14 15:06:14 2020 GMT
Not After : Apr 14 15:06:14 2021 GMT
root@lucy-dev2:/etc/kubernetes/pki# kubeadm alpha certs check-expiration # check whether the k8s certificates have expired
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration
W0416 12:01:16.329068 29740 configset.go:202] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Apr 14, 2021 15:06 UTC   <invalid>                               no
apiserver                  Apr 14, 2021 15:06 UTC   <invalid>       ca                      no
apiserver-etcd-client      Apr 14, 2021 15:06 UTC   <invalid>       etcd-ca                 no
apiserver-kubelet-client   Apr 14, 2021 15:06 UTC   <invalid>       ca                      no
controller-manager.conf    Apr 14, 2021 15:06 UTC   <invalid>                               no
etcd-healthcheck-client    Apr 14, 2021 15:06 UTC   <invalid>       etcd-ca                 no
etcd-peer                  Apr 14, 2021 15:06 UTC   <invalid>       etcd-ca                 no
etcd-server                Apr 14, 2021 15:06 UTC   <invalid>       etcd-ca                 no
front-proxy-client         Apr 14, 2021 15:06 UTC   <invalid>       front-proxy-ca          no
scheduler.conf             Apr 14, 2021 15:06 UTC   <invalid>                               no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Apr 12, 2030 15:06 UTC   8y              no
etcd-ca                 Apr 12, 2030 15:06 UTC   8y              no
front-proxy-ca          Apr 12, 2030 15:06 UTC   8y              no
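The output shows that the certificates of all k8s master components have expired; they are valid for one year. To fix the problem:
1. Back up all files under the /etc/kubernetes/pki directory.
2. Manually renew all certificates by running: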
kubeadm alpha certs renew all
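3. Check whether the certificate validity period has been updated
root@lucy-dev2:/etc/kubernetes/pki# openssl x509 -in apiserver.crt -noout -text |grep ' Not '
Not Before: Apr 14 15:06:14 2020 GMT
Not After : Apr 16 04:07:36 2022 GMT
4. On the master node, back up all configuration files under the /etc/kubernetes directory
5. Update the user configuration by running the following commands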
kubeadm alpha kubeconfig user --client-name=admin
kubeadm alpha kubeconfig user --org system:masters --client-name kubernetes-admin > /etc/kubernetes/admin.conf
kubeadm alpha kubeconfig user --client-name system:kube-controller-manager > /etc/kubernetes/controller-manager.conf
kubeadm alpha kubeconfig user --org system:nodes --client-name system:node:$(hostname) > /etc/kubernetes/kubelet.conf
kubeadm alpha kubeconfig user --client-name system:kube-scheduler > /etc/kubernetes/scheduler.conf
6. Replace the /root/.kube/config file with the updated admin.conf
cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
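After the update, copy the .kube folder from the home directory on the master node server to the /home/<user> directory on the local machine; you can then operate k8s directly.
7. Restart the apiserver and scheduler system components on all master nodes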
systemctl restart kube-apiserver
systemctl restart kube-scheduler
8. Run the kubectl command on the local machine
baily@baily ~ kubectl -n david-test get po -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
david-test-api-canon-7d889b96b5-jn88z 1/1 Running 0 2d22h 10.244.2.189 worker1 <none> <none>
david-test-api-regulatory-7bfb546894-cfnxf 1/1 Running 0 15d 10.244.2.156 worker1 <none> <none>
david-test-api-threepartyplatform-7ccb58dcf8-hc9mw 1/1 Running 0 15d 10.244.2.158 worker1 <none> <none>
david-test-db-asset-96489d7c5-n6v5q 1/1 Running 0 14d 10.244.2.183 worker1 <none> <none>
david-test-db-event-8688566f-mw9hd 1/1 Running 0 15d 10.244.0.253 master1 <none> <none>
david-test-db-user-77d6bddd98-h8ckt 1/1 Running 0 15d 10.244.0.252 master1 <none> <none>
Done.
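To notice the one-year expiry before kubectl starts failing, the manual openssl check from the steps above can be scripted and run on a schedule. The script below is an added example, not part of the original post: the function names and WARN_DAYS are hypothetical, and it assumes GNU date and the openssl CLI on the master node.

```shell
#!/bin/sh
# Added example: flag kubeadm certificates that are expired or close to expiry.
# Function names and WARN_DAYS are hypothetical. Assumes GNU date and openssl.
WARN_DAYS="${WARN_DAYS:-30}"

# days_left "<notAfter>" [now_epoch]: whole days until expiry, negative if expired.
days_left() {
    [ -n "$1" ] || return 2
    end=$(date -u -d "$1" +%s 2>/dev/null) || return 2
    now="${2:-$(date -u +%s)}"
    diff=$(( end - now ))
    # Shell division truncates toward zero; shift so "expired 1s ago" gives -1.
    if [ "$diff" -lt 0 ]; then diff=$(( diff - 86399 )); fi
    echo $(( diff / 86400 ))
}

# cert_status "<notAfter>" [now_epoch]: EXPIRED, EXPIRING, OK or UNKNOWN.
cert_status() {
    d=$(days_left "$1" "${2:-}") || { echo UNKNOWN; return 0; }
    if [ "$d" -lt 0 ]; then echo EXPIRED
    elif [ "$d" -lt "$WARN_DAYS" ]; then echo EXPIRING
    else echo OK; fi
}

# enddate_of <file>: notAfter of a PEM certificate, or of the client
# certificate embedded (base64) in a kubeconfig such as admin.conf.
enddate_of() {
    case "$1" in
        *.crt) openssl x509 -in "$1" -noout -enddate 2>/dev/null ;;
        *) awk '/client-certificate-data:/ {print $2; exit}' "$1" |
               base64 -d 2>/dev/null | openssl x509 -noout -enddate 2>/dev/null ;;
    esac | cut -d= -f2
}

# scan_k8s_certs [dir] [now_epoch]: one status line per file; returns 1 if
# anything is not OK, so it can drive a cron job or monitoring check.
scan_k8s_certs() {
    dir="${1:-/etc/kubernetes}"; rc=0
    for f in "$dir"/pki/*.crt "$dir"/pki/etcd/*.crt "$dir"/*.conf; do
        [ -f "$f" ] || continue
        notafter=$(enddate_of "$f")
        st=$(cert_status "$notafter" "${2:-}")
        printf '%-9s %-26s %s\n' "$st" "${notafter:-?}" "$f"
        [ "$st" = OK ] || rc=1
    done
    return "$rc"
}
```

Calling `scan_k8s_certs` with no arguments checks /etc/kubernetes; a kubeconfig that references its client certificate by file path instead of embedding it is reported as UNKNOWN.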