Unable to connect to the server: x509: certificate has expired or is not yet valid

Introduction

By default, a cluster installed with kubeadm gets Kubernetes certificates that are valid for only 1 year. When you see the error “Unable to connect to the server: x509: certificate has expired or is not yet valid”, it means that you installed your cluster 1 year ago or last renewed its certificates a year ago. We will show how to resolve the certificate issue below.

How to fix “Unable to connect to the server: x509: certificate has expired or is not yet valid”

If you have Kubernetes version 1.15 or higher, it can be fixed with a single command:

kubeadm alpha certs renew all

This command should update all certificates for the Kubernetes management system. After that, you will need to restart the Kubernetes services with the command:

systemctl restart kubelet

If you have Kubernetes version 1.16+, all certificates can be renewed with a single command:

kubeadm upgrade

So, if you upgrade your cluster regularly, you shouldn’t have any trouble with certificates. If you don’t upgrade your cluster, we describe below how to deal with certificates on older clusters.
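Since the error only appears once the one-year lifetime has already run out, it helps to check the remaining validity ahead of time. The script below is an added example, not part of the original article; it assumes `openssl` is installed and that the certificates are in kubeadm's default directory `/etc/kubernetes/pki`, which is passed as an argument.

```shell
#!/bin/sh
# Added example: report certificates that are expired or about to expire.
# Usage: sh check-certs.sh /etc/kubernetes/pki 30
# Assumption: /etc/kubernetes/pki is the kubeadm default certificate directory.

# cert_expires_within FILE DAYS
#   returns 0 if FILE is expired or expires within DAYS days,
#   1 if it stays valid for longer, 2 if it cannot be parsed as a certificate.
cert_expires_within() {
    openssl x509 -noout -in "$1" >/dev/null 2>&1 || return 2
    secs=$(( $2 * 86400 ))
    # -checkend exits 0 only if the certificate is still valid $secs from now
    if openssl x509 -checkend "$secs" -noout -in "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# list_expiring DIR DAYS
#   prints "path<TAB>notAfter" for every *.crt under DIR (including
#   subdirectories such as etcd/) that needs attention within DAYS days.
list_expiring() {
    find "$1" -type f -name '*.crt' | sort | while IFS= read -r crt; do
        rc=0
        cert_expires_within "$crt" "$2" || rc=$?
        case $rc in
            0) end=$(openssl x509 -enddate -noout -in "$crt" | cut -d= -f2)
               printf '%s\t%s\n' "$crt" "$end" ;;
            2) printf '%s\tunreadable\n' "$crt" ;;
        esac
    done
}

# Run only when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    list_expiring "$1" "${2:-30}"
fi
```

Run it from cron on each control-plane node and alert on any output, so renewal happens before kubectl starts failing.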

How to fix “Unable to connect to the server: x509: certificate has expired or is not yet valid” on the old Kubernetes clusters

  1. Upgrade your cluster. This can cause a lot of trouble, because an upgrade to 1.15 can trigger an upgrade of kubernetes-cni and other components, which causes long downtime. It also requires re-joining all nodes of the cluster. However, it will keep your software up to date.
  2. You can simply download kubeadm version 1.17 and renew the certificates as described in this article. Download example:

curl -L -o /tmp/kubeadm https://dl.k8s.io/release/v1.17.4/bin/linux/amd64/kubeadm

  3. Enable an insecure connection to your apiserver. We don’t recommend this approach, because the insecure port serves the API over plain HTTP and bypasses authentication and authorization, but if you are unable to upgrade your cluster it will be the best solution for you. To do it, add the following lines to /etc/kubernetes/manifests/kube-apiserver.yaml:

    - --insecure-port=6339
    - --insecure-bind-address=127.0.0.1

After that, you’ll need to modify your ~/.kube/config with the lines:

    server: http://127.0.0.1:6339
    insecure-skip-tls-verify: true

That’s all. We’ve described all the methods for fixing the “Unable to connect to the server: x509: certificate has expired or is not yet valid” error.

You can find more vulnerabilities at this link: https://linuxnotes.org/category/kubernetes-guides/

Viva La Linux!
