root cert expired after a month, cluster does not respond anymore

Running microk8s inspect does not work, as well as talking to the cluster. The error is this: x509: certificate has expired or is not yet valid

How can I renew the root cert?

How can I make it last longer than a month?

Issue Analytics

  • State: closed
  • Created: 3 years ago
  • Reactions: 5
  • Comments: 21 (2 by maintainers)

Top GitHub Comments

35 reactions
ktsakalozos commented, Apr 28, 2020

The script I have for now is here: https://gist.github.com/ktsakalozos/5de8d4c86c976eeef0242cc39fdf82b2

It would be great if anyone would run it and provide feedback.

curl https://gist.githubusercontent.com/ktsakalozos/5de8d4c86c976eeef0242cc39fdf82b2/raw/f29ff555346435154553d35ff64a8282f867011f/refresh-certs.sh -o refresh.sh
chmod +x refresh.sh
sudo ./refresh.sh

After running the script the pods in the cluster should go into an unknown state and restart after some seconds.

The intention is to place the above script in a microk8s.refresh-certs command to address this issue in affected deployments.

@balchua the kubeconfig files use tokens but they also carry the ca.cert; that is why I think they need to be recreated.

2 reactions
realG commented, May 26, 2020

I hit upon the same issue just now, had to run refresh.sh and also had to give the coredns pod a kick, thank you @PeterSR for sharing that.

Everything seems to be back to working order, however I cannot pull an image from a private repo now.

  Normal   Scheduled  17m                  default-scheduler  Successfully assigned homelab/newimage-66c8d88f65-lhvdz to kube
  Normal   Pulling    15m (x4 over 17m)    kubelet, kube      Pulling image "registry.gitlab.com/realg/kube/newimage:20.05"
  Warning  Failed     15m (x4 over 17m)    kubelet, kube      Failed to pull image "registry.gitlab.com/realg/kube/newimage:20.05": rpc error: code = Unknown desc = failed to resolve image "registry.gitlab.com/realg/kube/newimage:20.05": no available registry endpoint: failed to fetch anonymous token: unexpected status: 403 Forbidden
  Warning  Failed     15m (x4 over 17m)    kubelet, kube      Error: ErrImagePull
  Normal   BackOff    11m (x21 over 17m)   kubelet, kube      Back-off pulling image "registry.gitlab.com/realg/kube/newimage:20.05"
  Warning  Failed     113s (x65 over 17m)  kubelet, kube      Error: ImagePullBackOff

The image is definitely there, I can pull it with docker from another host using the same dockerconfig.json, I haven’t made any other changes to my cluster so that has me thinking that it’s related to refreshing the expired certs.

Has anyone had the same issue?
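
The error in the report, "x509: certificate has expired or is not yet valid", covers two different conditions that call for different fixes: a certificate past its notAfter date needs reissuing, while one that is "not yet valid" points at the machine clock. As an added example (not part of the issue thread or of MicroK8s), the script below reads a certificate's validity window, reports its issued lifetime, and classifies it against a given clock reading. It assumes openssl and GNU date, builds a constructed throwaway CA to run against, and all function names are hypothetical.

```shell
#!/bin/sh
# Added example, not MicroK8s code. Assumes openssl and GNU date (date -d).

# cert_epoch CERT -startdate|-enddate : that validity bound as epoch seconds.
cert_epoch() {
    # openssl prints e.g. "notAfter=Apr 28 10:00:00 2021 GMT"
    date -d "$(openssl x509 -noout "$2" -in "$1" | cut -d= -f2)" +%s
}

# cert_lifetime_days CERT : length of the issued validity window in days.
cert_lifetime_days() {
    echo $(( ($(cert_epoch "$1" -enddate) - $(cert_epoch "$1" -startdate)) / 86400 ))
}

# cert_window_status CERT [NOW_EPOCH] : valid | expired | not_yet_valid.
# NOW_EPOCH defaults to the system clock; pass a value to model a wrong clock.
cert_window_status() {
    now=${2:-$(date +%s)}
    if [ "$now" -lt "$(cert_epoch "$1" -startdate)" ]; then
        echo "not_yet_valid"   # clock is behind the issue time
    elif [ "$now" -gt "$(cert_epoch "$1" -enddate)" ]; then
        echo "expired"         # past notAfter: reissue needed
    else
        echo "valid"
    fi
}

# make_sample_cert DIR DAYS : constructed self-signed CA used only for the demo.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=constructed-sample-ca" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Demo on a constructed 30-day CA, with three clock readings.
tmp=$(mktemp -d)
make_sample_cert "$tmp" 30
now=$(date +%s)
echo "issued lifetime:     $(cert_lifetime_days "$tmp/ca.crt") days"
echo "clock correct:       $(cert_window_status "$tmp/ca.crt" "$now")"
echo "clock 40 days ahead: $(cert_window_status "$tmp/ca.crt" $((now + 40 * 86400)))"
echo "clock 1 day behind:  $(cert_window_status "$tmp/ca.crt" $((now - 86400)))"
rm -rf "$tmp"
```

To check a real deployment, pass the path of the cluster's CA certificate file to cert_lifetime_days and cert_window_status instead of the constructed sample.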
