loading...

Microk8s: Unable to connect to the server: x509: certificate has expired or is not yet valid

boris profile image Boris Quiroz ・1 min read

This is an error that you might see once every 10 years, so it's very likely you'll forget the solution.
The behavior is the following: When trying to do anything that interacts with API server you'll get the following error:

boris@ubuntu:~$ microk8s kubectl get all --all-namespaces
Unable to connect to the server: x509: certificate has expired or is not yet valid: current time 2020-05-03T23:53:06Z is after 2020-05-03T16:38:01Z

How to solve it?

Easy, just renew your certificates. But first, it's a good idea to check expiration time of current installed certificates:

boris@ubuntu:~$ sudo microk8s.refresh-certs -c
The CA certificate will expire in 0 days.

Ok, we're a but out-of-date, let's renew them:

boris@ubuntu:~$ sudo microk8s.refresh-certs -i
Backing up certificates under /var/snap/microk8s/1385/var/log/ca-backup/
Creating new certificates
Signature ok
subject=/C=GB/ST=Canonical/L=Canonical/O=Canonical/OU=Canonical/CN=127.0.0.1
Getting CA Private Key
Signature ok
subject=/CN=front-proxy-client
Getting CA Private Key
1
Creating new kubeconfig file
Stopped.
Started.

The CA certificates have been replaced. Kubernetes will restart the pods of your workloads.
Any worker nodes you may have in your cluster need to be removed and re-joined to become aware of the new CA.

Posted on by:

boris profile

Boris Quiroz

@boris

Senior Systems Engineer (bq_ @ irc.freenode)

Discussion

markdown guide