DEV Community

loading...

Microk8s: Unable to connect to the server: x509: certificate has expired or is not yet valid

Boris Quiroz
Senior Systems Engineer (bq_ @ irc.freenode)
・1 min read

This is an error that you might see once every 10 years, so it's very likely you'll forget the solution.
The behavior is the following: When trying to do anything that interacts with API server you'll get the following error:

boris@ubuntu:~$ microk8s kubectl get all --all-namespaces
Unable to connect to the server: x509: certificate has expired or is not yet valid: current time 2020-05-03T23:53:06Z is after 2020-05-03T16:38:01Z
Enter fullscreen mode Exit fullscreen mode

How to solve it?

Easy, just renew your certificates. But first, it's a good idea to check expiration time of current installed certificates:

boris@ubuntu:~$ sudo microk8s.refresh-certs -c
The CA certificate will expire in 0 days.
Enter fullscreen mode Exit fullscreen mode

Ok, we're a but out-of-date, let's renew them:

boris@ubuntu:~$ sudo microk8s.refresh-certs -i
Backing up certificates under /var/snap/microk8s/1385/var/log/ca-backup/
Creating new certificates
Signature ok
subject=/C=GB/ST=Canonical/L=Canonical/O=Canonical/OU=Canonical/CN=127.0.0.1
Getting CA Private Key
Signature ok
subject=/CN=front-proxy-client
Getting CA Private Key
1
Creating new kubeconfig file
Stopped.
Started.

The CA certificates have been replaced. Kubernetes will restart the pods of your workloads.
Any worker nodes you may have in your cluster need to be removed and re-joined to become aware of the new CA.
Enter fullscreen mode Exit fullscreen mode

Discussion (1)

Collapse
gidraff profile image
Raff

Thank you for sharing @boris .