When running kubectl, I get the error
Unable to connect to the server: x509: certificate has expired or is not yet valid: current time 2021-10-05T11:59:14-04:00 is after 2021-09-29T19:21:40Z
So clearly it says the cert is expired. Only problem is I'm not sure which cert it is.
I've checked
- HAProxy (Rancher sits behind L7 HAProxy with LE cert)
- Certs in the secrets shown from
sudo k3s kubectl get secrets -n cattle-system - Certs in
/etc/kubernetes/sslon the K8s node
All are fine (not expired), as this particular rancher/k8s instance was brought up in June, so all the certs are only a few months old, and expire either 1 year or 10 years later.
So what cert is expired that needs to be updated?
Some information about my setup:
- Rancher 2.5.9 HA (K3s v1.21.1+k3s1) (single-node, Ubuntu 20.04)
- Kubernetes 1.20.9-rancher1-1 (single-node, Control plane/Worker/etcd, Ubuntu 20.04)
This is a community wiki answer posted for better visibility. Feel free to expand it.
Based on information from comments
Root cause:
One of the root certificates is invalid. This caused the Let's Encrypt certificate to be invalid.
Solution: