
Requesting new certificates after the Kubernetes certificates expire

Date: 2023-07-18 11:47:25
Tags: 02 DNS kubernetes certificate expired ca etcd Address k8s

The certificate has expired

[root@k8s-master ~]# kubectl get pods
Unable to connect to the server: x509: certificate has expired or is not yet valid

Check the certificate's validity period (it turns out to have expired already)

[root@k8s-master1 ~]# echo | openssl s_client -showcerts -servername gnupg.org -connect localhost:6443 2>/dev/null | openssl x509 -inform pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 6728265650595807888 (0x5d5f99f61a39c290)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = kubernetes
        Validity
            Not Before: Jun 14 01:10:20 2022 GMT
            Not After : Jun 14 06:55:56 2023 GMT
        Subject: CN = kube-apiserver
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Authority Key Identifier: 
                keyid:67:EF:FB:66:0A:1B:7E:C0:5E:EE:E8:CA:A9:95:A5:57:44:E1:87:6E

            X509v3 Subject Alternative Name: 
                DNS:k8s-etcd, DNS:k8s-etcd2, DNS:k8s-etcd3, DNS:k8s-etcd4, DNS:k8s-lb1, DNS:k8s-lb2, DNS:k8s-master1, DNS:k8s-master2, DNS:k8s-master3, DNS:k8s-node1, DNS:k8s-node3, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, IP Address:10.96.0.1, IP Address:192.168.101.17, IP Address:192.168.101.29, IP Address:192.168.101.18, IP Address:192.168.101.4, IP Address:192.168.101.5, IP Address:192.168.101.8, IP Address:192.168.101.13, IP Address:192.168.101.15, IP Address:192.168.101.19, IP Address:192.168.101.2, IP Address:192.168.101.25, IP Address:192.168.101.21, IP Address:127.0.0.1
    Signature Algorithm: sha256WithRSAEncryption

Renew the certificates

[root@k8s-master1 ~]#  kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[renew] Error reading configuration from the Cluster. Falling back to default configuration

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.

Check the certificate status after renewal

[root@k8s-master1 ~]# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jul 02, 2024 02:48 UTC   364d            ca                      no      
apiserver                  Jul 02, 2024 02:48 UTC   364d            ca                      no      
apiserver-etcd-client      Jul 02, 2024 02:48 UTC   364d            etcd-ca                 no      
apiserver-kubelet-client   Jul 02, 2024 02:48 UTC   364d            ca                      no      
controller-manager.conf    Jul 02, 2024 02:48 UTC   364d            ca                      no      
etcd-healthcheck-client    Jul 02, 2024 02:48 UTC   364d            etcd-ca                 no      
etcd-peer                  Jul 02, 2024 02:48 UTC   364d            etcd-ca                 no      
etcd-server                Jul 02, 2024 02:48 UTC   364d            etcd-ca                 no      
front-proxy-client         Jul 02, 2024 02:48 UTC   364d            front-proxy-ca          no      
scheduler.conf             Jul 02, 2024 02:48 UTC   364d            ca                      no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jun 11, 2032 01:10 UTC   8y              no      
etcd-ca                 Jun 11, 2032 01:10 UTC   8y              no      
front-proxy-ca          Jun 11, 2032 01:10 UTC   8y              no      

Copy the renewed admin kubeconfig into the account's directory

[root@k8s-master1 ~]# cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
cp: overwrite '/root/.kube/config'? y
[root@k8s-master1 ~]# 
[root@k8s-master1 ~]# kubectl get nodes
NAME          STATUS   ROLES           AGE    VERSION
k8s-master1   Ready    control-plane   384d   v1.24.1
k8s-master2   Ready    control-plane   384d   v1.24.1
k8s-master3   Ready    control-plane   383d   v1.24.1
k8s-node1     Ready    <none>          384d   v1.24.1
k8s-node3     Ready    <none>          384d   v1.24.1
k8s-node4     Ready    <none>          383d   v1.24.1
k8s-node6     Ready    <none>          335d   v1.24.3
node2         Ready    <none>          335d   v1.24.3

Repeat the certificate renewal steps on every master node; simply overwrite the existing files.
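As an added check that is not part of the original post: a shell script for the situation walked through above. It reports which kubeadm certificates expire within WARN_DAYS (an assumed default of 30) and, after `kubeadm certs renew all`, confirms that the kube-apiserver on localhost:6443 is presenting the renewed on-disk apiserver.crt rather than the old one, i.e. that the restart the renew output warns about has actually happened. It assumes kubeadm's default /etc/kubernetes/pki layout and the openssl CLI.

```shell
# Added example (not from the original post). Assumes kubeadm's default
# PKI layout under /etc/kubernetes/pki and an API server on localhost:6443;
# WARN_DAYS is an assumed default.
WARN_DAYS="${WARN_DAYS:-30}"

# NotAfter of a PEM certificate file, e.g. "Jun 14 06:55:56 2023 GMT".
cert_not_after() {
  openssl x509 -in "$1" -noout -enddate | cut -d= -f2
}

# Exit 0 only if the certificate in $1 is still valid $2 days from now;
# openssl -checkend exits 1 when the cert would expire inside that window.
cert_ok_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# SHA-256 fingerprint of a PEM certificate, used to compare two certs.
cert_fpr() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Save the certificate actually presented on $1:$2 into file $3.
fetch_served_cert() {
  echo | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null \
    | openssl x509 -outform pem > "$3"
}

# Exit 0 if the cert on disk ($1) is the one being served ($2). After
# `kubeadm certs renew all` they differ until kube-apiserver is restarted,
# which is what the "Done renewing certificates" message warns about.
served_matches_disk() {
  [ "$(cert_fpr "$1")" = "$(cert_fpr "$2")" ]
}

# Report every control-plane cert under $1 and whether the API server on
# $2:$3 has picked up the renewed apiserver.crt.
check_control_plane() {
  for f in "$1"/*.crt "$1"/etcd/*.crt; do
    [ -f "$f" ] || continue
    if cert_ok_for_days "$f" "$WARN_DAYS"; then s=OK; else s=EXPIRING; fi
    printf '%-8s %s  %s\n' "$s" "$(cert_not_after "$f")" "$f"
  done
  served=$(mktemp)
  fetch_served_cert "$2" "$3" "$served"
  if served_matches_disk "$1/apiserver.crt" "$served"; then
    echo "apiserver serves the on-disk certificate"
  else
    echo "WARNING: served cert differs from $1/apiserver.crt; restart kube-apiserver"
  fi
  rm -f "$served"
}
# Usage on a master: check_control_plane /etc/kubernetes/pki localhost 6443
```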

Source: https://www.cnblogs.com/qianli666/p/17562443.html
