Problem description:

[root@master .kube]# kubectl get nodes
The connection to the server 192.168.122.2:6443 was refused - did you specify the right host or port?
[root@master ~]# docker ps  |head -1 ; docker ps |grep api
CONTAINER ID   IMAGE                                                           COMMAND                  CREATED          STATUS          PORTS     NAMES
9425402ec49a   838d692cbe28                                                    "kube-apiserver --ad…"   16 seconds ago   Up 16 seconds             k8s_kube-apiserver_kube-apiserver-master_kube-system_29f37e829364bd5dd2a022f9cde4d40e_139
9c00a266f9b2   registry.cn-hangzhou.aliyuncs.com/google_containers/pause:3.5   "/pause"                 5 minutes ago    Up 5 minutes              k8s_POD_kube-apiserver-master_kube-system_29f37e829364bd5dd2a022f9cde4d40e_37
[root@master ~]#
[root@master ~]# docker logs 9425402ec49a
I0925 17:40:21.641822       1 server.go:553] external host was not specified, using 192.168.122.2
I0925 17:40:21.642866       1 server.go:161] Version: v1.22.0
I0925 17:40:22.208542       1 shared_informer.go:240] Waiting for caches to sync for node_authorizer
I0925 17:40:22.210936       1 plugins.go:158] Loaded 12 mutating admission controller(s) successfully in the following order: NamespaceLifecycle,LimitRanger,ServiceAccount,NodeRestriction,TaintNodesByCondition,Priority,DefaultTolerationSeconds,DefaultStorageClass,StorageObjectInUseProtection,RuntimeClass,DefaultIngressClass,MutatingAdmissionWebhook.
I0925 17:40:22.211062       1 plugins.go:161] Loaded 11 validating admission controller(s) successfully in the following order: LimitRanger,ServiceAccount,PodSecurity,Priority,PersistentVolumeClaimResize,RuntimeClass,CertificateApproval,CertificateSigning,CertificateSubjectRestriction,ValidatingAdmissionWebhook,ResourceQuota.
I0925 17:40:22.213863       1 plugins.go:158] Loaded 12 mutating admission controller(s) successfully in the following order: NamespaceLifecycle,LimitRanger,ServiceAccount,NodeRestriction,TaintNodesByCondition,Priority,DefaultTolerationSeconds,DefaultStorageClass,StorageObjectInUseProtection,RuntimeClass,DefaultIngressClass,MutatingAdmissionWebhook.
I0925 17:40:22.213897       1 plugins.go:161] Loaded 11 validating admission controller(s) successfully in the following order: LimitRanger,ServiceAccount,PodSecurity,Priority,PersistentVolumeClaimResize,RuntimeClass,CertificateApproval,CertificateSigning,CertificateSubjectRestriction,ValidatingAdmissionWebhook,ResourceQuota.
W0925 17:40:22.225185       1 clientconn.go:1326] [core] grpc: addrConn.createTransport failed to connect to {127.0.0.1:2379 127.0.0.1 <nil> 0 <nil>}. Err: connection error: desc = "transport: authentication handshake failed: x509: certificate has expired or is not yet valid: current time 2022-09-25T17:40:22Z is after 2022-08-14T04:09:37Z". Reconnecting...
W0925 17:40:23.205264       1 clientconn.go:1326] [core] grpc: addrConn.createTransport failed to connect to {127.0.0.1:2379 127.0.0.1 <nil> 0 <nil>}. Err: connection error: desc = "transport: authentication handshake failed: x509: certificate has expired or is not yet valid: current time 2022-09-25T17:40:23Z is after 2022-08-14T04:09:37Z". Reconnecting...
W0925 17:40:23.230706       1 clientconn.go:1326] [core] grpc: addrConn.createTransport failed to connect to {127.0.0.1:2379 127.0.0.1 <nil> 0 <nil>}. Err: connection error: desc = "transport: authentication handshake failed: x509: certificate has expired or is not yet valid: current time 2022-09-25T17:40:23Z is after 2022-08-14T04:09:37Z". Reconnecting...
W0925 17:40:24.211317       1 clientconn.go:1326] [core] grpc: addrConn.createTransport failed to connect to {127.0.0.1:2379 127.0.0.1 <nil> 0 <nil>}. Err: connection error: desc = "transport: authentication handshake failed: x509: certificate has expired or is not yet valid: current time 2022-09-25T17:40:24Z is after 2022-08-14T04:09:37Z". Reconnecting...
W0925 17:40:24.706423       1 clientconn.go:1326] [core] grpc: addrConn.createTransport failed to connect to {127.0.0.1:2379 127.0.0.1 <nil> 0 <nil>}. Err: connection error: desc = "transport: authentication handshake failed: x509: certificate has expired or is not yet valid: current time 2022-09-25T17:40:24Z is after 2022-08-14T04:09:37Z". Reconnecting...
W0925 17:40:25.543315       1 clientconn.go:1326] [core] grpc: addrConn.createTransport failed to connect to {127.0.0.1:2379 127.0.0.1 <nil> 0 <nil>}. Err: connection error: desc = "transport: authentication handshake failed: x509: certificate has expired or is not yet valid: current time 2022-09-25T17:40:25Z is after 2022-08-14T04:09:37Z". Reconnecting...
W0925 17:40:27.504461       1 clientconn.go:1326] [core] grpc: addrConn.createTransport failed to connect to {127.0.0.1:2379 127.0.0.1 <nil> 0 <nil>}. Err: connection error: desc = "transport: authentication handshake failed: x509: certificate has expired or is not yet valid: current time 2022-09-25T17:40:27Z is after 2022-08-14T04:09:37Z". Reconnecting...
W0925 17:40:27.615949       1 clientconn.go:1326] [core] grpc: addrConn.createTransport failed to connect to {127.0.0.1:2379 127.0.0.1 <nil> 0 <nil>}. Err: connection error: desc = "transport: authentication handshake failed: x509: certificate has expired or is not yet valid: current time 2022-09-25T17:40:27Z is after 2022-08-14T04:09:37Z". Reconnecting...
W0925 17:40:31.099569       1 clientconn.go:1326] [core] grpc: addrConn.createTransport failed to connect to {127.0.0.1:2379 127.0.0.1 <nil> 0 <nil>}. Err: connection error: desc = "transport: authentication handshake failed: x509: certificate has expired or is not yet valid: current time 2022-09-25T17:40:31Z is after 2022-08-14T04:09:37Z". Reconnecting...
W0925 17:40:32.038615       1 clientconn.go:1326] [core] grpc: addrConn.createTransport failed to connect to {127.0.0.1:2379 127.0.0.1 <nil> 0 <nil>}. Err: connection error: desc = "transport: authentication handshake failed: x509: certificate has expired or is not yet valid: current time 2022-09-25T17:40:32Z is after 2022-08-14T04:09:37Z". Reconnecting...
W0925 17:40:36.806572       1 clientconn.go:1326] [core] grpc: addrConn.createTransport failed to connect to {127.0.0.1:2379 127.0.0.1 <nil> 0 <nil>}. Err: connection error: desc = "transport: authentication handshake failed: x509: certificate has expired or is not yet valid: current time 2022-09-25T17:40:36Z is after 2022-08-14T04:09:37Z". Reconnecting...
W0925 17:40:37.627922       1 clientconn.go:1326] [core] grpc: addrConn.createTransport failed to connect to {127.0.0.1:2379 127.0.0.1 <nil> 0 <nil>}. Err: connection error: desc = "transport: authentication handshake failed: x509: certificate has expired or is not yet valid: current time 2022-09-25T17:40:37Z is after 2022-08-14T04:09:37Z". Reconnecting...
Error: context deadline exceeded

Solution:

If you are on K8s 1.17.9 or above, the following worked:

kubeadm alpha certs check-expiration; kubeadm alpha certs renew all

Recent versions no longer require the "alpha" tag. For these, just use this:

kubeadm certs check-expiration; kubeadm certs renew all

[root@master ~]# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Aug 14, 2022 04:09 UTC   <invalid>                               no
apiserver                  Aug 14, 2022 04:09 UTC   <invalid>       ca                      no
apiserver-etcd-client      Aug 14, 2022 04:09 UTC   <invalid>       etcd-ca                 no
apiserver-kubelet-client   Aug 14, 2022 04:09 UTC   <invalid>       ca                      no
controller-manager.conf    Aug 14, 2022 04:09 UTC   <invalid>                               no
etcd-healthcheck-client    Aug 14, 2022 04:09 UTC   <invalid>       etcd-ca                 no
etcd-peer                  Aug 14, 2022 04:09 UTC   <invalid>       etcd-ca                 no
etcd-server                Aug 14, 2022 04:09 UTC   <invalid>       etcd-ca                 no
front-proxy-client         Aug 14, 2022 04:09 UTC   <invalid>       front-proxy-ca          no
scheduler.conf             Aug 14, 2022 04:09 UTC   <invalid>                               no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Aug 12, 2031 04:09 UTC   8y              no
etcd-ca                 Aug 12, 2031 04:09 UTC   8y              no
front-proxy-ca          Aug 12, 2031 04:09 UTC   8y              no
[root@master ~]# kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[renew] Error reading configuration from the Cluster. Falling back to default configuration

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.
[root@master ~]#

Then copy /etc/kubernetes/admin.conf to your ~/.kube/config:

[root@master ~]# cp /etc/kubernetes/admin.conf ~/.kube/config
cp: overwrite ‘/root/.kube/config’? y
[root@master ~]#

For the cluster to actually reload the keys, after you receive the following message:

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.

reload the relevant services with:

[root@master ~]# kubectl -n kube-system delete pod -l 'component=kube-apiserver'
pod "kube-apiserver-master" deleted
[root@master ~]# kubectl -n kube-system delete pod -l 'component=kube-controller-manager'
pod "kube-controller-manager-master" deleted
[root@master ~]# kubectl -n kube-system delete pod -l 'component=kube-scheduler'
pod "kube-scheduler-master" deleted
[root@master ~]# kubectl -n kube-system delete pod -l 'component=etcd'
pod "etcd-master" deleted
[root@master ~]#

Issue resolved:

[root@master ~]# kubectl get nodes
NAME     STATUS   ROLES                  AGE    VERSION
master   Ready    control-plane,master   420d   v1.22.0
node1    Ready    <none>                 412d   v1.22.0
node2    Ready    <none>                 412d   v1.22.0
[root@master ~]#
[root@master ~]# kubectl get pods --all-namespaces
NAMESPACE              NAME                                                              READY   STATUS             RESTARTS          AGE
default                nfs-client-provisioner-6cf7cdc4fd-98sqw                           1/1     Running            1 (60d ago)       76d
default                postgressqldb-78fbf89b68-bq8tp                                    0/1     ImagePullBackOff   199 (63d ago)     76d
default                sklmapp-875588558-g9lmj                                           0/1     CrashLoopBackOff   193 (9m17s ago)   76d
ibm-common-services    ibm-licensing-operator-85554b699d-t67c2                           1/1     Running            1 (60d ago)       72d
ibm-common-services    ibm-licensing-service-instance-6c56c44d78-d296g                   1/1     Running            1 (60d ago)       72d
kube-system            calico-kube-controllers-58497c65d5-xhfsf                          1/1     Running            396 (60d ago)     407d
kube-system            calico-node-cwqv4                                                 1/1     Running            52 (60d ago)      407d
kube-system            calico-node-fngr6                                                 1/1     Running            49 (60d ago)      400d
kube-system            calico-node-tv2zq                                                 1/1     Running            59 (60d ago)      400d
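
To catch this before the API server goes down, the check-expiration table shown above can be scanned on a schedule. The script below is an added example, not part of the original post. The function names, the 30-day threshold and the sample rows (including the 10d row) are constructed for illustration, and it assumes the RESIDUAL TIME column uses the <invalid>, Ny, Nd and Nh/Nm/Ns forms.

```shell
#!/bin/sh
# Added example: flag certificates in `kubeadm certs check-expiration` output
# that are already expired or will expire within a threshold given in days.

# Constructed sample, abridged from the table format shown on this page,
# with one hypothetical near-expiry row (10d) added for illustration.
sample_output() {
cat <<'EOF'
[check-expiration] Reading configuration from the cluster...

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Aug 14, 2022 04:09 UTC   <invalid>                               no
apiserver-etcd-client      Aug 14, 2022 04:09 UTC   <invalid>       etcd-ca                 no
front-proxy-client         Oct 05, 2022 04:09 UTC   10d             front-proxy-ca          no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Aug 12, 2031 04:09 UTC   8y              no
EOF
}

# flag_expiring DAYS
# Reads the table on stdin and prints "<name> <status>" for every certificate
# that is expired, has fewer than DAYS days left, or cannot be parsed.
# Exit status is 1 when anything was flagged, so it can drive an alert.
flag_expiring() {
  awk -v limit="$1" '
    $6 != "UTC" { next }              # skip log lines, headers and blanks
    {
      r = $7                          # RESIDUAL TIME column
      n = r; sub(/[a-z]$/, "", n)     # numeric part without the unit
      if (r == "<invalid>")           { print $1, "EXPIRED"; bad = 1; next }
      else if (r ~ /^[0-9]+y$/)       { days = n * 365 }
      else if (r ~ /^[0-9]+d$/)       { days = n + 0 }
      else if (r ~ /^[0-9]+[hms]$/)   { days = 0 }
      else                            { print $1, "UNPARSED"; bad = 1; next }
      if (days < limit)               { print $1, "expires-in-" r; bad = 1 }
    }
    END { exit bad + 0 }
  '
}

# Demo on the constructed sample; on a control-plane node use instead:
#   kubeadm certs check-expiration | flag_expiring 30
sample_output | flag_expiring 30 || true
```

Rows with an unrecognised residual time are reported as UNPARSED and also set the non-zero exit status, so a change in the table format raises an alert instead of passing silently.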
