0

Hi, I am currently working on renewing my certificate on Kubernetes version 1.12.

The certificate expires after a month. Before the certificate expires, we need to renew the certificate and apply it to all systems to make the service work.

Does anyone have any manuals or anything like this? The opinions of experts are also good.

Even if I search with Google, there is only certificate renewal for the latest version, and there is no information on applying the service after certificate renewal related to older versions such as 1.12.

Please help.

Here's how I installed it.

sudo apt-get update && sudo apt-get install -qy docker.io
sudo apt-get update && sudo apt-get install -y apt-transport-https && curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add -
echo "deb http://apt.kubernetes.io/ kubernetes-xenial main" | sudo tee -a /etc/apt/sources.list.d/kubernetes.list && sudo apt-get update
apt-get install kubelet=1.12.3-00 kubeadm=1.12.3-00 kubernetes-cni=0.6.0-00 keepalived haproxy

Here is some additional information. This is version information.

kubeadm version: &version.Info{Major:"1", Minor:"12", GitVersion:"v1.12.3", GitCommit:"435f92c719f279a3a67808c80521ea17d5715c66", GitTreeState:"clean", BuildDate:"2018-11-26T12:54:02Z", GoVersion:"go1.10.4", Compiler:"gc", Platform:"linux/amd64"}

Here is some additional information. This is a command error.

kubeadm certs check-expiration
Error: unknown command "certs" for "kubeadm"
Run 'kubeadm --help' for usage.
error: unknown command "certs" for "kubeadm"
서학용
  • Hi, welcome to S.F. Be aware there is no such thing as "the certificate" -- there is a cluster CA, the ServiceAccount CA, front-proxy, etcd CA, and likely about 5 others, so you'll want to edit your question and be more specific about which one you are trying to fix. You'll also want to include what you have already tried to keep us from going over things you already know do or don't work. Good luck! – mdaniel Jan 27 '21 at 04:16
  • As was mentioned by mdaniel, please provide more information. Also, is it possible for you to use a newer version of Kubernetes? The current version is 1.20 and you could use the detailed docs about [kubeadm certs](https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm-certs/) – PjoterS Jan 27 '21 at 11:56
  • @mdaniel This is the only way we can check the certificate. cd /etc/kubernetes/pki; ls *.crt| while read line ; do a=$(openssl x509 -in $line -noout -dates|grep notA) ; echo $a $line ; done |sort -h notAfter=Jan 19 13:09:44 2031 GMT ca.crt notAfter=Jan 19 13:09:47 2031 GMT front-proxy-ca.crt notAfter=Jan 25 12:35:43 2022 GMT apiserver-etcd-client.crt notAfter=Jan 25 12:35:50 2022 GMT apiserver-kubelet-client.crt notAfter=Jan 25 12:35:52 2022 GMT apiserver.crt notAfter=Jan 25 12:35:53 2022 GMT front-proxy-client.crt – 서학용 Jan 27 '21 at 12:49
  • @PjoterS For us, upgrading is currently difficult in reality. In Kubernetes, the current version is low, so we almost have to reinstall, but with a new setting, the version is low and the target server is more than 100. – 서학용 Feb 02 '21 at 01:39

1 Answer

2

Try running

kubeadm alpha certs check-expiration

Commands that are standardised in later versions might have been released as experimental sub commands in older versions of k8s; hence the "alpha" prefix.

If the above works you can then renew all certs using:

kubeadm alpha certs renew all

In newer versions of k8s, there is a mechanism to set up jobs that run periodically in order to automatically renew certificates. You would have to make do with doing this manually or scriptifying it with your current k8s version.

hisdudeness
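The answer suggests scripting the expiry check by hand on this version. As an added example (not part of the original question or answer), the script below reuses the `openssl x509` approach from the asker's comment to flag certificates in a PKI directory that have expired or will expire within a threshold. It assumes `openssl` and GNU `date` are installed; the function names `scan_pki` and `expiring_certs` are illustrative.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Assumes openssl and GNU date.
# Lines handled here have the shape shown in the comment thread:
#   notAfter=Jan 25 12:35:43 2022 GMT apiserver.crt

# scan_pki DIR: emit "notAfter=<date> <file>" for every *.crt in DIR.
scan_pki() {
  local crt
  for crt in "$1"/*.crt; do
    [ -e "$crt" ] || continue
    printf '%s %s\n' "$(openssl x509 -in "$crt" -noout -enddate)" "${crt##*/}"
  done
}

# expiring_certs THRESHOLD_DAYS [NOW_EPOCH]: read scan_pki-style lines on stdin;
# print "EXPIRED <file>" or "<days>d <file>" for certs inside the threshold.
expiring_certs() {
  local threshold=$1 now=${2:-$(date +%s)}
  local line file when exp
  while IFS= read -r line; do
    case $line in notAfter=*) ;; *) continue ;; esac
    file=${line##* }          # last field is the file name
    when=${line#notAfter=}    # strip the key
    when=${when% *}           # strip the file name, leaving the date
    exp=$(date -u -d "$when" +%s) || continue
    if [ "$exp" -le "$now" ]; then
      echo "EXPIRED $file"
    elif [ $(( (exp - now) / 86400 )) -lt "$threshold" ]; then
      echo "$(( (exp - now) / 86400 ))d $file"
    fi
  done
}

# Constructed sample input: the dates reported in the comment thread.
SAMPLE='notAfter=Jan 19 13:09:44 2031 GMT ca.crt
notAfter=Jan 19 13:09:47 2031 GMT front-proxy-ca.crt
notAfter=Jan 25 12:35:43 2022 GMT apiserver-etcd-client.crt
notAfter=Jan 25 12:35:50 2022 GMT apiserver-kubelet-client.crt
notAfter=Jan 25 12:35:52 2022 GMT apiserver.crt
notAfter=Jan 25 12:35:53 2022 GMT front-proxy-client.crt'

# Usage on a control-plane node: ./check-certs.sh /etc/kubernetes/pki 30
if [ -n "${1:-}" ]; then
  scan_pki "$1" | expiring_certs "${2:-30}"
fi
```

Run from cron on each control-plane node, any output is the signal to renew; the CA certificates are reported by the same check if the threshold is large enough to reach their expiry.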