
needed hint to resolve etcd cert issue on two etcd server pods

I have 2(3) etcd server pods, and these are reporting, for the 3rd pod, that the x.509 cert is valid for etc.test1.com and not for etc.test2.com.

So my assumption is that the issue is that etcd server pods 2 & 3 are somehow expecting the old cert DNS name and not the new cert DNS name value, which is etc.test2.com.

This is causing the 3rd pod to never get accepted as a valid peer, and the pod never gets scheduled on a node.

Any hint on how I can reset the two pods that are expecting the old cert and make them start expecting the new cert?

Below is the error from the etcd server pods that are running.

rafthttp: health check for peer 44ffe8e24fa23c10 could not connect: x509: certificate is valid for etcd-a.internal.test1.com, etcd-b.internal.test1.com, etcd-c.internal.test1.com, etcd-events-a.internal.test1.com, etcd-events-b.internal.test1.com, etcd-events-c.internal.test1.com, localhost, not etcd-b.internal.test2.com

Also, will the cluster work on a single etcd server pod, or does it need to have 3?

  • Have you created the cluster manually, or are you running on a ready cluster provided by the cloud provider? – Investigator Mar 23 '19 at 23:17
  • Connect to one controller node and issue the following command: sudo ETCDCTL_API=3 etcdctl member list --endpoints=https://127.0.0.1:2379 --cacert=/etc/etcd/ca.pem --cert=/etc/etcd/kubernetes.pem --key=/etc/etcd/kubernetes-key.pem – Investigator Mar 23 '19 at 23:19
  • I created it using the kops tool, and the issue was that the DNS records were somehow wrongly updated to the wrong IP addresses. So I switched them to the right ones, and then the etcds started talking to the right peers and no TLS cert issue was observed. I also had to start the etcd pod using docker run. So this solved my issue; we can close the question. –  Apr 16 '19 at 16:20
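The log line in the question is Go's crypto/x509 hostname check rejecting the peer certificate: rafthttp dials the peer by DNS name, and that name is not in the cert's SAN list. As an added illustration (not code from the question, the comments, or etcd itself), this standalone Go program builds a throwaway self-signed cert carrying the test1.com SANs from the log and checks which peer names it covers, producing the same mismatch text; the key, cert and SAN list are all constructed here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// Constructed SAN list mirroring the test1.com names from the log line.
var oldPeerSANs = []string{"etcd-a.internal.test1.com", "etcd-b.internal.test1.com",
	"etcd-c.internal.test1.com", "localhost"}

// selfSignedPeerCert builds a throwaway self-signed cert with the given SANs.
func selfSignedPeerCert(dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     dnsNames,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// PeerNameCovered checks whether the cert's SANs cover the hostname rafthttp
// dials; a non-nil error is the same x509 hostname mismatch text etcd logs.
func PeerNameCovered(cert *x509.Certificate, peerHost string) error {
	return cert.VerifyHostname(peerHost)
}

func main() {
	cert, err := selfSignedPeerCert(oldPeerSANs)
	if err != nil {
		panic(err)
	}
	for _, h := range []string{"etcd-b.internal.test1.com", "etcd-b.internal.test2.com"} {
		fmt.Printf("%s: %v\n", h, PeerNameCovered(cert, h)) // test2 name reports the mismatch
	}
}
```

Running the same check against the cert each member actually presents on its peer port (and against the name the peer URL resolves to) tells you whether the cert, the peer URLs, or the DNS records are the part that is stale.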

0 Answers