Cluster information:
Kubernetes version: 1.18
Cloud being used: (put bare-metal if not on a public cloud) Bare metal
Installation method: kubeadm
Host OS: OEL 7.8
CNI and version:
CRI and version:
Hi All,
I am trying to renew the certificate for the control plane component except ETCD. I have followed the below steps for the renewal of multi master HA, however i am getting the error below error due to unknown CA. Is Cert’s generated via Kubeadm not signed by a valid CA or am i missed any steps. I am able to do kubectl get nodes and status of my HA master is in read state
. I have copied ca.crt,ca.key,sa.pub & sa.key from primary master to the secondary masters. Any clue what could be wrong and it would be great help if you could correct me
Details
Master-1 API Server : 10.218.30.178 : 6444
Master-2 API Server : 10.218.30.181 : 6444
Master-3 API Server : 10.218.30.182 : 6444
VIP(Nginx+Keepalived) : 10.218.31.13 6443
Error from the Primary Master-1 API server : 10.218.30.178:6444
Unable to authenticate the request due to an error: [x509: certificate signed by unknown authority, x509: certificate signed by unknown authority (possibly because of “crypto/rsa: verification error” while trying to verify candidate authority certificate “kubernetes”)]
I0711 10:22:33.405501 1 log.go:181] http: TLS handshake error from 10.218.30.178:49562: remote error: tls: bad certificate
echo | openssl s_client -showcerts -connect 10.218.31.13:6443 2>/dev/null | openssl x509 -noout -enddate
notAfter=Jul 10 06:23:07 2024 GMT
Steps executed on Primary Master-1 API server
kubeadm init phase certs all --apiserver-advertise-address 10.218.30.178 --apiserver-cert-extra-sans 10.218.31.13 --control-plane-endpoint 10.218.31.13
kubeadm init phase kubeconfig all --apiserver-advertise-address 10.218.30.178 --apiserver-bind-port 6443 --control-plane-endpoint 10.218.31.13
cp -f /etc/kubernetes/admin.conf ~/.kube/config
kubeadm init phase bootstrap-token
systemctl stop kubelet
rm -rf /var/lib/kubelet/pki/ /etc/kubernetes/kubelet.conf
kubeadm init phase kubeconfig kubelet --control-plane-endpoint 10.218.31.13
kubeadm init phase kubelet-start
systemctl start kubelet
Error from the Primary Master-2 API server : 10.218.30.181:6444
I0711 11:36:31.507028 1 log.go:181] http: TLS handshake error from 10.218.30.181:14588: remote error: tls: bad certificate
Steps executed on Primary Master-2 API server
cd /etc/kubernetes/pki
rm -rf *.crt *.key *.pub
cd /etc/kubernetes
rm -rf *.conf
kubeadm init phase certs all --apiserver-advertise-address 10.218.30.181 --apiserver-cert-extra-sans 10.218.31.13 --control-plane-endpoint 10.218.31.13
cp ca.crt ca.key sa.pub sa.key /etc/kubernetes/pki [Where ca.key and ca.crt is from the primary master 1]
kubeadm init phase kubeconfig all --apiserver-advertise-address 10.218.30.181 --apiserver-bind-port 6443 --control-plane-endpoint 10.218.31.13
kubeadm init phase bootstrap-token
systemctl stop kubelet
rm -rf /var/lib/kubelet/pki/ /etc/kubernetes/kubelet.conf
kubeadm init phase kubeconfig kubelet --control-plane-endpoint 10.218.31.13
kubeadm init phase kubelet-start
systemctl start kubelet
2b6752e94f953d1712b0ddf9550d279ce416b7f647b6032aa2f4c8365f9ca47c
kubeadm join 10.218.31.13:6443 --token f9wgl7.m1mwqe221gh2bgb7 --discovery-token-ca-cert-hash sha256:81350dac320eb96141e8b7559642009db225811b7aa6864ec14d62fbbb354c99 --control-plane --certificate-key 2b6752e94f953d1712b0ddf9550d279ce416b7f647b6032aa2f4c8365f9ca47c
kubeadm join 10.218.31.13:6443 --token u5jks5.9baayndz6yg2oj00 --discovery-token-ca-cert-hash sha256:81350dac320eb96141e8b7559642009db225811b7aa6864ec14d62fbbb354c99 --control-plane --certificate-key 504c39be7763400b24e11f45d3295c75508713c973e8e5eb0b3949eb81637bc0