Renewing certs including CA after expiration causes Unauthorized

I’m running kubernetes 1.16.9 with a single master and multiple workers.

Certificates expired and now I attempted to renew certs.
Simply running on master:

kubeadm alpha certs renew all

didn’t do anything, ca was already expired (my bad, non default 10 years validity).

So I deleted all pki and conf files inside /etc/kubernetes/pki.

Then I ran:

kubeadm init phase certs all
kubeadm init phase kubeconfig all

This worked and I can do use kubectl, but all nodes show “Unauthorized” on all requests on systemctl status kubelet

I thought this was related to tokens, so I deleted all “default” serviceaccounts in all namespaces so the tokens would be created again.

Current state of the cluster: all nodes on “NotReady” and all queries to the kube api return Unauthorized.

How can I get rid of this? Any fast workarounds? wasn’t kubeadm init supposed to take care of updating new configs?

I can’t afford to run kubeadm reset, I want to fix my cluster without having to resort to that.