启动集群时，访问etcd报错 x509: certificate signed by unknown authority

peng666 · 2025 年10 月 1 日 16:08

环境信息:
K3s 版本:
k3s version v1.34.1+k3s1 (24fc436e)
go version go1.24.6

节点 CPU 架构、操作系统和版本：:
Linux node-1 4.18.0-348.7.1.el8_5.x86_64 #1 SMP Wed Dec 22 13:25:12 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

集群配置:
1 server

问题描述:
使用k3s server启动集群时，访问etcd报错 x509: certificate signed by unknown authority。
使用的证书都是正确的，是自签证书。在使用v1.21.12+k3s1版本时，使用相同的参数是能启动的。

复现步骤:

安装 K3s 的命令:

[root@node1 certs]# k3s server \
          --bind-address=192.168.0.159 \
          --datastore-endpoint=https://127.0.0.1:2379 \
          --datastore-cafile=/home/data/certs/ca.cert \
          --datastore-certfile=/home/data/certs/etcd.cert \
          --datastore-keyfile=/home/data/certs/etcd.key \
          --node-name=node-1 \
          --data-dir=/home/data/k8s \
          --token=f4261************be17ac20fa \
          --kube-proxy-arg="proxy-mode=ipvs" \
          --disable=traefik \
          --disable-cloud-controller \
          --flannel-backend=vxlan \
          --disable=local-storage \
          --docker

预期结果:
启动成功

实际结果:
启动失败

附加上下文/日志:

日志

INFO[0000] Starting k3s v1.34.1+k3s1 (24fc436e)
{"level":"warn","ts":"2025-10-01T22:50:48.169913+0800","logger":"etcd-client","caller":"v3@v3.6.4-k3s3/retry_interceptor.go:65","msg":"retrying of unary invoker failed","target":"etcd-endpoints://0xc0010b94a0/127.0.0.1:2379","method":"/etcdserverpb.KV/Range","attempt":0,"error":"rpc error: code = DeadlineExceeded desc = latest balancer error: connection error: desc = \"transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate signed by unknown authority\""}
ERRO[0010] Failed to validate datastore connection: context deadline exceeded
FATA[0010] Error: preparing server: failed to bootstrap cluster data: context deadline exceeded

当我用curl指定相同证书时，是可以访问成功的。

日志

[root@node1 certs]# curl --cacert /home/data/certs/etcd.cert https://127.0.0.1:2379
404 page not found

[root@node1 certs]# curl https://127.0.0.1:2379
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

peng666 · 2025 年10 月 2 日 15:51

我尝试将datastore-cafile的值设置成与datastore-certfile一样的值，k3s server可以启动了。
但不确定是什么原因。

[root@node1 certs]# k3s server \
          --bind-address=192.168.0.159 \
          --datastore-endpoint=https://127.0.0.1:2379 \
          --datastore-cafile=/home/data/certs/etcd.cert \
          --datastore-certfile=/home/data/certs/etcd.cert \
          --datastore-keyfile=/home/data/certs/etcd.key \
          --node-name=node-1 \
          --data-dir=/home/data/k8s \
          --token=f4261************be17ac20fa \
          --kube-proxy-arg="proxy-mode=ipvs" \
          --disable=traefik \
          --disable-cloud-controller \
          --flannel-backend=vxlan \
          --disable=local-storage \
          --docker