Environmental Info:
K3s Version:
k3s version v1.34.1+k3s1 (24fc436e)
go version go1.24.6
Node(s) CPU architecture, OS, and Version:
Linux node-1 4.18.0-348.7.1.el8_5.x86_64 #1 SMP Wed Dec 22 13:25:12 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
Cluster Configuration:
1 server
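Describe the bug:
When starting the cluster with k3s server, access to etcd fails with the error x509: certificate signed by unknown authority.
The certificates used are all correct; they are self-signed certificates. With version v1.21.12+k3s1, the cluster starts successfully using the same parameters.
Steps To Reproduce:
- Command used to install K3s: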
[root@node1 certs]# k3s server \
--bind-address=192.168.0.159 \
--datastore-endpoint=https://127.0.0.1:2379 \
--datastore-cafile=/home/data/certs/ca.cert \
--datastore-certfile=/home/data/certs/etcd.cert \
--datastore-keyfile=/home/data/certs/etcd.key \
--node-name=node-1 \
--data-dir=/home/data/k8s \
--token=f4261************be17ac20fa \
--kube-proxy-arg="proxy-mode=ipvs" \
--disable=traefik \
--disable-cloud-controller \
--flannel-backend=vxlan \
--disable=local-storage \
--docker
Expected behavior:
Startup succeeds
Actual behavior:
Startup fails
Additional context / logs:
Log
INFO[0000] Starting k3s v1.34.1+k3s1 (24fc436e)
{"level":"warn","ts":"2025-10-01T22:50:48.169913+0800","logger":"etcd-client","caller":"v3@v3.6.4-k3s3/retry_interceptor.go:65","msg":"retrying of unary invoker failed","target":"etcd-endpoints://0xc0010b94a0/127.0.0.1:2379","method":"/etcdserverpb.KV/Range","attempt":0,"error":"rpc error: code = DeadlineExceeded desc = latest balancer error: connection error: desc = \"transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate signed by unknown authority\""}
ERRO[0010] Failed to validate datastore connection: context deadline exceeded
FATA[0010] Error: preparing server: failed to bootstrap cluster data: context deadline exceeded
When I specify the same certificate with curl, access succeeds.
Log
[root@node1 certs]# curl --cacert /home/data/certs/etcd.cert https://127.0.0.1:2379
404 page not found
[root@node1 certs]# curl https://127.0.0.1:2379
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
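
The two commands above pass different files as the trust anchor: k3s is given `ca.cert` through `--datastore-cafile`, while curl is given `etcd.cert` through `--cacert`. As an added example (not part of the original report and not k3s code), the Go program below uses constructed throwaway certificates to show how Go's x509 verifier treats a self-signed server certificate under each trust anchor. It assumes the server certificate was not issued by the CA file, and it checks only the chain, not the hostname.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSigned builds a constructed, throwaway self-signed certificate (sample data only).
func selfSigned(cn string, isCA bool) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

// verifyWithRoot verifies leaf with root as the only trusted certificate (chain check only).
func verifyWithRoot(leaf, root *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool})
	return err
}

// isUnknownAuthority reports whether err is the x509 error type seen in the k3s log.
func isUnknownAuthority(err error) bool { return errors.As(err, new(x509.UnknownAuthorityError)) }

func main() {
	ca, etcd := selfSigned("constructed-ca", true), selfSigned("constructed-etcd", false)
	fmt.Println("trust anchor = CA file (as k3s is given): ", verifyWithRoot(etcd, ca))
	fmt.Println("trust anchor = server cert (as curl is given):", verifyWithRoot(etcd, etcd))
}
```

On the real files, `openssl verify -CAfile /home/data/certs/ca.cert /home/data/certs/etcd.cert` performs the same chain check against the CA file that k3s is pointed at.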