环境信息:
K3s 版本: v1.27.3+k3s1
节点 CPU 架构、操作系统和版本::
x86_64,CentOS7.6
集群配置:
1server.3agents
问题描述:
k3s证书还有1个月到期,进行了k3s-server和k3s-agent重启,重启后/var/lib/rancher/k3s/server/tls/下证书到期时间为1年后,集群使用正常。但是k3s-server一直提示证书过期
复现步骤:
重启流程:
1.cd /var/lib/rancher/k3s/server/ && mv tls tls_bak
2.kubectl delete secret k3s-serving -n kube-system
3.systemctl restart k3s
预期结果:
实际结果:
/var/lib/rancher/k3s/server/tls/client-admin.crt
notAfter=Jun 14 13:17:22 2026 GMT
/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt
notAfter=Jun 14 13:17:22 2026 GMT
/var/lib/rancher/k3s/server/tls/client-ca.crt
notAfter=Jul 2 12:15:30 2033 GMT
/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt
notAfter=Jul 2 12:15:30 2033 GMT
/var/lib/rancher/k3s/server/tls/client-controller.crt
notAfter=Jun 14 13:17:22 2026 GMT
/var/lib/rancher/k3s/server/tls/client-k3s-cloud-controller.crt
notAfter=Jun 14 13:17:22 2026 GMT
/var/lib/rancher/k3s/server/tls/client-k3s-controller.crt
notAfter=Jun 14 13:17:22 2026 GMT
/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt
notAfter=Jun 14 13:17:22 2026 GMT
/var/lib/rancher/k3s/server/tls/client-kube-proxy.crt
notAfter=Jun 14 13:17:22 2026 GMT
/var/lib/rancher/k3s/server/tls/client-scheduler.crt
notAfter=Jun 14 13:17:22 2026 GMT
/var/lib/rancher/k3s/server/tls/client-supervisor.crt
notAfter=Jun 14 13:17:22 2026 GMT
/var/lib/rancher/k3s/server/tls/request-header-ca.crt
notAfter=Jul 2 12:15:30 2033 GMT
/var/lib/rancher/k3s/server/tls/server-ca.crt
notAfter=Jul 2 12:15:30 2033 GMT
/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt
notAfter=Jul 2 12:15:30 2033 GMT
/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt
notAfter=Jun 14 13:17:22 2026 GMT
附加上下文/日志:
日志
Jun 25 16:12:02 k3s-master k3s[27592]: E0625 16:12:02.500427 27592 authentication.go:70] "Unable to authenticate the request" err="[x509: certificate has expired or is not yet valid: current time 2025-06-25T16:12:02+08:00 is after 2024-07-04T12:15:30Z, verifying certificate SN=3418460883981031841, SKID=, AKID=5E:B9:F3:BD:3A:D2:3A:B4:02:4C:43:0C:1D:0D:5C:40:46:63:D5:E4 failed: x509: certificate has expired or is not yet valid: current time 2025-06-25T16:12:02+08:00 is after 2024-07-04T12:15:30Z]