更新k3s证书后集群使用正常，k3s服务一直提示证书过期

xueting · 2025 年6 月 25 日 09:16

环境信息:
K3s 版本: v1.27.3+k3s1

节点 CPU 架构、操作系统和版本：:
x86_64，CentOS7.6

集群配置:

1server.3agents

问题描述:

k3s证书还有1个月到期，进行了k3s-server和k3s-agent重启，重启后/var/lib/rancher/k3s/server/tls/下证书到期时间为1年后，集群使用正常。但是k3s-server一直提示证书过期

复现步骤:

重启流程：
1.cd /var/lib/rancher/k3s/server/ && mv tls tls_bak
2.kubectl delete secret k3s-serving -n kube-system
3.systemctl restart k3s

预期结果:

实际结果:
/var/lib/rancher/k3s/server/tls/client-admin.crt
notAfter=Jun 14 13:17:22 2026 GMT
/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt
notAfter=Jun 14 13:17:22 2026 GMT
/var/lib/rancher/k3s/server/tls/client-ca.crt
notAfter=Jul 2 12:15:30 2033 GMT
/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt
notAfter=Jul 2 12:15:30 2033 GMT
/var/lib/rancher/k3s/server/tls/client-controller.crt
notAfter=Jun 14 13:17:22 2026 GMT
/var/lib/rancher/k3s/server/tls/client-k3s-cloud-controller.crt
notAfter=Jun 14 13:17:22 2026 GMT
/var/lib/rancher/k3s/server/tls/client-k3s-controller.crt
notAfter=Jun 14 13:17:22 2026 GMT
/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt
notAfter=Jun 14 13:17:22 2026 GMT
/var/lib/rancher/k3s/server/tls/client-kube-proxy.crt
notAfter=Jun 14 13:17:22 2026 GMT
/var/lib/rancher/k3s/server/tls/client-scheduler.crt
notAfter=Jun 14 13:17:22 2026 GMT
/var/lib/rancher/k3s/server/tls/client-supervisor.crt
notAfter=Jun 14 13:17:22 2026 GMT
/var/lib/rancher/k3s/server/tls/request-header-ca.crt
notAfter=Jul 2 12:15:30 2033 GMT
/var/lib/rancher/k3s/server/tls/server-ca.crt
notAfter=Jul 2 12:15:30 2033 GMT
/var/lib/rancher/k3s/server/tls/server-ca.nochain.crt
notAfter=Jul 2 12:15:30 2033 GMT
/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt
notAfter=Jun 14 13:17:22 2026 GMT

附加上下文/日志:

日志

Jun 25 16:12:02 k3s-master k3s[27592]: E0625 16:12:02.500427   27592 authentication.go:70] "Unable to authenticate the request" err="[x509: certificate has expired or is not yet valid: current time 2025-06-25T16:12:02+08:00 is after 2024-07-04T12:15:30Z, verifying certificate SN=3418460883981031841, SKID=, AKID=5E:B9:F3:BD:3A:D2:3A:B4:02:4C:43:0C:1D:0D:5C:40:46:63:D5:E4 failed: x509: certificate has expired or is not yet valid: current time 2025-06-25T16:12:02+08:00 is after 2024-07-04T12:15:30Z]

ksd · 2025 年6 月 26 日 07:26

你这种证书更新的方式不对吧，你为什么要把 tls 目录给 mv 了呢？这样 CA 证书也许就会变了

xueting · 2025 年6 月 27 日 07:18

CA证书没有变，还是之前的时间

xueting · 2025 年6 月 27 日 07:23

大佬这个证书过期报错，是某个证书没更新嘛，查看agent上的证书，过期时间都是正常的，/var/lib/rancher/k3s/agent/client-ca.crt
notAfter=Jul 2 12:15:30 2033 GMT
/var/lib/rancher/k3s/agent/client-k3s-controller.crt
notAfter=Jun 14 13:17:22 2026 GMT
/var/lib/rancher/k3s/agent/client-kubelet.crt
notAfter=Jun 14 13:20:11 2026 GMT
/var/lib/rancher/k3s/agent/client-kube-proxy.crt
notAfter=Jun 14 13:17:22 2026 GMT
/var/lib/rancher/k3s/agent/server-ca.crt
notAfter=Jul 2 12:15:30 2033 GMT
/var/lib/rancher/k3s/agent/serving-kubelet.crt
notAfter=Jun 14 13:20:11 2026 GMT