Rancher证书到期过期

wangyunan · 2025 年7 月 15 日 10:55

rancher版本：v2.5.15
k8s版本：v1.20.15

有个rancher证书问题，openssl x509 -in /etc/kubernetes/ssl/kube-apiserver.pem -noout -dates 这条命令是检查证书过期时间的，请问是以哪个稳准呢？网上有的进入rancher容器内查看, /var/lib/rancher/k3s/server/tls, 有的又是查看宿主机下的 /etc/kubernetes/ssl/, 那么应该参照哪个？在容器外和容器里面查出来的证书到期时间不一样
容器内：
root@54665a9e3532:/var/lib/rancher/k3s/server/tls# for i in $(ls /var/lib/rancher/k3s/server/tls/*.crt); do echo $i; openssl x509 -enddate -noout -in $i; done
/var/lib/rancher/k3s/server/tls/client-admin.crt
notAfter=Dec 20 07:14:31 2025 GMT
/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt
notAfter=Dec 20 07:14:31 2025 GMT
/var/lib/rancher/k3s/server/tls/client-ca.crt
notAfter=Dec 18 07:14:31 2034 GMT
/var/lib/rancher/k3s/server/tls/client-cloud-controller.crt
notAfter=Dec 20 07:14:31 2025 GMT
/var/lib/rancher/k3s/server/tls/client-controller.crt
notAfter=Dec 20 07:14:31 2025 GMT
/var/lib/rancher/k3s/server/tls/client-k3s-controller.crt
notAfter=Dec 20 07:14:31 2025 GMT
/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt
notAfter=Dec 20 07:14:31 2025 GMT
/var/lib/rancher/k3s/server/tls/client-kube-proxy.crt
notAfter=Dec 20 07:14:31 2025 GMT
/var/lib/rancher/k3s/server/tls/client-scheduler.crt
notAfter=Dec 20 07:14:31 2025 GMT
/var/lib/rancher/k3s/server/tls/request-header-ca.crt
notAfter=Dec 18 07:14:31 2034 GMT
/var/lib/rancher/k3s/server/tls/server-ca.crt
notAfter=Dec 18 07:14:31 2034 GMT
/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt
notAfter=Apr 28 07:34:22 2026 GMT

容器外：
[root@openeuler-test ssl]# for i in $(ls *.pem | grep -v key); do echo $i; openssl x509 -enddate -noout -in $i; done
kube-apiserver.pem
notAfter=Dec 18 07:37:50 2034 GMT
kube-apiserver-proxy-client.pem
notAfter=Dec 18 07:37:15 2034 GMT
kube-apiserver-requestheader-ca.pem
notAfter=Dec 18 07:37:13 2034 GMT
kube-ca.pem
notAfter=Dec 18 07:37:13 2034 GMT
kube-controller-manager.pem
notAfter=Dec 18 07:37:14 2034 GMT
kube-etcd-192-167-5-250.pem
notAfter=Dec 18 07:37:50 2034 GMT
kube-node.pem
notAfter=Dec 18 07:37:14 2034 GMT
kube-proxy.pem
notAfter=Dec 18 07:37:14 2034 GMT
kube-scheduler.pem
notAfter=Dec 18 07:37:14 2034 GMT
kube-service-account-token.pem
notAfter=Dec 18 07:37:14 2034 GMT

此外，我看官网说的2.2.x以上版本会自动更新证书，但我的有些集群碰到了证书过期问题，那一次不是全部过期，在创建pod的时候无法创建，提示证书到期，然后手动在ui页面上更新解决的