Invalid x509 certificate for kubernetes master

One option is to tell kubectl that you don't want the certificate to be validated. Obviously this brings up security issues but I guess you are only testing so here you go:

kubectl --insecure-skip-tls-verify --context=employee-context get pods

The better option is to fix the certificate. Easiest if you reinitialize the cluster by running kubeadm reset on all nodes including the master and then do

kubeadm init --apiserver-cert-extra-sans=114.215.201.87

It's also possible to fix that certificate without wiping everything, but that's a bit more tricky. Execute something like this on the master as root:

rm /etc/kubernetes/pki/apiserver.*
kubeadm init phase certs all --apiserver-advertise-address=0.0.0.0 --apiserver-cert-extra-sans=10.161.233.80,114.215.201.87
docker rm `docker ps -q -f 'name=k8s_kube-apiserver*'`
systemctl restart kubelet

For kubeadm v1.13.3

rm /etc/kubernetes/pki/apiserver.*
kubeadm init phase certs all --apiserver-advertise-address=0.0.0.0 --apiserver-cert-extra-sans=114.215.201.87
docker rm -f `docker ps -q -f 'name=k8s_kube-apiserver*'`
systemctl restart kubelet

This command for new kubernetes >=1.8:

rm /etc/kubernetes/pki/apiserver.*
kubeadm alpha phase certs all --apiserver-advertise-address=0.0.0.0 --apiserver-cert-extra-sans=10.161.233.80,114.215.201.87
docker rm -f `docker ps -q -f 'name=k8s_kube-apiserver*'`
systemctl restart kubelet

Also whould be better to add dns name into --apiserver-cert-extra-sans for avoid issues like this in next time.

Tags:

Kubernetes

Kubeadm

Recent Posts