Recover K3s Certificates

Before you begin

Verify that the K3s certificates are expired by running any k3s kubectl CLI command. The following output shows that the K3s certificates are expired:

$ k3s kubectl get pods -n efa
Unable to connect to the server: x509: certificate has expired or is not yet valid: current time 2023-09-25T14:01:08+05:30 is after 2023-05-19T15:35:05Z

About this task

This procedure describes how to recover the expired K3s certificates.

Procedure

  1. Restart the K3s service.
    $ sudo systemctl restart k3s
    Note

    In an HA deployment, restart the service only on the active node. Do not start the service on the standby node.
  2. Run the k3s kubectl get pods -n efa command to verify that all pods are in a running state.
    $ k3s kubectl get pods -n efa
  3. Run the curl -v -k command to verify that the K3s service has updated certificates.
    $ curl -v -k https://<vip>:6443
    Note

    • From EFA 2.7.0, K3s is not deployed in cluster mode. Ensure that you copy the certificates to the peer nodes.
    • In an HA deployment, copy the generated certificates to the standby server.
  4. Run the following command to change to the root user.
    $ sudo su 
    Change to the EFA directory: /apps/efa/ for a TPVM deployment, or /opt/efa/ for a server deployment.
    $ cd /apps/efa
    
    $ export EFA_LOG_TO_STDOUT=1
    $ source common.sh; initialize_deployment_global_env
    $ copy_k3s_certs_to_peer
  5. Run the following command on both nodes to verify that the K3s certificates are no longer expired.
    ~# for i in /apps/rancher/k3s/server/tls/*.crt; do echo "$i"; openssl x509 -enddate -noout -in "$i"; done
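
An added example, not part of the original procedure: step 5 only prints each certificate's end date, so this function uses openssl x509 -checkend to flag certificates that are expired or will expire within a given number of days, which lets the same check run from cron or monitoring before kubectl starts failing. The function name check_cert_expiry and the 30-day default are assumptions; the directory is the one used in step 5.

```shell
#!/bin/sh
# Added example (not from the original page): report K3s certificates that
# are expired, unreadable, or due to expire within a warning window.
# check_cert_expiry is a hypothetical helper name; 30 days is an assumed default.
#
# Usage:  check_cert_expiry /apps/rancher/k3s/server/tls 30
# Return: 0 = every certificate is valid beyond the window
#         1 = at least one certificate is expired, expiring, or unreadable
#         2 = no .crt files were found in the directory

check_cert_expiry() {
    dir=$1
    days=${2:-30}
    window=$((days * 86400))   # -checkend takes seconds
    found=0
    bad=0

    for crt in "$dir"/*.crt; do
        # An unmatched glob stays literal; skip it instead of passing it to openssl.
        [ -e "$crt" ] || continue
        found=1

        if ! openssl x509 -noout -in "$crt" >/dev/null 2>&1; then
            # Not a parsable certificate: report it separately from expiry.
            echo "UNREADABLE $crt"
            bad=1
        elif openssl x509 -checkend "$window" -noout -in "$crt" >/dev/null 2>&1; then
            echo "OK         $crt ($(openssl x509 -enddate -noout -in "$crt"))"
        else
            # -checkend exits non-zero when notAfter falls inside the window,
            # which also covers certificates that have already expired.
            echo "EXPIRING   $crt ($(openssl x509 -enddate -noout -in "$crt"))"
            bad=1
        fi
    done

    if [ "$found" -ne 1 ]; then
        echo "no .crt files found in $dir" >&2
        return 2
    fi
    return "$bad"
}

# Run the check only when the script is invoked with arguments.
if [ "$#" -gt 0 ]; then
    check_cert_expiry "$@"
fi
```

Run it on both nodes after copy_k3s_certs_to_peer; a non-zero exit status means at least one certificate still needs attention.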