Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fresh install giving certificate has expired or is not yet valid error #2112

Closed
csiemantel opened this issue Aug 11, 2020 · 4 comments
Closed

Fresh install giving certificate has expired or is not yet valid error #2112

csiemantel opened this issue Aug 11, 2020 · 4 comments

Comments

@csiemantel
Copy link

csiemantel commented Aug 11, 2020
edited by davidnuzik
Loading

Environmental Info:
K3s Version:
k3s version v1.18.6+k3s1 (6f56fa1)

Node(s) CPU architecture, OS, and Version:
Linux rancher-server-0 5.7.11-1-default #1 SMP Wed Jul 29 09:32:21 UTC 2020 (5015994) x86_64 x86_64 x86_64 GNU/Linux
Linux rancher-server-1 5.7.11-1-default #1 SMP Wed Jul 29 09:32:21 UTC 2020 (5015994) x86_64 x86_64 x86_64 GNU/Linux

Cluster Configuration:
Two k3s nodes running on a Ubuntu 20.04 host

Describe the bug:
Fresh k3s install, getting error "Unable to connect to the server: x509: certificate has expired or is not yet valid" when executing command
kubectl --kubeconfig ~/.kube/config/k3s.yaml get pods --all-namespaces
on the host system

Steps To Reproduce:

  • Installed K3s: curl -sfL https://get.k3s.io | sh -s - server \ --datastore-endpoint="mysql://username:password@tcp(hostname:3306)/database-name" per the instructions here
  • Copied /etc/rancher/k3s/k3s.yaml from one of the nodes to host system (~/.kube/config)
  • Execute command kubectl --kubeconfig ~/.kube/config/k3s.yaml get pods --all-namespaces on the host

Expected behavior:
Get a valid kubectl response

Actual behavior:
Get an error: "Unable to connect to the server: x509: certificate has expired or is not yet valid"

Additional context / logs:
Running nginx loadbalancer on the host in a container as described here. And executing k3s kubectl get pods --all-namespaces on either node gives the correct response so k3s is up and running.
@brandond
Copy link
Contributor

brandond commented Aug 12, 2020
edited
Loading

Check the system time on both nodes, and the host you copied the kubeconfig file to. I suspect that there is some sort of time skew that has made it so that the cert is either not yet valid, or has already expired, according to the clock on your host that is experiencing the issue.

@csiemantel
Copy link
Author

date command for both nodes and host gives Wed 12 Aug 2020 10:10:xx AM EDT

@brandond
Copy link
Contributor

Did you remember to edit the server: address in the kubeconfig file after copying it over? By default it points at https://127.0.0.1:6443. You'll need to replace that with the address of one of your server nodes. If you haven't done this, then kubectl is talking to some other service on your host that happens to be listening on 6443 with an expired cert.

@csiemantel
Copy link
Author

Thank you, that works. I had replaced server: with the dns of the load balancer like the install instructions said to. Sounds like there's a problem with my load balancer config.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@brandond @csiemantel