SSL Certificate Expired on controller

Article ID: 321758

Products

VMware Integrated OpenStack

Issue/Introduction

Symptoms:
  • The expired certificate is the server certificate that kubelet uses to serve HTTPS on port 10250.


Environment

7.x

Cause

  • The certificate is located at /var/lib/kubelet/pki/kubelet.crt
  • The file contains one self-signed CA certificate and one server certificate signed by that CA; both are valid for one year.
[ /var/lib/kubelet/pki ]# openssl x509 -text -in kubelet.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=oms.vio.local-ca@1591484450
        Validity
            Not Before: Jun 6 22:00:49 2020 GMT
            Not After : Jun 6 22:00:49 2021 GMT
        Subject: CN=oms.vio.local@1591484450
        Subject Public Key Info:
...

  • The kubelet service on port 10250 is always served with a self-signed certificate, not a certificate signed by the K8s CA.

Resolution

On each k8s node (vio-manager and controllers), run the following:

  1. rm /var/lib/kubelet/pki/kubelet.*
  2. systemctl restart kubelet


When kubelet restarts, if there is no kubelet.crt and kubelet.key present in /var/lib/kubelet/pki/, kubelet automatically generates a new key and certificate (valid for one year from today).
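
To confirm expiry before deleting the files, and to confirm the regenerated certificates afterwards, the following added example (not part of the original article) checks every certificate in the bundle, since `openssl x509` on its own reads only the first PEM block of a file. The function name `check_kubelet_certs` and the 30-day default threshold are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the article): expiry check for every certificate
# in a PEM bundle such as /var/lib/kubelet/pki/kubelet.crt.
# "openssl x509 -in FILE" reads only the first PEM block, so the bundle is
# split and each certificate is checked separately.

# check_kubelet_certs BUNDLE [DAYS]   (hypothetical helper name)
# Prints one line per certificate. Returns 0 if all are valid for more than
# DAYS days (default 30, an assumed threshold), 1 if any is expired or
# expires sooner, 2 if BUNDLE contains no certificate.
check_kubelet_certs() {
    local bundle="$1" days="${2:-30}" tmp pem subject end n=0 rc=0
    tmp=$(mktemp -d) || return 2
    # Write each BEGIN/END CERTIFICATE block to its own numbered file.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { i++; out = sprintf("%s/cert%03d.pem", dir, i) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"
    for pem in "$tmp"/cert*.pem; do
        [ -e "$pem" ] || break          # glob matched nothing: empty bundle
        n=$((n + 1))
        subject=$(openssl x509 -noout -subject -in "$pem")
        end=$(openssl x509 -noout -enddate -in "$pem")
        # -checkend N exits non-zero if the certificate expires within N seconds.
        if openssl x509 -noout -checkend $((days * 86400)) -in "$pem" >/dev/null; then
            echo "OK     cert $n: $subject, $end"
        else
            echo "RENEW  cert $n: $subject, $end"
            rc=1
        fi
    done
    rm -rf "$tmp"
    [ "$n" -gt 0 ] || rc=2
    return "$rc"
}

# When run as a script with arguments, check the given bundle, e.g.:
#   ./check.sh /var/lib/kubelet/pki/kubelet.crt 30
if [ "$#" -gt 0 ]; then
    check_kubelet_certs "$@"
fi
```

Run it on each node before and after the restart; a `RENEW` line after the restart means kubelet did not regenerate that certificate.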

Additional Information

Impact/Risks:
  • This has not caused any functional impact.
  • It is safe to ignore this expired certificate.