vSphere with Tanzu supervisor certificates or spherelet certificates have expired or are about to expire.
You can use the following command while connected via SSH into either of the Supervisor Control Plane VMs.
# find / -type f \( -name "*.cert" -o -name "*.crt" \) -print 2>/dev/null | egrep -iv 'ca.crt$|ca-bundle.crt$|kubelet\/pods|var\/lib\/containerd|run\/containerd|backup' | xargs -L 1 -t -i bash -c 'openssl x509 -noout -text -in {}|grep After'
SSH into Supervisor Control Plane VM Instructions: Troubleshooting vSphere with Tanzu (TKGS) Supervisor Control Plane VM's (90194)
$ scp ./wcp_cert_manager.zip root@##.##.##.##:/root
Example Output:
The authenticity of host '##.##.##.## (##.##.##.##)' can't be established.
ECDSA key fingerprint is SHA256:<fingerprint>.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '##.##.##.##' (ECDSA) to the list of known hosts.
VMware vCenter Server 7.0.#.#####
Type: vCenter Server with an embedded Platform Services Controller
Password:
wcp_cert_manager.zip 100% 8473KB 8.3MB/s 00:00
# pwd
/root
# unzip wcp_cert_manager.zip
Archive: wcp_cert_manager.zip
inflating: certmgr
# ls -l
total 30956
-rwxr-xr-x 1 root root 23019418 MM DD HH:MM certmgr
-rw-r--r-- 1 root root 8675846 MM DD HH:MM wcp_cert_manager.zip
# ./certmgr certificates rotate
+------------------+------------------------------------------------------------------------------------------------------+-------+
| CONTROL PLANE IP | RESULT | ERROR |
+------------------+------------------------------------------------------------------------------------------------------+-------+
| ##.##.##.## | +---------------------------------------------------------------------------------+----------------+ | |
| | | TASKS | OVERALL STATUS | | |
| | +---------------------------------------------------------------------------------+----------------+ | |
| | | +--------------------------------+------------------------------------+-------+ | ok | | |
| | | | TASK | RESULT | ERROR | | | | |
| | | +--------------------------------+------------------------------------+-------+ | | | |
| | | | backup certificates | /root/backups-16739895901776834456 | | | | | |
| | | | rotate etcd server certificate | | | | | | |
| | | | rotate api server etcd client | | | | | | |
| | | | certificate | | | | | | |
| | | | rotate etcd peer certificate | | | | | | |
| | | | rotate etcd health check | | | | | | |
| | | | certificate | | | | | | |
| | | | rotate api server certificate | | | | | | |
| | | | rotate kubelet client api | | | | | | |
| | | | server certificate | | | | | | |
| | | | rotate front proxy certificate | | | | | | |
| | | | rotate controller-manager | | | | | | |
| | | | certificate | | | | | | |
| | | | rotate scheduler certificate | | | | | | |
| | | | rotate scheduler extension | | | | | | |
| | | | certificate | | | | | | |
| | | | rotate kubelet certificate | | | | | | |
| | | | restart ncp | NCP restart skipped: VDS setup | | | | | |
| | | | | detected. | | | | | |
| | | | rotate auth proxy certificate | | | | | | |
| | | | rotate management certificate | | | | | | |
| | | | rotate registry certificate | | | | | | |
| | | | rotate kubeadm admin | | | | | | |
| | | | certificate | | | | | | |
| | | | verify etcd health | | | | | | |
| | | +--------------------------------+------------------------------------+-------+ | | | |
| | | | | | |
| | +---------------------------------------------------------------------------------+----------------+ | |
| | | |
| ##.##.##.## | +---------------------------------------------------------------------------------+----------------+ | |
| | | TASKS | OVERALL STATUS | | |
| | +---------------------------------------------------------------------------------+----------------+ | |
| | | +--------------------------------+------------------------------------+-------+ | ok | | |
| | | | TASK | RESULT | ERROR | | | | |
| | | +--------------------------------+------------------------------------+-------+ | | | |
| | | | backup certificates | /root/backups-16739895893751688144 | | | | | |
| | | | rotate etcd server certificate | | | | | | |
| | | | rotate api server etcd client | | | | | | |
| | | | certificate | | | | | | |
| | | | rotate etcd peer certificate | | | | | | |
| | | | rotate etcd health check | | | | | | |
| | | | certificate | | | | | | |
| | | | rotate api server certificate | | | | | | |
| | | | rotate kubelet client api | | | | | | |
| | | | server certificate | | | | | | |
| | | | rotate front proxy certificate | | | | | | |
| | | | rotate controller-manager | | | | | | |
| | | | certificate | | | | | | |
| | | | rotate scheduler certificate | | | | | | |
| | | | rotate scheduler extension | | | | | | |
| | | | certificate | | | | | | |
| | | | rotate kubelet certificate | | | | | | |
| | | | restart ncp | NCP restart skipped: VDS setup | | | | | |
| | | | | detected. | | | | | |
| | | | rotate auth proxy certificate | | | | | | |
| | | | rotate management certificate | | | | | | |
| | | | rotate registry certificate | | | | | | |
| | | | rotate kubeadm admin | | | | | | |
| | | | certificate | | | | | | |
| | | | verify etcd health | | | | | | |
| | | +--------------------------------+------------------------------------+-------+ | | | |
| | | | | | |
| | +---------------------------------------------------------------------------------+----------------+ | |
| | | |
| ##.##.##.## | +--------------------------------------------------------------------------------+----------------+ | |
| | | TASKS | OVERALL STATUS | | |
| | +--------------------------------------------------------------------------------+----------------+ | |
| | | +--------------------------------+-----------------------------------+-------+ | ok | | |
| | | | TASK | RESULT | ERROR | | | | |
| | | +--------------------------------+-----------------------------------+-------+ | | | |
| | | | backup certificates | /root/backups-1673989589793637456 | | | | | |
| | | | rotate etcd server certificate | | | | | | |
| | | | rotate api server etcd client | | | | | | |
| | | | certificate | | | | | | |
| | | | rotate etcd peer certificate | | | | | | |
| | | | rotate etcd health check | | | | | | |
| | | | certificate | | | | | | |
| | | | rotate api server certificate | | | | | | |
| | | | rotate kubelet client api | | | | | | |
| | | | server certificate | | | | | | |
| | | | rotate front proxy certificate | | | | | | |
| | | | rotate controller-manager | | | | | | |
| | | | certificate | | | | | | |
| | | | rotate scheduler certificate | | | | | | |
| | | | rotate scheduler extension | | | | | | |
| | | | certificate | | | | | | |
| | | | rotate kubelet certificate | | | | | | |
| | | | restart ncp | NCP restart skipped: NCP | | | | | |
| | | | | restart only occurs on the | | | | | |
| | | | | leader. | | | | | |
| | | | rotate auth proxy certificate | | | | | | |
| | | | rotate management certificate | | | | | | |
| | | | rotate registry certificate | | | | | | |
| | | | rotate kubeadm admin | | | | | | |
| | | | certificate | | | | | | |
| | | | verify etcd health | | | | | | |
| | | +--------------------------------+-----------------------------------+-------+ | | | |
| | | | | | |
| | +--------------------------------------------------------------------------------+----------------+ | |
| | | |
+------------------+------------------------------------------------------------------------------------------------------+-------+
+-----------------------------------------------------+----------------+
| TASKS | OVERALL STATUS |
+-----------------------------------------------------+----------------+
| +--------------------------------+--------+-------+ | |
| | TASK | RESULT | ERROR | | |
| +--------------------------------+--------+-------+ | |
| | rotate spherelet certificates | | | | |
| | on ##.##.##.## (host-##) | | | | |
| | rotate spherelet certificates | | | | |
| | on ##.##.##.## (host-##) | | | | |
| | rotate spherelet certificates | | | | |
| | on ##.##.##.## (host-##) | | | | |
| +--------------------------------+--------+-------+ | |
| | |
+-----------------------------------------------------+----------------+
"Error running supervisor cert manager: error while running CPVM cmd: Error running cmd on (##.##.##.##): /tmp/certmgr certificates list --json, error: Process exited with status 127"