You will see kube-apiserver logs similar to below snippet:

"Unable to authenticate the request" err="[x509: certificate has expired or is not yet valid: current time 2025-01-12T09:58:59Z is after 2024-09-11T11:16:05Z, verifying certificate SN=#####, SKID=, AKID=AA:AA:##:##:##:##:##:##:##:XX:YY:ZZ:...:## failed: x509: certificate has expired or is not yet valid: current time 2025-01-01T01:00:00Z is after 2024-09-11T11:16:05Z]"

TCA 2.3

VMware Tanzu Kubernetes Grid 1.x & 2.x

• Verify certificate status of kapp, kube-apiserver or kubelet
• To verify Kapp certificate, refer
  • kapp-controller Certificate Renewal
• To verify Kube-apiserver certificate:
  • Kube-Apiserver Certificate renewal
• To verify Kubelet certificate:
  • Kubelet Certificate Renewal
• If all the certificates are valid and not expired, and you still receive a log snippet stating "expired certificate" in api server log then some application certificate would have got expired which is utilizing api service.
• To fix, contact application owner to remove their expired certificate.