Error: "certificate has expired or is not yet valid" when attempting to detach a cluster from vSphere Kubernetes Service

Article ID: 439521

Products

  • VCF Automation
  • VMware vSphere Kubernetes Service

Issue/Introduction

  • After a certificate rotation, it is not possible to detach a cluster from vSphere Kubernetes Service (VKS).
  • In the VCF Automation UI under Manage & Govern > VCF Services > Kubernetes Management > Clusters, VKS clusters are showing a Detaching status.
  • The cluster-reaper-service in the VMSP prelude namespace will show logs such as:

2026-04-13T19:16:08.307069085Z stdout F {"component":"reaper-job","level":"error","msg":"PollService: failed, service=data-protection, job=Cluster Job rid=(rid:c:ef1a360d-####-####-####-99837aa3c484:<cluster>-6w5yf:<cluster>-00), uid=(c:01KN7#################), force=true, step=PollServices, error=rpc error: code = Unavailable desc = connection error: desc = \"transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2026-04-13T19:15:00Z is after 2026-01-06T15:12:05Z\"","request-id":"ef72c5af-####-####-####-1d4af36de18a","time":"2026-04-13T19:16:08Z","trace-id":"4b8cecbb-####-####-####-31b74e71d52d"}

Environment

  • VCF Automation 9.0
  • VCF Automation 9.1
  • vSphere Kubernetes Service 9.0
  • vSphere Kubernetes Service 9.1

Cause

This issue occurs because the dataprotection-server does not automatically restart following a certificate rotation.

It continues to present the old certificate, so other services fail TLS certificate verification and cannot connect to it.
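The following is an added example, not part of the original article or of any VMware tooling. It triages reaper-job log lines like the one under Issue/Introduction and separates a certificate past its expiry ("is after", the stale-certificate case described here) from one that is not yet valid ("is before", typically clock skew). The function name, result fields and sample lines are assumptions made for illustration.

```python
import json
import re
from datetime import datetime

# Go's crypto/x509 appends "current time <now> is after|before <bound>" to this error.
X509_RE = re.compile(
    r"x509: certificate has expired or is not yet valid: "
    r"current time (?P<now>\S+) is (?P<rel>after|before) (?P<bound>[^\s\"\\]+)"
)
SERVICE_RE = re.compile(r"service=(?P<service>[^,\s]+)")


def _ts(value):
    # RFC 3339 timestamp; map a trailing "Z" to an explicit UTC offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage(line):
    """Return a finding for one CRI-format log line, or None if it is unrelated."""
    start = line.find("{")  # skip the "<timestamp> stdout F " prefix
    if start < 0:
        return None
    try:
        msg = json.loads(line[start:]).get("msg", "")
    except json.JSONDecodeError:
        return None
    hit = X509_RE.search(msg)
    if not hit:
        return None
    svc = SERVICE_RE.search(msg)
    return {
        "service": svc["service"] if svc else None,
        # "after": past notAfter (expired). "before": ahead of notBefore (not yet valid).
        "state": "expired" if hit["rel"] == "after" else "not_yet_valid",
        "days": abs(_ts(hit["now"]) - _ts(hit["bound"])).days,
    }


# Constructed sample lines modelled on the entry in this article (identifiers omitted).
SAMPLE = [
    '2026-04-13T19:16:08.307069085Z stdout F {"component":"reaper-job","level":"error","msg":"PollService: failed, service=data-protection, step=PollServices, error=rpc error: code = Unavailable desc = connection error: desc = \\"transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2026-04-13T19:15:00Z is after 2026-01-06T15:12:05Z\\""}',
    '2026-04-13T19:16:09.000000000Z stdout F {"component":"reaper-job","level":"info","msg":"PollService: ok, service=example"}',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(triage(entry))
```

An "expired" finding whose expiry date predates the certificate rotation points to a service still serving the old certificate. A "not_yet_valid" finding points to a time-synchronisation problem that a restart will not fix.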

Resolution

To resolve the certificate issue, you will need to restart the dataprotection-server deployment on the VCF Automation (VCFA) Node.

  1. Open the VCF Operations UI and navigate to the Build > Lifecycle Components tab.
  2. Click on the VCF Services Runtime link.
  3. Scroll down the page to the Nodes section.
  4. Identify a Control Plane node and take note of the IP address.
  5. SSH to this Control Plane node as vmware-system-user and provide the password for the account.
  6. Elevate to root to obtain the credentials for the Kubernetes layer of the VCF Services Runtime:
    1. sudo -i
    2. export KUBECONFIG=/etc/kubernetes/admin.conf
  7. Restart the dataprotection-server deployment:
    1. kubectl rollout restart deployment -n prelude dataprotection-server