When a certificate has expired, or when you hit an error like the one below, you may need to replace the certificate by hand:
Unable to connect to the server: x509: certificate is valid for 10.43.0.1, 127.0.0.1, 192.168.0.2, not xxx
This message comes from the client (kubectl here): it rejects the API server's serving certificate because the address it connected to, xxx, is not among the Subject Alternative Names the certificate was issued for. The connection fails during the TLS handshake, before any authentication, so the fix is on the server's certificate, not on the kubeconfig credentials.
Inspect and back up the current certificate
K3s is used as the example here; the same principle applies to upstream Kubernetes, only the certificate directory differs (on kubeadm clusters the files live under /etc/kubernetes/pki and kubeadm has its own certs renew tooling).
$ cd /var/lib/rancher/k3s/server/tls
$ openssl x509 -noout -text -in serving-kube-apiserver.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 5436315453726641788 (0x4b71ac1a3257ce7c)
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN = k3s-server-ca@1640660897
        Validity
            Not Before: Dec 28 03:08:17 2021 GMT
            Not After : Dec 28 03:08:17 2022 GMT
        Subject: CN = kube-apiserver
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:53:50:c3:aa:83:af:d5:0c:13:a2:b4:55:09:28:
                    de:c6:65:b3:62:e6:78:06:90:22:69:b3:42:b5:e2:
                    5f:ed:f2:7d:4c:bc:a0:bc:ea:b5:ee:82:5e:36:16:
                    65:ad:7e:03:e0:73:ef:f3:26:35:8f:2e:36:d8:cf:
                    6a:0e:70:f4:b8
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Authority Key Identifier:
                keyid:CC:B5:B8:3B:36:D9:2D:F0:E1:E2:F0:01:C5:85:A2:69:ED:1C:19:BD
            X509v3 Subject Alternative Name:
                DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, DNS:localhost, DNS:k8smaster, IP Address:127.0.0.1, IP Address:192.168.0.2, IP Address:10.43.0.1
    Signature Algorithm: ecdsa-with-SHA256
         30:45:02:20:78:49:86:38:cc:65:c2:0a:38:83:1f:98:84:1f:
         50:85:4c:71:db:35:56:7c:af:44:3a:15:58:98:58:f9:e6:89:
         02:21:00:fb:69:0b:66:a1:b8:c3:92:21:a6:23:cf:ed:19:03:
         26:fc:f1:bd:b7:d9:3a:50:d8:4b:01:90:cf:c9:8a:8b:19
As the output shows, this certificate is valid for one year (see Not After), and the X509v3 Subject Alternative Name extension lists the DNS names and IP addresses it is valid for. Those SAN entries are what a client matches the connection address against, which is why the error above lists exactly 10.43.0.1, 127.0.0.1 and 192.168.0.2: xxx is simply not in this list. Back up the current certificate and key before touching anything:
$ cp serving-kube-apiserver.* ~/
The glob copies the private key as well as the certificate, so keep the copy readable by root only and delete it once the replacement is done.
Generate a new certificate
$ mkdir -p /tmp/certs && cd /tmp/certs
$ cp ~/serving-kube-apiserver.key .
# Reuse the existing key (as done here) or generate a fresh one. The original key is ECDSA P-256; the
# commented-out command below would produce a 2048-bit RSA key instead, which also works but changes the key type.
# A new key must then be installed as serving-kube-apiserver.key together with the new certificate, and a new
# key is the right choice whenever the old one may have been exposed (rotating for expiry alone does not need it).
# openssl genrsa -out apiserver.key 2048
$ openssl req -new -key serving-kube-apiserver.key -subj "/CN=kube-apiserver" -out apiserver.csr
# The names and addresses the certificate will be valid for: keep every entry of the old certificate and add the
# missing one. Note the input syntax is IP:x.x.x.x (openssl prints it as "IP Address:" but does not accept that
# form as input); replace xxx.xxx.xxx.xxx with the address from the error message.
$ echo "subjectAltName = DNS:kubernetes, DNS:kubernetes.default,DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, DNS:localhost, DNS:k8smaster, IP:127.0.0.1, IP:192.168.0.2, IP:10.43.0.1, IP:xxx.xxx.xxx.xxx" > apiserver.ext
# Sign the request with the cluster's existing server CA, so that clients that already trust the CA keep trusting
# the result. This ext file sets only subjectAltName, so the new certificate will lack the Key Usage
# (digitalSignature, keyEncipherment) and Extended Key Usage (serverAuth) extensions the original had; Go clients
# accept a server certificate without them, but add keyUsage and extendedKeyUsage lines to apiserver.ext if you
# want the replacement to be equivalent. -days 365 matches the one-year validity k3s issues; -CAcreateserial
# writes a server-ca.srl serial file next to server-ca.crt, the one side effect this leaves in the tls directory.
$ openssl x509 -req -in apiserver.csr -CA /var/lib/rancher/k3s/server/tls/server-ca.crt -CAkey /var/lib/rancher/k3s/server/tls/server-ca.key -CAcreateserial -out apiserver.crt -days 365 -extfile apiserver.ext
Signature ok
subject=CN = kube-apiserver
Getting CA Private Key
Check the result
$ openssl x509 -noout -text -in apiserver.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            16:b5:93:9c:ce:b9:c2:25:0f:54:1d:99:91:f6:53:f8:75:54:a7:87
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN = k3s-server-ca@1640660897
        Validity
            Not Before: Dec 28 07:40:34 2021 GMT
            Not After : Dec 28 07:40:34 2022 GMT
        Subject: CN = kube-apiserver
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:53:50:c3:aa:83:af:d5:0c:13:a2:b4:55:09:28:
                    de:c6:65:b3:62:e6:78:06:90:22:69:b3:42:b5:e2:
                    5f:ed:f2:7d:4c:bc:a0:bc:ea:b5:ee:82:5e:36:16:
                    65:ad:7e:03:e0:73:ef:f3:26:35:8f:2e:36:d8:cf:
                    6a:0e:70:f4:b8
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, DNS:localhost, DNS:k8smaster, IP Address:127.0.0.1, IP Address:192.168.0.2, IP Address:10.43.0.1, IP Address:xxx.xxx.xxx.xxx
    Signature Algorithm: ecdsa-with-SHA256
         30:46:02:21:00:9e:55:a7:48:da:db:e1:c5:44:95:5f:e0:ed:
         35:59:2d:fb:ea:72:1f:54:85:39:fb:ee:ee:d7:be:92:53:da:
         95:02:21:00:8f:e9:5d:16:ad:22:34:dd:5c:8a:67:dd:79:71:
         14:57:3d:5a:41:bc:83:61:24:0a:99:ea:87:e8:38:62:a7:3b
Three things to confirm here: the Issuer is still the cluster's server CA, the Subject Alternative Name list now contains the extra address, and the public key is unchanged (the same key was reused). Note also what is missing: the original certificate had Key Usage, Extended Key Usage and Authority Key Identifier extensions, and this one carries only the SAN because apiserver.ext set nothing else.
The same paste also contained the output of an earlier signing run (serial ending a7:86, Not Before 07:34:30) that came out as "Version: 1 (0x0)" with no X509v3 extensions section at all. That is what openssl x509 -req produces when the -extfile extensions are not applied (OpenSSL 3 adds key identifier extensions on its own, so there the result shows as Version 3 but still without a SAN). Such a certificate reproduces the original error, so do not install it; always re-check for the SAN line before copying a certificate into place.
Install the new certificate and restart the service
$ cp apiserver.crt /var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt
If you generated a new key in the previous step, copy it to serving-kube-apiserver.key in the same directory as well, with mode 0600.
Be aware of what k3s certificate rotate does before running it: it backs up the whole tls directory to tls-<timestamp> and removes the certificates of the listed services, so that k3s regenerates them from the server CA on the next start (its own log below says as much: the rotation happens when the server is restarted). The regenerated serving-kube-apiserver.crt is built from k3s's own SAN list, the node's addresses plus any --tls-san values, not from the hand-signed file just copied in. So either add the extra address with --tls-san before restarting, which is the supported way to get it into the certificate, or skip rotate and just restart the service: on start k3s regenerates a serving certificate when it is expired or within 90 days of expiry (and in recent releases also when it lacks an address k3s requires), and a freshly signed one-year certificate that chains to the server CA and carries at least the original SANs is left in place. That 90-day rule also means a certificate that has merely expired needs no openssl work at all: stop k3s, run k3s certificate rotate, start it again, and k3s reissues everything. The k3s docs have you stop the service before rotate and start it afterwards rather than rotating while it runs as below.
$ k3s certificate rotate
INFO[0000] Server detected, rotating server certificates
INFO[0000] Rotating certificates for admin service
INFO[0000] Rotating certificates for etcd service
INFO[0000] Rotating certificates for api-server service
INFO[0000] Rotating certificates for controller-manager service
INFO[0000] Rotating certificates for cloud-controller service
INFO[0000] Rotating certificates for scheduler service
INFO[0000] Rotating certificates for k3s-server service
INFO[0000] Rotating dynamic listener certificate
INFO[0000] Rotating certificates for k3s-controller service
INFO[0000] Rotating certificates for auth-proxy service
INFO[0000] Rotating certificates for kubelet service
INFO[0000] Rotating certificates for kube-proxy service
INFO[0000] Successfully backed up certificates for all services to path /var/lib/rancher/k3s/server/tls-1640678060, please restart k3s server or agent to rotate certificates
$ systemctl restart k3s.service
Afterwards, reconnect with kubectl using the address that failed before, and confirm which certificate the server now presents (inspect serving-kube-apiserver.crt again, or check from the client side with openssl s_client against port 6443). Finally, remove the working copies of the private key from /tmp/certs and ~/; the only copy that should remain outside the tls directory is the timestamped backup k3s made.