When a certificate has expired, or when you run into the error below, you may need to replace the certificate by hand.

Unable to connect to the server: x509: certificate is valid for 10.43.0.1, 127.0.0.1, 192.168.0.2, not xxx

Inspect and back up the current certificate

K3s is used as the example here; the procedure works exactly the same way on K8s.

$ cd /var/lib/rancher/k3s/server/tls
$ openssl x509 -noout -text -in serving-kube-apiserver.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 5436315453726641788 (0x4b71ac1a3257ce7c)
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN = k3s-server-ca@1640660897
        Validity
            Not Before: Dec 28 03:08:17 2021 GMT
            Not After : Dec 28 03:08:17 2022 GMT
        Subject: CN = kube-apiserver
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:53:50:c3:aa:83:af:d5:0c:13:a2:b4:55:09:28:
                    de:c6:65:b3:62:e6:78:06:90:22:69:b3:42:b5:e2:
                    5f:ed:f2:7d:4c:bc:a0:bc:ea:b5:ee:82:5e:36:16:
                    65:ad:7e:03:e0:73:ef:f3:26:35:8f:2e:36:d8:cf:
                    6a:0e:70:f4:b8
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Authority Key Identifier:
                keyid:CC:B5:B8:3B:36:D9:2D:F0:E1:E2:F0:01:C5:85:A2:69:ED:1C:19:BD

            X509v3 Subject Alternative Name:
                DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, DNS:localhost, DNS:k8smaster, IP Address:127.0.0.1, IP Address:192.168.0.2, IP Address:10.43.0.1
    Signature Algorithm: ecdsa-with-SHA256
         30:45:02:20:78:49:86:38:cc:65:c2:0a:38:83:1f:98:84:1f:
         50:85:4c:71:db:35:56:7c:af:44:3a:15:58:98:58:f9:e6:89:
         02:21:00:fb:69:0b:66:a1:b8:c3:92:21:a6:23:cf:ed:19:03:
         26:fc:f1:bd:b7:d9:3a:50:d8:4b:01:90:cf:c9:8a:8b:19

As you can see, this certificate is valid for one year, and the X509v3 Subject Alternative Name extension lists the names and IP addresses the certificate is valid for. Back it up first:

$ cp serving-kube-apiserver.* ~/

Generate a new certificate

$ mkdir -p /tmp/certs && cd /tmp/certs
$ cp ~/serving-kube-apiserver.key .
# Reuse the existing key to regenerate the certificate, or generate a new key yourself
# openssl genrsa -out apiserver.key 2048
$ openssl req -new -key serving-kube-apiserver.key -subj "/CN=kube-apiserver" -out apiserver.csr
# Adjust the names the certificate is issued for; note that IP entries use the form IP:xxx
$ echo "subjectAltName = DNS:kubernetes, DNS:kubernetes.default,DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, DNS:localhost, DNS:k8smaster, IP:127.0.0.1, IP:192.168.0.2, IP:10.43.0.1, IP:xxx.xxx.xxx.xxx" > apiserver.ext
# Re-issue the CRT with the existing CA certificate
$ openssl x509 -req -in apiserver.csr -CA /var/lib/rancher/k3s/server/tls/server-ca.crt -CAkey /var/lib/rancher/k3s/server/tls/server-ca.key -CAcreateserial -out apiserver.crt -days 365 -extfile apiserver.ext
Signature ok
subject=CN = kube-apiserver
Getting CA Private Key

Inspect the result

$ openssl x509 -noout -text -in apiserver.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            16:b5:93:9c:ce:b9:c2:25:0f:54:1d:99:91:f6:53:f8:75:54:a7:87
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN = k3s-server-ca@1640660897
        Validity
            Not Before: Dec 28 07:40:34 2021 GMT
            Not After : Dec 28 07:40:34 2022 GMT
        Subject: CN = kube-apiserver
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:53:50:c3:aa:83:af:d5:0c:13:a2:b4:55:09:28:
                    de:c6:65:b3:62:e6:78:06:90:22:69:b3:42:b5:e2:
                    5f:ed:f2:7d:4c:bc:a0:bc:ea:b5:ee:82:5e:36:16:
                    65:ad:7e:03:e0:73:ef:f3:26:35:8f:2e:36:d8:cf:
                    6a:0e:70:f4:b8
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, DNS:localhost, DNS:k8smaster, IP Address:127.0.0.1, IP Address:192.168.0.2, IP Address:10.43.0.1, IP Address:xxx.xxx.xxx.xxx
    Signature Algorithm: ecdsa-with-SHA256
         30:46:02:21:00:9e:55:a7:48:da:db:e1:c5:44:95:5f:e0:ed:
         35:59:2d:fb:ea:72:1f:54:85:39:fb:ee:ee:d7:be:92:53:da:
         95:02:21:00:8f:e9:5d:16:ad:22:34:dd:5c:8a:67:dd:79:71:
         14:57:3d:5a:41:bc:83:61:24:0a:99:ea:87:e8:38:62:a7:3b
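As an added example that is not part of the original post, the POSIX shell script below wraps the CSR-and-sign steps above in a function and checks the result before anything is copied into place: the new certificate chains to the CA, its public key matches the serving key, it is not expired, and its SAN lists every required name. It also carries over the Key Usage and Extended Key Usage extensions the original serving certificate had (the ext file above sets only subjectAltName, so the re-issued certificate lacks them). The function names, the throw-away CA built by make_test_ca (a constructed stand-in for server-ca.crt and server-ca.key, never the cluster's real CA) and the address 203.0.113.10 are assumptions made for the example; it expects openssl 1.1.1 or newer on PATH.

```shell
#!/bin/sh
# Added example, not from the original post: renew a kube-apiserver serving
# certificate from the existing key and cluster CA, then verify the result
# before it is copied into place. Assumes openssl (1.1.1 or newer) is on PATH.

# renew_apiserver_cert WORKDIR KEY CA_CRT CA_KEY SAN_LIST [DAYS]
#   SAN_LIST uses openssl syntax, e.g. "DNS:kubernetes,IP:10.43.0.1".
#   Writes apiserver.csr, apiserver.ext and apiserver.crt into WORKDIR.
renew_apiserver_cert() {
  workdir=$1; key=$2; ca_crt=$3; ca_key=$4; san=$5; days=${6:-365}
  mkdir -p "$workdir" || return 1
  # CSR from the existing serving key; the CN stays kube-apiserver
  openssl req -new -key "$key" -subj "/CN=kube-apiserver" \
    -out "$workdir/apiserver.csr" 2>/dev/null || return 1
  # Carry over the key usage and extended key usage of the original serving
  # certificate; an ext file with only subjectAltName would drop them.
  cat > "$workdir/apiserver.ext" <<EOF
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $san
EOF
  openssl x509 -req -in "$workdir/apiserver.csr" -CA "$ca_crt" -CAkey "$ca_key" \
    -CAcreateserial -days "$days" -extfile "$workdir/apiserver.ext" \
    -out "$workdir/apiserver.crt" 2>/dev/null || return 1
}

# check_apiserver_cert CRT KEY CA_CRT NAME...
#   Returns 0 only if CRT chains to CA_CRT, its public key matches KEY, it is
#   not expired, and its SAN lists every NAME (e.g. "IP Address:10.43.0.1").
check_apiserver_cert() {
  crt=$1; key=$2; ca_crt=$3; shift 3
  openssl verify -CAfile "$ca_crt" "$crt" >/dev/null 2>&1 \
    || { echo "FAIL: $crt does not chain to $ca_crt"; return 1; }
  openssl x509 -checkend 0 -noout -in "$crt" >/dev/null 2>&1 \
    || { echo "FAIL: $crt has expired"; return 1; }
  [ "$(openssl x509 -pubkey -noout -in "$crt")" = "$(openssl pkey -pubout -in "$key")" ] \
    || { echo "FAIL: $crt does not match $key"; return 1; }
  # the SAN values are printed on the line after the extension header
  sans=$(openssl x509 -noout -text -in "$crt" | sed -n '/Subject Alternative Name/{n;p;}')
  for name in "$@"; do
    case "$sans" in
      *"$name"*) ;;
      *) echo "FAIL: SAN of $crt lacks $name"; return 1 ;;
    esac
  done
  echo "OK: $crt"
}

# make_test_ca DIR: a constructed throw-away CA standing in for
# /var/lib/rancher/k3s/server/tls/server-ca.{crt,key}; not for real clusters.
make_test_ca() {
  cadir=$1
  mkdir -p "$cadir" || return 1
  openssl ecparam -name prime256v1 -genkey -noout -out "$cadir/server-ca.key" 2>/dev/null || return 1
  openssl req -new -key "$cadir/server-ca.key" -subj "/CN=test-server-ca" \
    -out "$cadir/server-ca.csr" 2>/dev/null || return 1
  printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' \
    > "$cadir/server-ca.ext"
  openssl x509 -req -in "$cadir/server-ca.csr" -signkey "$cadir/server-ca.key" -days 3650 \
    -extfile "$cadir/server-ca.ext" -out "$cadir/server-ca.crt" 2>/dev/null || return 1
}

# demo_renewal DIR: end-to-end run against the constructed CA; returns the check status.
demo_renewal() {
  root=$1
  make_test_ca "$root/tls" || return 1
  # constructed stand-in for the existing serving-kube-apiserver.key
  openssl ecparam -name prime256v1 -genkey -noout \
    -out "$root/tls/serving-kube-apiserver.key" 2>/dev/null || return 1
  renew_apiserver_cert "$root/certs" "$root/tls/serving-kube-apiserver.key" \
    "$root/tls/server-ca.crt" "$root/tls/server-ca.key" \
    "DNS:kubernetes,DNS:kubernetes.default,DNS:kubernetes.default.svc,DNS:kubernetes.default.svc.cluster.local,DNS:localhost,DNS:k8smaster,IP:127.0.0.1,IP:192.168.0.2,IP:10.43.0.1,IP:203.0.113.10" \
    || return 1
  check_apiserver_cert "$root/certs/apiserver.crt" "$root/tls/serving-kube-apiserver.key" \
    "$root/tls/server-ca.crt" "DNS:kubernetes" "IP Address:10.43.0.1" "IP Address:203.0.113.10"
}
```

On a real node you would skip make_test_ca and demo_renewal and call renew_apiserver_cert with the backed-up serving-kube-apiserver.key and the server-ca.crt and server-ca.key from /var/lib/rancher/k3s/server/tls, then run check_apiserver_cert with the address from the x509 error message before copying the certificate into place.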

Install the new certificate and restart the service

$ cp apiserver.crt /var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt
$ k3s certificate rotate
INFO[0000] Server detected, rotating server certificates
INFO[0000] Rotating certificates for admin service
INFO[0000] Rotating certificates for etcd service
INFO[0000] Rotating certificates for api-server service
INFO[0000] Rotating certificates for controller-manager service
INFO[0000] Rotating certificates for cloud-controller service
INFO[0000] Rotating certificates for scheduler service
INFO[0000] Rotating certificates for k3s-server service
INFO[0000] Rotating dynamic listener certificate
INFO[0000] Rotating certificates for k3s-controller service
INFO[0000] Rotating certificates for auth-proxy service
INFO[0000] Rotating certificates for kubelet service
INFO[0000] Rotating certificates for kube-proxy service
INFO[0000] Successfully backed up certificates for all services to path /var/lib/rancher/k3s/server/tls-1640678060, please restart k3s server or agent to rotate certificates
$ systemctl restart k3s.service