Renewing expired certificates

Use this procedure to renew expired certificates for the Kubernetes cluster on all master and control-plane nodes.

Note: This procedure requires a reboot of the master nodes.
  1. Check the certificate validity on any master node.
    [root@node1 ~]# kubeadm certs check-expiration
    [check-expiration] Reading configuration from the cluster...
    [check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
    W0710 21:38:33.484779 1233162 utils.go:69] The recommended value for "clusterDNS" in "KubeletConfiguration" is: [10.233.0.10]; the provided value is: [10.233.0.3]
    
    CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
    admin.conf                 Jun 26, 2025 15:11 UTC   350d            ca                      no
    apiserver                  Jun 26, 2025 15:11 UTC   350d            ca                      no
    apiserver-kubelet-client   Jun 26, 2025 15:11 UTC   350d            ca                      no
    controller-manager.conf    Jun 26, 2025 15:11 UTC   350d            ca                      no
    front-proxy-client         Jun 26, 2025 15:11 UTC   350d            front-proxy-ca          no
    scheduler.conf             Jun 26, 2025 15:11 UTC   350d            ca                      no
    
    CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
    ca                      Jun 24, 2034 15:11 UTC   9y              no
    front-proxy-ca          Jun 24, 2034 15:11 UTC   9y              no
  2. Renew the expired certificates.
    [root@node1 ~]# kubeadm certs renew all
    [renew] Reading configuration from the cluster...
    [renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
    W0710 21:39:19.263073 1234844 utils.go:69] The recommended value for "clusterDNS" in "KubeletConfiguration" is: [10.233.0.10]; the provided value is: [10.233.0.3]
    
    certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
    certificate for serving the Kubernetes API renewed
    certificate for the API server to connect to kubelet renewed
    certificate embedded in the kubeconfig file for the controller manager to use renewed
    certificate for the front proxy client renewed
    certificate embedded in the kubeconfig file for the scheduler manager to use renewed
    
    Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.
  3. Reboot one of the master nodes in the cluster.
    [root@node1 ~]# init 6
  4. From the master node that was just rebooted, enter the following command to allow access to the pods in the cluster.
    cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
  5. Wait and ensure that all application pods are up.
  6. Check the validity date of the renewed certificates on the node.
    [root@node1 ~]# kubeadm certs check-expiration
    [check-expiration] Reading configuration from the cluster...
    [check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
    W0710 21:39:40.594093 1235763 utils.go:69] The recommended value for "clusterDNS" in "KubeletConfiguration" is: [10.233.0.10]; the provided value is: [10.233.0.3]
    
    CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
    admin.conf                 Jul 11, 2025 01:39 UTC   364d            ca                      no
    apiserver-kubelet-client   Jul 11, 2025 01:39 UTC   364d            ca                      no
    controller-manager.conf    Jul 11, 2025 01:39 UTC   364d            ca                      no
    front-proxy-client         Jul 11, 2025 01:39 UTC   364d            front-proxy-ca          no
    scheduler.conf             Jul 11, 2025 01:39 UTC   364d            ca                      no
    
    CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
    ca                      Jun 24, 2034 15:11 UTC   9y              no
    front-proxy-ca          Jun 24, 2034 15:11 UTC   9y              no
  7. Repeat steps 1 through 6 on the remaining master and control-plane nodes.
  8. From the deployer VM, refresh the deployer configuration.
    Enter the following command:
    /root/bin/fss_k8s_discover.sh discover
  9. Reboot the worker nodes.
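
The expiration checks in steps 1 and 6 can be scripted so that a node is flagged before its certificates lapse. The following is an added example, not part of the original procedure: the function name `certs_expiring_within` and the `SAMPLE_OUTPUT` rows are constructed for illustration. It reads `kubeadm certs check-expiration` output on standard input and lists every certificate or CA whose residual time is below a threshold in days.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of the product tooling).
# Usage on a node: kubeadm certs check-expiration | certs_expiring_within 30

# certs_expiring_within DAYS
# Prints "NAME RESIDUAL" for each row below DAYS; returns 1 if any row matched.
certs_expiring_within() {
    awk -v limit="$1" '
        # Convert a residual-time token (350d, 9y, 23h) to whole days.
        function to_days(tok,    n, unit) {
            if (tok == "<invalid>") return -1   # shown for an expired certificate
            n = tok;    sub(/[a-z]+$/, "", n)
            unit = tok; sub(/^[0-9]+/, "", unit)
            if (unit == "y") return n * 365
            if (unit == "d") return n + 0
            return 0                            # h, m, s: less than one day left
        }
        # Data rows carry the expiry as "Mon DD, YYYY HH:MM UTC"; the residual
        # time is the field right after "UTC". Headers and log lines never match.
        {
            for (i = 2; i < NF; i++)
                if ($i == "UTC" && $(i-1) ~ /^[0-9][0-9]:[0-9][0-9]$/) {
                    if (to_days($(i+1)) < limit) { print $1, $(i+1); found = 1 }
                    break
                }
        }
        END { exit found ? 1 : 0 }
    '
}

# Constructed sample rows in the check-expiration layout (values are made up).
SAMPLE_OUTPUT='CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Jun 26, 2025 15:11 UTC 350d ca no
apiserver Jun 26, 2024 15:11 UTC <invalid> ca no
front-proxy-client Jul 01, 2025 15:11 UTC 12d front-proxy-ca no
scheduler.conf Jun 26, 2025 15:11 UTC 23h ca no
ca Jun 24, 2034 15:11 UTC 9y no'

# Demonstration on the constructed sample with a 30-day threshold.
printf '%s\n' "$SAMPLE_OUTPUT" | certs_expiring_within 30 ||
    echo "renewal needed: run the procedure above on this node"
```

The non-zero return status makes the function usable from cron or a monitoring check on each master node.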