Rotate Kubernetes Certificates

During a SevOne Data Insight upgrade, the k3s service automatically rotates certificates that are due to expire within 90 days. If they expire before k3s is able to rotate them, you will need to rotate them manually. Expired certificates show up as kubectl failing to connect:

$ kubectl get pods
Unable to connect to the server: x509: certificate has expired or is not yet valid

Backup TLS Directory

As a precautionary measure, backup the TLS directory.

$ sudo tar -czvf /var/lib/rancher/k3s/server/tls.tgz /var/lib/rancher/k3s/server/tls

Generate New Certificates

  1. Remove the cached certificate from a Kubernetes secret.
    $ sudo rm /var/lib/rancher/k3s/server/tls/dynamic-cert.json
  2. Restart k3s service to rotate the certificates.
    $ sudo systemctl restart k3s
    Note: You can now run Kubernetes commands again, which lets you back up your security keys if you have not done so already.

Refresh Kubernetes Config

After rotating the Kubernetes certificates, each user's copy of the Kubernetes configuration file (which embeds the certificate data) must be refreshed to apply the new certificates.

Refresh Kubernetes config file for 'root' user

$ sudo cp /etc/rancher/k3s/k3s.yaml /root/.kube/config

for 'sevone' user

$ sudo cp /etc/rancher/k3s/k3s.yaml /home/sevone/.kube/config
$ sudo chown -R sevone:sevone /home/sevone/.kube

Verify Certificates

To verify the certificates, execute the following commands.

$ sudo -i

$ for i in /var/lib/rancher/k3s/server/tls/*.crt; \
do echo "$i"; openssl x509 -enddate -noout -in "$i"; \
echo "---"; done
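The loop above prints every expiry date and leaves the reading to you. The script below is an added example, not part of the SevOne documentation, that goes one step further: it parses each `notAfter=` line and reports whether the certificate is already expired, due within the same 90-day window the upgrade rotation uses, or fine. It assumes the TLS directory path from this page and a 90-day threshold (both overridable via `TLS_DIR` and `WARN_DAYS`), works at day granularity (time of day is ignored), and needs only a POSIX shell plus `openssl` for the directory scan.

```shell
#!/bin/sh
# Added example (not SevOne's code): flag expired or soon-to-expire k3s certs.
# Assumptions: TLS directory path and 90-day warning window, both overridable.
TLS_DIR="${TLS_DIR:-/var/lib/rancher/k3s/server/tls}"
WARN_DAYS="${WARN_DAYS:-90}"

# Map the month abbreviation openssl prints to a number.
month_num() {
  case "$1" in
    Jan) echo 1;; Feb) echo 2;; Mar) echo 3;; Apr) echo 4;;
    May) echo 5;; Jun) echo 6;; Jul) echo 7;; Aug) echo 8;;
    Sep) echo 9;; Oct) echo 10;; Nov) echo 11;; Dec) echo 12;;
    *) echo "unknown month: $1" >&2; return 1;;
  esac
}

# Days since 1970-01-01 for a civil date (year month day), pure integer
# arithmetic so the check does not depend on GNU date -d.
days_from_civil() {
  y=$1; m=$2; d=$3
  if [ "$m" -le 2 ]; then y=$((y - 1)); mp=$((m + 9)); else mp=$((m - 3)); fi
  era=$((y / 400))
  yoe=$((y - era * 400))
  doy=$(( (153 * mp + 2) / 5 + d - 1 ))
  doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
  echo $((era * 146097 + doe - 719468))
}

# Convert an "openssl x509 -enddate" line such as
# "notAfter=Jan  1 00:00:00 2031 GMT" to days since the epoch.
enddate_days() {
  set -- $(printf '%s\n' "${1#*=}")   # -> Mon Day Time Year Zone
  days_from_civil "$4" "$(month_num "$1")" "$2"
}

# Print "expired N", "expiring N" or "ok N", where N is days remaining.
# $1 = enddate line, $2 = reference day (days since epoch).
classify_enddate() {
  left=$(( $(enddate_days "$1") - $2 ))
  if [ "$left" -lt 0 ]; then
    echo "expired $left"
  elif [ "$left" -le "$WARN_DAYS" ]; then
    echo "expiring $left"
  else
    echo "ok $left"
  fi
}

# Scan a directory of *.crt files; exit non-zero if any needs attention.
check_cert_dir() {
  now=$(( $(date +%s) / 86400 ))
  rc=0
  for crt in "$1"/*.crt; do
    [ -f "$crt" ] || continue
    if ! end=$(openssl x509 -enddate -noout -in "$crt" 2>/dev/null); then
      echo "unreadable $crt"; rc=1; continue
    fi
    state=$(classify_enddate "$end" "$now")
    echo "$state $crt"
    case "$state" in ok*) ;; *) rc=1;; esac
  done
  return $rc
}

# Run the scan only when asked, e.g.: sudo sh check-k3s-certs.sh --check
if [ "${1:-}" = "--check" ]; then
  check_cert_dir "$TLS_DIR"
fi
```

A non-zero exit status makes the script usable from cron or a pre-upgrade check, so an expired certificate is caught before `kubectl` starts failing with the x509 error shown at the top of this page.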