Kubernetes: Refresh Certs with Microk8s Cluster

All for one and one for all

Posted by admin on June 11, 2024

It's that time of year again where my homelab Kubernetes cluster (running microk8s) certificates expire.

I didn't even notice.

I happened to check one of my websites and noticed nothing came back.

Early notification when there is a problem in my homelab is a discussion for another time.

Today, I want to run through what I did to get my system back up and running.

Symptom

My websites are down, getting 404 not found or 503 service unavailable.

Troubleshooting

I first log into my kubernetes master node and check to see if my pods are running.

Note that k is an alias for kubectl.

$ k get all
The connection to the server 127.0.0.1:16443 was refused - did you specify the right host or port?
The connection to the server 127.0.0.1:16443 was refused - did you specify the right host or port?
The connection to the server 127.0.0.1:16443 was refused - did you specify the right host or port?
The connection to the server 127.0.0.1:16443 was refused - did you specify the right host or port?
The connection to the server 127.0.0.1:16443 was refused - did you specify the right host or port?
The connection to the server 127.0.0.1:16443 was refused - did you specify the right host or port?
The connection to the server 127.0.0.1:16443 was refused - did you specify the right host or port?
The connection to the server 127.0.0.1:16443 was refused - did you specify the right host or port?
The connection to the server 127.0.0.1:16443 was refused - did you specify the right host or port?
The connection to the server 127.0.0.1:16443 was refused - did you specify the right host or port?

Oh boy, now what?

I have a few years' experience running a kubernetes cluster and am familiar with expired certificates and what a pain it is to fix them.

I happen to be running a lightweight distribution of kubernetes called microk8s. I found their documentation helpful regarding certificates.

$ sudo microk8s refresh-certs --help
[sudo] password for :
Usage: microk8s refresh-certs [OPTIONS] [CA_DIR]

  Replace the CA certificates with the ca.crt and ca.key found in CA_DIR.
  Omit the CA_DIR argument and use the '--cert' flag to auto-generate a new CA
  or any other certificate.

Options:
  -c, --check  Check the expiration time of the installed certificates
  -e, --cert   The certificate to be autogenerated, must be one of ['ca.crt', 'server.crt', 'front-proxy-client.crt']
  -u, --undo   Revert the last refresh performed
  -h, --help       Show this message and exit.
$ sudo microk8s refresh-certs -c
The CA certificate will expire in 3276 days.
The server certificate will expire in 364 days.
The front proxy client certificate will expire in -9 days.

Whoops, I can't believe my sites have been down for 9 days.

Here's the fix to renew the expired certs:

First the server.crt.

$ sudo microk8s refresh-certs -e server.crt
Taking a backup of the current certificates under /var/snap/microk8s/6673/certs-backup/
Creating new certificates
Signature ok
subject=C = GB, ST = Canonical, L = Canonical, O = Canonical, OU = Canonical, CN = 127.0.0.1
Getting CA Private Key
Restarting service kubelite.
Restarting service cluster-agent.

Then the front-proxy-client.crt.

$ sudo microk8s refresh-certs -e front-proxy-client.crt
Taking a backup of the current certificates under /var/snap/microk8s/6673/certs-backup/
Creating new certificates
Signature ok
subject=CN = front-proxy-client
Getting CA Private Key
Restarting service kubelite.

Now, I can recheck to make sure everything looks good.

$ sudo microk8s refresh-certs -c
The CA certificate will expire in 3276 days.
The server certificate will expire in 364 days.
The front proxy client certificate will expire in 364 days.

Awesome! Now let's see if I can access my kubernetes components.

$ k get nodes
NAME            STATUS   ROLES    AGE    VERSION
kbndev01   Ready    <none>   366d   v1.26.15
kbndev02   Ready    <none>   366d   v1.26.15
kbmdev01   Ready    <none>   373d   v1.26.15

Excellent! Now I try to access one of my sites but still nothing is coming up.

More Solutions, More Problems

After several different troubleshooting steps of restarting services and rebooting all the nodes, I find this.

$ k get nodes
NAME            STATUS     ROLES    AGE    VERSION
kbmdev01   Ready      <none>   373d   v1.26.15
kbndev01   NotReady   <none>   366d   v1.26.15
kbndev02   NotReady   <none>   366d   v1.26.15

Why are these nodes not ready?

Do I need to refresh the certs on them as well?

The answer is yes.

I log into each node individually and run the refresh-certs commands to fix the certs.

Then after a few seconds, all the nodes are ready.

$ k get nodes
NAME            STATUS   ROLES    AGE    VERSION
kbmdev01   Ready    <none>   375d   v1.26.15
kbndev02   Ready    <none>   368d   v1.26.15
kbndev01   Ready    <none>   368d   v1.26.15

After that, all my sites were once again accessible.
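The check-then-refresh routine above boils down to reading the output of microk8s refresh-certs -c and running refresh-certs -e for each certificate that is expired or about to expire, on every node. The following POSIX shell script is an added example (not the author's code and not part of microk8s) that automates that reading step: it parses the exact output format shown in this post, flags certificates within a chosen number of days of expiry (negative days means already expired, as with the -9 days above), and prints the matching refresh-certs command for each one. The sample output embedded in the script is constructed to match the post; on a real node you would feed it the live output of sudo microk8s refresh-certs -c instead.

```shell
#!/bin/sh
# Added example (not from the original post): find the microk8s certificates
# that are expired or close to expiry and print the command to refresh each one.
# Run it on every node, since each node carries its own certificates.

# Constructed sample, copied from the output format of `microk8s refresh-certs -c`.
# On a real node replace it with: SAMPLE_OUTPUT=$(sudo microk8s refresh-certs -c)
SAMPLE_OUTPUT='The CA certificate will expire in 3276 days.
The server certificate will expire in 364 days.
The front proxy client certificate will expire in -9 days.'

# Regex that captures the certificate name and the (possibly negative) day count.
LINE_RE='^The \(.*\) certificate will expire in \(-\{0,1\}[0-9]*\) days\.$'

# Map the human-readable name in the check output to the --cert value that
# `microk8s refresh-certs -e` accepts (the three names listed in its --help).
cert_file_for() {
  case "$1" in
    "CA") echo "ca.crt" ;;
    "server") echo "server.crt" ;;
    "front proxy client") echo "front-proxy-client.crt" ;;
    *) echo "unknown" ;;
  esac
}

# certs_needing_refresh OUTPUT THRESHOLD_DAYS
# Prints one certificate filename per line for every certificate whose
# remaining lifetime is THRESHOLD_DAYS or less. Already-expired certificates
# have a negative day count and are therefore always included.
certs_needing_refresh() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    name=$(printf '%s' "$line" | sed -n "s/$LINE_RE/\\1/p")
    days=$(printf '%s' "$line" | sed -n "s/$LINE_RE/\\2/p")
    [ -n "$name" ] || continue          # skip lines that are not expiry lines
    if [ "$days" -le "$2" ]; then
      cert_file_for "$name"
    fi
  done
}

# refresh_plan OUTPUT THRESHOLD_DAYS
# Prints the refresh-certs command for each certificate that needs it.
# It only prints; run the lines yourself after reviewing them.
refresh_plan() {
  certs_needing_refresh "$1" "$2" | while IFS= read -r cert; do
    printf 'sudo microk8s refresh-certs -e %s\n' "$cert"
  done
}

# Warn 30 days ahead: with the sample above this prints only the
# front-proxy-client.crt command, the certificate that was already expired.
refresh_plan "$SAMPLE_OUTPUT" 30
```

Pick the threshold to suit how often you look at the homelab; a value of 30 catches the certificate that was 9 days past expiry in the post, while a value of 365 would also list server.crt, which had 364 days left. Because the script is read-only, it can run from cron on each node and its output can be turned into whatever alert you prefer, without touching the certificates itself.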

Conclusion

If your kubernetes certificates are expired, especially when using the microk8s distribution, be sure to renew all the certs on all the nodes.

If you found value in this post, consider following me on X @davidpuplava for more valuable information about Game Dev, OrchardCore, C#/.NET and other topics.