k8s cluster error: etcd fails to validate the client certificate (certificate error)
Fixing the certificate error
Command reference
openssl commands
Check the version
openssl version
Create an RSA private key
openssl genrsa -out private.key 2048
Create a new private key and CSR file
openssl req -nodes -newkey rsa:2048 -keyout custom.key -out custom.csr
Create a new private key and self-signed certificate
openssl req -x509 -sha512 -nodes -days 730 -newkey rsa:2048 -keyout custom.key -out custom.pem
It will prompt for details such as country code, state and locality name, organization name, your name, email address and so on. Once everything has been entered it produces two files, one with the .pem extension and one with the .key extension: the self-signed certificate and the private key respectively. In this example the validity period is set to 730 days; if you omit -days, it defaults to one month. You can also change the digest (hash) algorithm to suit you; here SHA512 is used.
Verify the CSR file
openssl req -noout -text -in custom.csr
It prints the details you entered when creating the CSR, which can be used to confirm that the right CSR file is being sent to the right recipient.
Verify the private key file
openssl rsa -in private.key -check
It validates and checks the RSA private key; if the key is fine, it prints RSA key ok.
Check the certificate issuer
openssl x509 -in custom.pem -noout -issuer -issuer_hash
It prints the issuer details you entered when creating the PEM file, together with the issuer hash, which can be used to confirm that the right PEM file is being sent to the right recipient.
Get the certificate's hash
openssl x509 -noout -hash -in custom.pem
It prints the subject name hash of the PEM certificate.
Convert PEM to DER format
openssl x509 -outform der -in custom.pem -out custom.der
It converts the certificate from PEM to DER encoding and writes a new file with the .der extension.
Check the validity period of a PEM certificate
openssl x509 -noout -in custom.pem -dates
That is the full tutorial on generating an SSL certificate with OpenSSL. The result is a self-signed certificate and is only suitable for testing or learning. To actually secure a website, Anxin SSL recommends applying for a certificate issued by a trusted CA.
Concrete steps to fix the error
Command to check the certificates
kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration
W0307 09:12:56.979067 88490 configset.go:202] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Feb 22, 2023 08:19 UTC   <invalid>                               no
apiserver                  Feb 22, 2023 08:19 UTC   <invalid>       ca                      no
apiserver-etcd-client      Feb 22, 2023 08:19 UTC   <invalid>       etcd-ca                 no
apiserver-kubelet-client   Feb 22, 2023 08:19 UTC   <invalid>       ca                      no
controller-manager.conf    Feb 22, 2023 08:19 UTC   <invalid>                               no
etcd-healthcheck-client    Feb 22, 2023 08:19 UTC   <invalid>       etcd-ca                 no
etcd-peer                  Feb 22, 2023 08:19 UTC   <invalid>       etcd-ca                 no
etcd-server                Feb 22, 2023 08:19 UTC   <invalid>       etcd-ca                 no
front-proxy-client         Feb 22, 2023 08:19 UTC   <invalid>       front-proxy-ca          no
scheduler.conf             Feb 22, 2023 08:19 UTC   <invalid>                               no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Feb 20, 2032 08:19 UTC   8y              no
etcd-ca                 Feb 20, 2032 08:19 UTC   8y              no
front-proxy-ca          Feb 20, 2032 08:19 UTC   8y              no
Command to renew the certificates
kubeadm alpha certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
[renew] Error reading configuration from the Cluster. Falling back to default configuration
W0307 09:14:12.202017 89094 configset.go:202] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
Restart the services
After the certificates have been renewed, kube-apiserver, kube-controller-manager, kube-scheduler and etcd must be restarted.
Because the CRI is docker, restart them through docker (awk keeps only the container ID column, so xargs does not pass the other docker ps columns to docker restart):
docker ps | grep -E 'k8s_kube-apiserver|k8s_kube-controller-manager|k8s_kube-scheduler|k8s_etcd_etcd' | awk '{print $1}' | sudo xargs docker restart
3944af5895a4
k8s_kube-apiserver_kube-apiserver-master1_kube-system_f88d02e868e3eb64cc3d3192d6df5919_187
9c4cca5bb162
k8s_kube-controller-manager_kube-controller-manager-master1_kube-system_5e05082b951b951f202780db112aa0c6_113
840e34bc5f87
k8s_kube-scheduler_kube-scheduler-master1_kube-system_a8caea92c80c24c844216eb1d68fe417_111
ddf8177dcf96
k8s_etcd_etcd-master1_kube-system_4c9951fe240640ddf0396bdf6e194d58_62
Copy the admin kubeconfig to the current user
Copy:
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
Symlink:
mkdir -p $HOME/.kube
sudo ln -sf /etc/kubernetes/admin.conf ~/.kube/config
If ~/.kube/config was already a symlink, nothing needs to be done after the renewal; the new certificate is picked up automatically.
Finally, test that the command works
kubectl get node
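As an added example (not from the original post), here is a POSIX shell audit that applies the openssl commands from the reference section above to the kubeadm certificate directory listed in the summary: for each leaf certificate it checks that it still verifies against the CA that is supposed to have issued it (the relationship etcd checks when it rejects a client certificate) and that it is still valid a configurable number of days from now. The pki layout and file names are the kubeadm defaults; the script name audit-pki.sh, the AUDIT_PKI_DIR and AUDIT_WARN_DAYS variables and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: audit a kubeadm-style pki directory.
# For each leaf certificate, confirm it still chains to the CA that is supposed to
# have issued it (what etcd checks when it rejects a client certificate) and that it
# is still valid WARN_DAYS from now. Returns the number of problems found.

# cert_ok_until FILE DAYS: 0 if FILE is still valid DAYS days from now
cert_ok_until() {
    openssl x509 -noout -in "$1" -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# cert_chains_to LEAF CA: 0 if LEAF verifies against CA
cert_chains_to() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# audit_pki PKI_DIR WARN_DAYS: prints one line per problem, returns the problem count.
# Layout assumed (kubeadm defaults): ca.crt issues the apiserver certs, etcd/ca.crt
# issues apiserver-etcd-client.crt and etcd/*.crt, front-proxy-ca.crt issues
# front-proxy-client.crt. Missing files are skipped (not every node has every cert).
audit_pki() {
    dir=$1; days=$2; bad=0
    for pair in \
        "ca.crt:apiserver.crt" \
        "ca.crt:apiserver-kubelet-client.crt" \
        "etcd/ca.crt:apiserver-etcd-client.crt" \
        "etcd/ca.crt:etcd/server.crt" \
        "etcd/ca.crt:etcd/peer.crt" \
        "etcd/ca.crt:etcd/healthcheck-client.crt" \
        "front-proxy-ca.crt:front-proxy-client.crt"
    do
        ca="$dir/${pair%%:*}"; leaf="$dir/${pair#*:}"
        [ -f "$leaf" ] || continue
        if ! cert_chains_to "$leaf" "$ca"; then
            echo "CHAIN   $leaf does not verify against $ca"; bad=$((bad + 1))
        fi
        if ! cert_ok_until "$leaf" "$days"; then
            echo "EXPIRY  $leaf expires within $days days"; bad=$((bad + 1))
        fi
    done
    return $bad
}

# Run on a control-plane node as: AUDIT_PKI_DIR=/etc/kubernetes/pki sh audit-pki.sh
if [ -n "${AUDIT_PKI_DIR-}" ]; then
    audit_pki "$AUDIT_PKI_DIR" "${AUDIT_WARN_DAYS:-30}"
fi
```

A non-zero exit status means at least one certificate either no longer chains to its CA or is about to expire, which is the state the kubeadm check-expiration table above reports as <invalid>.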
Summary
Certificate path
/etc/kubernetes/pki/
Pod logs
/var/log/pods/
or
kubectl logs -f <pod-name> -n <namespace>
YAML files that create the control-plane components (static pod manifests)
/etc/kubernetes/manifests