Unable to connect to the server_ x509_ certificate is valid for 问题解决
问题原因:
k8s的apiserver 需要暴露在公网给阿里云的云效托管使用,之前在部署K8S签发证书的时候,apiserver-advertise-address=172.16.10.185 写的是内网的地址,,默认情况下,kubernetes自建的CA会为apiserver签发一个证书,证书的默认可访问的是内网IP、kubernetes、kubernetes.default kubernetes.default.svc、kubernetes.default.svc.cluster.local,不包含设备的外网IP。所以直接通过admin.conf去访问kubernetes是不可能的。在使用映射后的公网地址访问时,报错Unable to connect to the server: x509: certificate is valid for XX.XX.XX.XX
解决方案:
列出所有被写在证书的地址列表:
cd /etc/kubernetes/pki
openssl x509 -noout -text -in apiserver.crt
[root@master pki]# openssl x509 -noout -text -in apiserver.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1783001947581901794 (0x18be7ed31772ebe2)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = kubernetes
Validity
Not Before: Apr 30 06:31:34 2024 GMT
Not After : Apr 30 07:49:47 2025 GMT
Subject: CN = kube-apiserver
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:c2:4b:42:1a:2f:96:84:c2:c2:c0:5d:2d:b6:11:
10:93
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Authority Key Identifier:
keyid:F0:DC:B1:59:35:FE:D9:6A:B6:FC:D9:2C:6B:F9:09:46:C0:11:88:02
X509v3 Subject Alternative Name:
DNS: DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, DNS:master, IP Address:10.96.0.1, IP Address:172.16.10.185
Signature Algorithm: sha256WithRSAEncryption
a1:a3:b0:41:97:cf:cd:4a:4f:45:16:6b:29:46:a9:f5:8b:ec:
a3:6a:af:45:ba:16:57:6d:ce:ea:85:c4:92:e0:82:c6:cf:5e:
d6:79:93:c8:ed:e4:3d:10:9f:34:a0:07:a4:90:2a:f9:bd:d3:
ba:ea:98:3d:4e:46:2d:e2:ba:28:da:98:36:a5:dd:57:85:4f:
0a:e3:fb:06:bc:19:c6:e4:63:83:a0:aa:74:7d:c4:b1:a6:6b:
1b:e5:fa:99:25:09:c2:2b:e4:b8:ad:f7:95:08:9e:d6:c6:9b:
14:97:a3:6d:a1:61:90:40:3f:53:26:c2:39:52:7a:9a:1c:46:
2a:9a:af:a6
X509v3 Subject Alternative Name
删除当前kubernetes集群下的apiserver的cert和key
rm /etc/kubernetes/pki/apiserver.*
生成新的apiserver的cert和key
kubeadm init phase certs apiserver --apiserver-advertise-address ${原来的advertise ip} \
--apiserver-cert-extra-sans ${master的外网ip}
:::tips
添加新的IP 和域名
--apiserver-cert-extra-sans 222.222.222.1 k8s.srebro.cn
:::
kubeadm init phase certs apiserver --apiserver-advertise-address 172.16.10.185 \
--apiserver-cert-extra-sans 222.222.222.1 k8s.srebro.cn
刷新admin.conf
kubeadm alpha certs renew admin.conf
重启apiserver(docker restart XX)
[root@master kubernetes]# docker ps | grep kube-apiserver
48d0dd6c9b37 2b5e9c96248f "kube-apiserver --ad…" 4 hours ago Up 4 hours k8s_kube-apiserver_kube-apiserver-master_kube-system_4a6f3f9b4b82ec73b37c8aea4a24e017_1
[root@master kubernetes]# docker restart 48d0dd6c9b37
- 感谢你赐予我前进的力量
-
微信 
支付宝
赞赏者名单
因为你们的支持让我意识到写文章的价值🙏
本文是原创文章,采用 CC BY-NC-ND 4.0 协议,完整转载请注明来自 运维小弟
阅读建议
评论
匿名评论
隐私政策
你无需删除空行,直接评论以获取最佳展示效果