By default, TLS certificates in Kubernetes have an expiration of 1 year for the client/server, and once a certificate has expired the API server can't authenticate requests.
Verify The Certificate Expiration
In order to verify that k3s is down because of the certificate, you can check the service status on the master node/control node.
sudo systemctl status k3s
Example of the Error Log:
Jan 13 10:15:19 sa-k8s-prod-master k3s[1788901]: E0113 10:15:19.774025 1788901 authentication.go:73] "Unable to authenticate the request" err="[x509: certificate has expired or is not yet valid: current time 2026-01-13T10:15:19+01:00 is after 2025-12-26T20:10:10Z, verifying certificate SN=2680174939717522757, SKID=, AKID=EF:0F:A4:61:2D:2D:2D:68:49:70:D0:46:17:E3:C5:40:55:C6:23:5C failed: x509: certificate has expired or is not yet valid: current time 2026-01-13T10:15:19+01:00 is after 2025-12-26T20:10:10Z]"
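The log check above can be scripted. The function below is an added example, not part of the original post: it reads k3s journal lines on stdin and reports, per certificate serial, whether the failure is a real expiry ("is after") or a not-yet-valid certificate ("is before", which typically points at the node's clock rather than at an expired certificate). The first sample line is the error shown above; the other lines, including serial 1111111111 and host node-example, are constructed.

```sh
#!/bin/sh
# Added example (not from the original post).
# Summarise x509 validity failures found in k3s journal lines read from stdin.
# Output, tab-separated, one line per distinct certificate:
#   STATE  SERIAL  BOUNDARY  COUNT
#   expired        current time "is after" the certificate's end date
#   not-yet-valid  current time "is before" the certificate's start date
k3s_x509_failures() {
    grep 'x509: certificate has expired or is not yet valid' |
    sed -n -E 's/.*current time [^ ]+ is (after|before) ([^ ,]+), verifying certificate SN=([0-9]+).*/\1 \3 \2/p' |
    sort | uniq -c |
    awk '{ state = ($2 == "after") ? "expired" : "not-yet-valid"
           printf "%s\t%s\t%s\t%s\n", state, $3, $4, $1 }'
}

# Sample input. Line 1 is the error from this page; the rest are constructed
# (hypothetical serial 1111111111, shortened fields) to exercise each case.
sample_log() {
    cat <<'EOF'
Jan 13 10:15:19 sa-k8s-prod-master k3s[1788901]: E0113 10:15:19.774025 1788901 authentication.go:73] "Unable to authenticate the request" err="[x509: certificate has expired or is not yet valid: current time 2026-01-13T10:15:19+01:00 is after 2025-12-26T20:10:10Z, verifying certificate SN=2680174939717522757, SKID=, AKID=EF:0F:A4:61:2D:2D:2D:68:49:70:D0:46:17:E3:C5:40:55:C6:23:5C failed: x509: certificate has expired or is not yet valid: current time 2026-01-13T10:15:19+01:00 is after 2025-12-26T20:10:10Z]"
Jan 13 10:15:24 sa-k8s-prod-master k3s[1788901]: E0113 10:15:24.101310 1788901 authentication.go:73] "Unable to authenticate the request" err="[x509: certificate has expired or is not yet valid: current time 2026-01-13T10:15:24+01:00 is after 2025-12-26T20:10:10Z, verifying certificate SN=2680174939717522757, SKID=, AKID= failed]"
Jan 13 10:15:30 node-example k3s[4242]: E0113 10:15:30.000000 4242 authentication.go:73] "Unable to authenticate the request" err="[x509: certificate has expired or is not yet valid: current time 2026-01-13T10:15:30+01:00 is before 2026-02-01T00:00:00Z, verifying certificate SN=1111111111, SKID=, AKID= failed]"
Jan 13 10:15:31 node-example k3s[4242]: I0113 10:15:31.000000 4242 server.go:1] "Constructed unrelated line"
EOF
}

# On a node: sudo journalctl -u k3s --since today | k3s_x509_failures
sample_log | k3s_x509_failures
```

An "expired" row is the case the rotation steps below address; a "not-yet-valid" row means the node's time should be checked first.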
Steps To Renew k3s Certificate
Stop K3s Service
Stop the k3s service on the master node.
sudo systemctl stop k3s
Renew K3s Certificate
Now we need to regenerate the API server certificate.
sudo k3s certificate rotate
You should see something like this:
root@sa-k8s-prod-master:~# sudo k3s certificate rotate
INFO[0000] Server detected, rotating server certificates
INFO[0000] Rotating certificates for admin service
INFO[0000] Rotating certificates for etcd service
INFO[0000] Rotating certificates for api-server service
INFO[0000] Rotating certificates for controller-manager service
INFO[0000] Rotating certificates for cloud-controller service
INFO[0000] Rotating certificates for scheduler service
INFO[0000] Rotating certificates for k3s-server service
INFO[0000] Rotating dynamic listener certificate
INFO[0000] Rotating certificates for k3s-controller service
INFO[0000] Rotating certificates for auth-proxy service
INFO[0000] Rotating certificates for kubelet service
INFO[0000] Rotating certificates for kube-proxy service
INFO[0000] Successfully backed up certificates for all services to path /var/lib/rancher/k3s/server/tls-1768298545, please restart k3s server or agent to rotate certificates
Start K3s Service
Start the k3s service on the master node.
sudo systemctl start k3s
Verify The Certificate Renewal
You can check whether the certificate renewal worked with either of the following:
sudo systemctl status k3s
OR
sudo k3s kubectl get nodes