miaoyun+Rancher+K8S Learning and Practice


k3s+rke certificate expiry

<h1>1. RKE certificate expiry</h1>
<p>Official documentation: Rotating certificates <a href="https://docs.rancher.cn/docs/rancher2/cluster-admin/certificate-rotation/_index/">https://docs.rancher.cn/docs/rancher2/cluster-admin/certificate-rotation/_index/</a></p>
<p>Rancher-K8S certificate rotation <a href="https://www.xtplayer.cn/rancher/rotate-cert/">https://www.xtplayer.cn/rancher/rotate-cert/</a><br>
Rancher UI cannot be opened because of expired certificates <a href="https://www.mayanpeng.cn/archives/120.html">https://www.mayanpeng.cn/archives/120.html</a></p>
<h1>2. K3S certificate expiry</h1>
<p>Rock-solid guide! Manually rotating certificates in Rancher 2.3 to keep the cluster secure! <a href="https://www.cnblogs.com/rancherlabs/p/14070114.html">https://www.cnblogs.com/rancherlabs/p/14070114.html</a><br>
k3s certificate rotation verification <a href="http://kingsd.top/2020/07/01/k3s-cert-rotary/">http://kingsd.top/2020/07/01/k3s-cert-rotary/</a></p>
<p>The login page of a Rancher instance installed on k3s reports this error:</p>
<pre><code class="language-bash">Get "https://10.43.0.1:443/apis/management.cattle.io/v3/settings/ui-pl?timeout=15m0s": x509: certificate has expired or is not yet valid: current time 2022-01-19T03:58:43Z is after 2021-12-19T13:52:44Z</code></pre>
<p>K3S certificate expiry: the following is based on <a href="http://kingsd.top/2020/07/01/k3s-cert-rotary/">http://kingsd.top/2020/07/01/k3s-cert-rotary/</a></p>
<p>Check the certificate expiry dates:</p>
<pre><code class="language-bash"># Print the notAfter date of every certificate in the k3s server TLS directory
for i in /var/lib/rancher/k3s/server/tls/*.crt; do echo "$i"; openssl x509 -enddate -noout -in "$i"; done</code></pre>
<p>1. Set the time to 2022-01-09 22:12:00</p>
<pre><code class="language-bash">/var/lib/rancher/k3s/server/tls/client-admin.crt
notAfter=Dec 19 13:52:37 2021 GMT
/var/lib/rancher/k3s/server/tls/client-auth-proxy.crt
notAfter=Dec 19 13:52:37 2021 GMT
/var/lib/rancher/k3s/server/tls/client-ca.crt
notAfter=Dec 17 13:43:20 2030 GMT
/var/lib/rancher/k3s/server/tls/client-cloud-controller.crt
notAfter=Dec 19 13:52:37 2021 GMT
/var/lib/rancher/k3s/server/tls/client-controller.crt
notAfter=Dec 19 13:52:37 2021 GMT
/var/lib/rancher/k3s/server/tls/client-k3s-controller.crt
notAfter=Dec 19 13:52:37 2021 GMT
/var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt
notAfter=Dec 19 13:52:37 2021 GMT
/var/lib/rancher/k3s/server/tls/client-kube-proxy.crt
notAfter=Dec 19 13:52:37 2021 GMT
/var/lib/rancher/k3s/server/tls/client-scheduler.crt
notAfter=Dec 19 13:52:37 2021 GMT
/var/lib/rancher/k3s/server/tls/request-header-ca.crt
notAfter=Dec 17 13:43:20 2030 GMT
/var/lib/rancher/k3s/server/tls/server-ca.crt
notAfter=Dec 17 13:43:20 2030 GMT
/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt
notAfter=Dec 19 13:52:37 2021 GMT</code></pre>
<p>This confirms that the k3s cluster's certificates expired at Dec 19 13:52:37 2021 GMT.</p>
<p>Solution: follow the link above. One addition: after restarting with <code>service k3s restart</code> and logging in to Rancher, an error appears saying that the name already exists. On the command line, run <code>crictl ps -a</code> to check, and delete the pods in the Exited state (<code>crictl rm cid</code>). After waiting a moment, Rancher starts up successfully.</p>
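<p>The expiry check above can be turned into a report that separates expired certificates from those about to expire. The following is an added example, not part of the original notes: it parses the path / <code>notAfter=</code> output format shown above; the function names, the 90-day warning window and the three-certificate sample are assumptions made for the illustration.</p>

```python
"""Added example: classify k3s certificates from `openssl x509 -enddate` output."""
from datetime import datetime, timedelta, timezone

# Constructed sample: three entries in the path / notAfter format shown above.
SAMPLE = """\
/var/lib/rancher/k3s/server/tls/client-admin.crt
notAfter=Dec 19 13:52:37 2021 GMT
/var/lib/rancher/k3s/server/tls/client-ca.crt
notAfter=Dec 17 13:43:20 2030 GMT
/var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt
notAfter=Dec 19 13:52:37 2021 GMT
"""

def parse_enddates(text):
    """Return {path: expiry datetime in UTC} from alternating path / notAfter= lines."""
    certs, path = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("notAfter="):
            if path is None:
                raise ValueError("notAfter line without a preceding certificate path")
            stamp = line[len("notAfter="):]
            # openssl pads single-digit days with a space ("Jan  9"); split() normalises that
            when = datetime.strptime(" ".join(stamp.split()), "%b %d %H:%M:%S %Y GMT")
            certs[path] = when.replace(tzinfo=timezone.utc)
            path = None
        elif line:
            path = line
    return certs

def classify(certs, now, warn_days=90):
    """Split certificates into expired / expiring within warn_days / ok."""
    report = {"expired": [], "expiring": [], "ok": []}
    for path, when in sorted(certs.items()):
        if when <= now:
            report["expired"].append(path)
        elif when - now <= timedelta(days=warn_days):
            report["expiring"].append(path)
        else:
            report["ok"].append(path)
    return report

if __name__ == "__main__":
    # "current time" taken from the x509 error message quoted above
    now = datetime(2022, 1, 19, 3, 58, 43, tzinfo=timezone.utc)
    for state, paths in classify(parse_enddates(SAMPLE), now).items():
        for p in paths:
            print(f"{state:9} {p}")
```

<p>To run it against a live node, pass the output of the <code>for</code> loop above to <code>parse_enddates</code> and use <code>datetime.now(timezone.utc)</code> as <code>now</code>.</p>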
