Rancher's k3s certificate has expired

Symptoms

Rancher cannot be reached through the web UI. On the server, port 443 is no longer listening, while port 6443 still is.

Rancher error log

rancher    | time="2023-01-05T01:56:07.241615176Z" level=info msg="Waiting for master node  startup: resource name may not be empty"
rancher    | 2023/01/05 01:56:07 [INFO] Waiting for server to become available: Get "https://127.0.0.1:6443/version?timeout=15m0s": x509: certificate has expired or is not yet valid: current time 2023-01-05T01:56:07Z is after 2022-12-28T10:04:18Z
rancher    | 2023-01-05 01:56:07.825328 I | http: TLS handshake error from 127.0.0.1:46358: remote error: tls: bad certificate
rancher    | I0105 01:56:08.154170      30 request.go:621] Throttling request took 1.036152126s, request: GET:https://127.0.0.1:6444/apis/scheduling.k8s.io/v1?timeout=32s
rancher    | time="2023-01-05T01:56:08.241957765Z" level=info msg="Waiting for master node  startup: resource name may not be empty"
rancher    | 2023-01-05 01:56:08.313648 I | http: TLS handshake error from 127.0.0.1:46360: remote error: tls: bad certificate
rancher    | 2023-01-05 01:56:08.314903 I | http: TLS handshake error from 127.0.0.1:46362: remote error: tls: bad certificate
rancher    | time="2023-01-05T01:56:08.314951029Z" level=error msg="server https://127.0.0.1:6443/cacerts is not trusted: Get https://127.0.0.1:6443/cacerts: x509: certificate has expired or is not yet valid"

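Analysis

As the log shows, Rancher's connection to port 6443 is timing out because of a certificate problem.
Anyone familiar with k3s or k8s will recognize port 6443 as Rancher's k3s service, so the task is to fix the expired k3s certificate.
However, inside the container we can see that k3s has not started, so we first need to get it running.
This leads to the following approach:

Approach

  • Set the server date to before the certificate expired so that k3s can start normally
  • Renew the k3s certificate
  • Restore the server time
  • Restart the container

Fix

  • Stop time synchronization (if any)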
[root@rancher rancher-test]# service ntpd stop
Redirecting to /bin/systemctl stop ntpd.service
  • Change the server time
[root@rancher rancher]# date -s 20221010
  • Restart the container and enter it
[root@rancher rancher]# docker-compose restart
[root@rancher rancher]# docker ps
CONTAINER ID        IMAGE                                COMMAND                  CREATED                  STATUS                  PORTS               NAMES
d5ba9645f423        harbocto.boe.com.cn/public/rancher   "entrypoint.sh --no-…"   Less than a second ago   Up Less than a second                       rancher
[root@rancher rancher]# docker exec -it d5 bash
  • Delete the certificate (the k3s-serving secret and the cached dynamic-cert.json)
root@rancher:/var/lib/rancher# kubectl --insecure-skip-tls-verify -n kube-system delete secrets k3s-serving
secret "k3s-serving" deleted
root@rancher:/var/lib/rancher# rm -f /var/lib/rancher/k3s/server/tls/dynamic-cert.json
  • Exit the container and set the time back to the correct value
root@rancher:/var/lib/rancher# exit
exit
[root@rancher rancher]# ntpdate -u 10.10.239.65
 5 Jan 09:55:03 ntpdate[146258]: step time server 10.10.239.65 offset 6400014.715005 sec
  • Restart the service to regenerate the certificate
[root@rancher rancher]# docker-compose restart
Restarting rancher ... done
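
The rollback date has to be earlier than the certificate's expiry, which the x509 error in the log states. The script below is an added example, not part of the original post: it scans Rancher log lines for that error and prints each failing endpoint with the certificate's notAfter time and the number of whole days it is overdue. The function names are hypothetical, and the sample input is three lines copied from the log above.

```sh
#!/bin/sh
# Added example (not from the original post): report expired-certificate
# errors found in Rancher/k3s log output read from stdin.

# Sample input: three lines copied from the log shown earlier on this page.
sample_log() {
  cat <<'EOF'
rancher    | time="2023-01-05T01:56:07.241615176Z" level=info msg="Waiting for master node  startup: resource name may not be empty"
rancher    | 2023/01/05 01:56:07 [INFO] Waiting for server to become available: Get "https://127.0.0.1:6443/version?timeout=15m0s": x509: certificate has expired or is not yet valid: current time 2023-01-05T01:56:07Z is after 2022-12-28T10:04:18Z
rancher    | 2023-01-05 01:56:07.825328 I | http: TLS handshake error from 127.0.0.1:46358: remote error: tls: bad certificate
EOF
}

# Prints "<endpoint> <notAfter> <whole days overdue>", once per endpoint.
expired_endpoints() {
  awk '
    # Days since 1970-01-01 for a Gregorian calendar date.
    function days(y, m, d,    a, yy, mm, j) {
      a = int((14 - m) / 12); yy = y + 4800 - a; mm = m + 12 * a - 3
      j = d + int((153 * mm + 2) / 5) + 365 * yy + int(yy / 4)
      return j - int(yy / 100) + int(yy / 400) - 32045 - 2440588
    }
    # Seconds since the epoch for a UTC stamp such as 2023-01-05T01:56:07Z.
    function secs(ts,    p) {
      split(ts, p, /[-T:Z]/)
      return days(p[1], p[2], p[3]) * 86400 + p[4] * 3600 + p[5] * 60 + p[6]
    }
    /x509: certificate has expired or is not yet valid: current time/ {
      url = "unknown"
      if (match($0, /Get "[^"]+"/)) url = substr($0, RSTART + 5, RLENGTH - 6)
      match($0, /current time [^ ]+ is after [^ ]+/)
      split(substr($0, RSTART, RLENGTH), f, " ")   # f[3]=now, f[6]=notAfter
      if (url in seen) next
      seen[url] = 1
      printf "%s %s %d\n", url, f[6], int((secs(f[3]) - secs(f[6])) / 86400)
    }
  '
}

sample_log | expired_endpoints
```

Any date earlier than the printed notAfter value works for the rollback step; the post uses 20221010.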
