Issue type: Kubernetes on Docker Desktop stopped working due to expired kube-apiserver certificates

OS Version/build: Windows 10 version - 1909 and OS Build - 18363

App version: Docker Desktop 3.03

Steps to reproduce:

  1. Install Docker Desktop
  2. Enable Kubernetes
  3. Change the Windows PC time ahead by 1 year
  4. The Kubernetes cluster will stop working, saying the kube-apiserver certificates are expired
  5. The applications/workloads deployed on the Kubernetes cluster will also stop working.

As Kubernetes certificates are issued for 1 year, after the 1-year period the certificates expire and this will break Kubernetes.

certificate snapshot

Need help: Requesting information on how to renew the kube-apiserver certificates without affecting Kubernetes and the installed application

dock-dock
  • What exact error are you getting from the logs? – Malgorzata Mar 29 '21 at 15:59
  • When I run any kubectl command I get the following output: Unable to connect to the server: x509: certificate has expired or is not yet valid – dock-dock Mar 29 '21 at 17:14
  • Did you check https://stackoverflow.com/questions/48797261/how-to-fix-expired-client-cert-in-docker-machine https://stackoverflow.com/questions/35289802/docker-pull-error-x509-certificate-has-expired-or-is-not-yet-valid – Malgorzata Mar 30 '21 at 09:51
  • @Malgorzata Thank you for the pointer. But the above thread is about docker-machine. In my case the issue is the kube-apiserver certificates, which are issued by Kubernetes. – dock-dock Mar 30 '21 at 10:48
  • "If you are running Docker on Windows Server, or Docker Desktop for Windows with Windows containers, the system default certificates are only used when no custom root certificates are configured." https://docs.docker.com/engine/security/certificates/#understand-the-configuration In the releases I am not seeing version 3.03; can you upgrade the docker-desktop version? https://docs.docker.com/docker-for-windows/install/#automatic-updates – Malgorzata Apr 16 '21 at 16:37

1 Answer

I also had the issue showing in the etcd logs:

{"level":"warn","ts":"2023-02-14T11:47:26.260Z","caller":"embed/config_logging.go:169","msg":"rejected connection","remote-addr":"192.168.65.4:34996","server-name":"","error":"tls: failed to verify client certificate: x509: certificate has expired or is not yet valid: current time 2023-02-14T11:47:26Z is after 2023-02-03T12:24:57Z"}

I found the answer for Windows here: https://forums.docker.com/t/kubernetes-on-docker-desktop-fails-to-launch-after-kube-apiserver-certificate-expiry/106570/2

On Mac OS, the path is ~/Library/Containers/com.docker.docker. Delete or back up the pki folder and restart Docker. Kubernetes should come back.

m1schka
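A triage sketch for the two error forms quoted on this page, added here as an example and not part of the original posts: it separates a certificate that is past its NotAfter from one the clock considers not yet valid, which matters because the reproduction steps change the system clock. The function and field names are hypothetical, and the third sample line (including its address) is constructed.

```python
import json
import re
from datetime import datetime

TS = r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:Z|[+-]\d\d:\d\d))"
# Go's crypto/x509 error text; the "current time ..." detail is absent in some client output.
X509_VALIDITY = re.compile(
    r"x509: certificate has expired or is not yet valid"
    r"(?:: current time " + TS + r" is (after|before) " + TS + r")?")

# Lines 1 and 2 are quoted from this page; line 3 is constructed for the clock-skew case.
SAMPLE = [
    r'{"level":"warn","ts":"2023-02-14T11:47:26.260Z","caller":"embed/config_logging.go:169","msg":"rejected connection","remote-addr":"192.168.65.4:34996","server-name":"","error":"tls: failed to verify client certificate: x509: certificate has expired or is not yet valid: current time 2023-02-14T11:47:26Z is after 2023-02-03T12:24:57Z"}',
    "Unable to connect to the server: x509: certificate has expired or is not yet valid",
    r'{"level":"warn","msg":"rejected connection","remote-addr":"192.0.2.10:40000","error":"x509: certificate has expired or is not yet valid: current time 2022-01-01T00:00:00Z is before 2022-02-03T12:24:57Z"}',
]

def _ts(value):
    # RFC 3339 timestamp; older Python versions need an explicit offset instead of "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def triage(lines):
    """Return one finding per line that reports an x509 validity-period failure."""
    findings = []
    for line in lines:
        text, peer = line, None              # default: plain text such as kubectl output
        try:
            entry = json.loads(line)
        except ValueError:
            entry = None
        if isinstance(entry, dict):          # structured etcd log entry
            text, peer = str(entry.get("error", "")), entry.get("remote-addr")
        m = X509_VALIDITY.search(text)
        if not m:
            continue
        if m.group(1) is None:               # message without the time detail
            findings.append({"peer": peer, "state": "unspecified", "delta_days": None})
            continue
        now, bound = _ts(m.group(1)), _ts(m.group(3))
        state = "expired" if m.group(2) == "after" else "not_yet_valid"
        findings.append({"peer": peer, "state": state,
                         "delta_days": abs(now - bound).days})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A `not_yet_valid` result, or an `expired` result with an implausibly large `delta_days`, points at the host clock rather than the certificates, so check the system time before deleting the pki folder.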