Kubernetes cluster certificates expire after 1 year by default, causing API server, kubelet, etcd, and other control plane components to become unavailable. The cluster becomes inaccessible when certificates expire. Fix by renewing certificates proactively or implementing automatic rotation.
Kubernetes uses TLS certificates for all control plane communication (API server, kubelet, etcd, webhooks). Certificates have expiration dates (default 1 year). When a certificate expires, components reject TLS connections with x509 errors, which affects the functionality of the entire cluster.
For kubeadm clusters:
sudo kubeadm certs check-expiration
Shows all control plane certs with residual time. For a manual check:
openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text | grep "Not After"
# Or just the date:
openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -enddate
Renew all control plane certificates:
sudo kubeadm certs renew all
Then restart kubelet:
sudo systemctl restart kubelet
# OR (static pods):
kubectl delete pod -n kube-system <apiserver-pod>
kubectl delete pod -n kube-system <etcd-pod>
Confirm new certificates are loaded:
sudo kubeadm certs check-expiration
# Should show ~1 year residual time for all certs
# Verify kubectl works
kubectl get nodes
Cluster should become accessible immediately.
Certificate appears "not yet valid" if system clock is behind:
timedatectl status
ntpstat
# Sync time if needed
sudo timedatectl set-ntp true
sudo ntpdate -s time.nist.gov
Ensure all nodes are synchronized (within 1-2 seconds).
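The manual openssl check above covers one file at a time, and the clock-skew section adds a second failure mode (a certificate that is "not yet valid"). The script below is an added example, not part of the original page, that walks every .crt under the kubeadm pki directory (including etcd/) and flags certificates that are expired, inside a warning window, or whose notBefore is still in the future. It assumes GNU date (for date -d) and openssl on PATH; the PKI_DIR and WARN_DAYS defaults, the reference timestamps in the test, and the function names are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original page): report every certificate under a
# kubeadm pki directory that is expired, expiring soon, or not yet valid
# (the clock-skew case). Assumes GNU date (date -d) and openssl on PATH.
# PKI_DIR and WARN_DAYS are assumed defaults; override them via the environment.

PKI_DIR="${PKI_DIR:-/etc/kubernetes/pki}"
WARN_DAYS="${WARN_DAYS:-30}"

# seconds_until DATE [NOW_EPOCH]
# DATE is what openssl prints after "notAfter=" / "notBefore=",
# e.g. "Mar  3 12:00:00 2026 GMT". NOW_EPOCH defaults to the current time
# (a fixed value can be passed for deterministic checks). Negative output
# means DATE is already in the past.
seconds_until() {
    end_epoch=$(date -u -d "$1" +%s) || return 1
    now_epoch="${2:-$(date -u +%s)}"
    echo $(( end_epoch - now_epoch ))
}

# days_until DATE [NOW_EPOCH]: whole days, truncated toward zero.
days_until() {
    secs=$(seconds_until "$1" "$2") || return 1
    echo $(( secs / 86400 ))
}

# cert_status SECS_UNTIL_NOTBEFORE DAYS_UNTIL_NOTAFTER WARN_DAYS
# Prints NOT_YET_VALID, EXPIRED, WARNING or OK.
cert_status() {
    if [ "$1" -gt 0 ]; then echo NOT_YET_VALID
    elif [ "$2" -lt 0 ]; then echo EXPIRED
    elif [ "$2" -lt "$3" ]; then echo WARNING
    else echo OK
    fi
}

# check_pki_dir DIR WARN_DAYS: walk *.crt files, print one line per cert,
# and return 1 if any cert is not OK, so the script can run from cron.
check_pki_dir() {
    rc=0
    for crt in $(find "$1" -name '*.crt' | sort); do
        not_before=$(openssl x509 -in "$crt" -noout -startdate | sed 's/^notBefore=//')
        not_after=$(openssl x509 -in "$crt" -noout -enddate | sed 's/^notAfter=//')
        start_secs=$(seconds_until "$not_before") || { echo "UNREADABLE $crt"; rc=1; continue; }
        left_days=$(days_until "$not_after") || { echo "UNREADABLE $crt"; rc=1; continue; }
        status=$(cert_status "$start_secs" "$left_days" "$2")
        printf '%-14s %5s days  %s\n' "$status" "$left_days" "$crt"
        [ "$status" = OK ] || rc=1
    done
    return $rc
}

# Run the scan only when the pki directory exists (i.e. on a control plane node).
if [ -d "$PKI_DIR" ]; then
    check_pki_dir "$PKI_DIR" "$WARN_DAYS"
fi
```

Run it on a control plane node as root (the key files are not read, only the .crt files); a non-zero exit from a cron job or a monitoring check is the signal to schedule `kubeadm certs renew` before the cluster goes down. A NOT_YET_VALID line on a freshly renewed cert points at the clock-skew checks above rather than at the certificate itself.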
Kubelet auto-rotates 30 days before expiry. Approve CSRs:
kubectl get csr
kubectl certificate approve <csr-name>
# Check new cert is loaded
openssl x509 -in /var/lib/kubelet/pki/kubelet-client-current.pem -noout -enddate
If the cluster is completely down:
# 1. SSH to control plane node or boot recovery image
# 2. Mount root filesystem if needed
# 3. Renew certs
sudo kubeadm certs renew all
# 4. Copy renewed certs to all control plane nodes
sudo scp -r /etc/kubernetes/pki <node2>:/etc/kubernetes/
# 5. Restart kubelet on all nodes
sudo systemctl restart kubelet
Install cert-manager for automatic rotation:
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.0/cert-manager.yaml
# Create issuer for internal CA
kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: kubernetes-ca
spec:
  ca:
    secretName: kubernetes-ca-secret
EOF
cert-manager auto-renews certs 30 days before expiry.
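The Issuer above only says which CA signs; the renewal window is set per Certificate resource, and cert-manager's CA issuer expects the referenced Secret to already hold the CA key pair as tls.crt and tls.key. The manifest below is an added example, not from the original page, of a Certificate issued by that Issuer for a webhook serving certificate with a 1-year lifetime and renewal 30 days before expiry. The resource name, Secret name, service name and DNS names are assumptions; the Certificate must live in the same namespace as the Issuer, since an Issuer is namespaced.

```yaml
# Added example (not from the original page): a cert-manager Certificate that
# the kubernetes-ca Issuer above signs and renews automatically.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: webhook-serving            # assumed name
spec:
  secretName: webhook-serving-tls  # cert-manager writes tls.crt, tls.key and ca.crt here
  duration: 8760h                  # 1 year, matching the default lifetime discussed on the page
  renewBefore: 720h                # renew 30 days before notAfter
  commonName: my-webhook.default.svc            # assumed service name
  dnsNames:
    - my-webhook.default.svc                    # assumed
    - my-webhook.default.svc.cluster.local      # assumed
  privateKey:
    rotationPolicy: Always         # generate a fresh key on every renewal
  issuerRef:
    name: kubernetes-ca            # the Issuer created above
    kind: Issuer
```

After applying it, `kubectl get certificate webhook-serving` should show READY=True, and `kubectl describe certificate webhook-serving` reports the next renewal time, which should sit 30 days before the notAfter date. Note that this mechanism covers certificates cert-manager issues into Secrets (webhook serving certs and similar); the kubeadm-generated files under /etc/kubernetes/pki are renewed with `kubeadm certs renew` as described earlier.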
Default kubeadm cert expiry is 1 year; plan renewal before expiry (ideally during regular upgrades). Cluster certificates include: API server, kubelet, etcd, controller-manager, scheduler, front-proxy-client. CA certificates (10-year TTL) rarely need renewal. Always have a verified backup of /etc/kubernetes/pki before renewal. kubelet auto-rotation (enabled by default) requires CSR approval to be enabled in kube-controller-manager.