The CA certificate hash provided to kubeadm join does not match the actual cluster CA, preventing secure node authentication.
As a security measure, kubeadm join uses the CA hash to verify that it is joining the correct cluster. If the hash doesn't match the actual cluster CA, kubeadm refuses to join, which protects against man-in-the-middle attacks. A mismatch usually means the hash was calculated from the wrong certificate or the cluster CA was regenerated.
Get the correct hash:
openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
Copy the output for use in kubeadm join.
Ensure CA file is present:
ls -la /etc/kubernetes/pki/ca.crt
openssl x509 -in /etc/kubernetes/pki/ca.crt -text -noout | grep -A1 "Subject:"
For testing (not production):
kubeadm join YOUR_CP_IP:6443 --token TOKEN --discovery-token-unsafe-skip-ca-verification
Warning: This bypasses security checks. Use only in trusted networks.
Run join with the recalculated hash:
kubeadm join YOUR_CP_IP:6443 --token TOKEN --discovery-token-ca-cert-hash sha256:CORRECT_HASH
Monitor the join process:
kubectl get nodes -w
Once the node reaches Ready status, it is fully joined.
Always use the correct CA hash in production; it's a security feature. If your cluster CA was regenerated, all future joins need the new hash. Document the CA hash in your infrastructure code. For automated environments, automate hash retrieval from the control plane. Never share the CA hash publicly; distribute it securely to authorized node operators.
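For the automated hash retrieval mentioned above, here is an added example (not from the original page and not kubeadm's own code) that computes the same value as the openssl pipeline by hashing the certificate's SubjectPublicKeyInfo bytes directly. It goes beyond the pipeline above, which passes the key through openssl rsa, in that it also works for non-RSA CA keys. The function names and the sample certificate are constructed for illustration.

```python
import base64, hashlib, sys

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, end)."""
    tag, length, start = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, start = int.from_bytes(buf[start:start + n], "big"), start + n
    if start + length > len(buf):
        raise ValueError("truncated DER")
    return tag, start, start + length

def spki_der(cert_der):
    """Return the raw SubjectPublicKeyInfo element of a DER X.509 certificate."""
    _, pos, _ = _tlv(cert_der, 0)    # outer Certificate SEQUENCE
    _, pos, _ = _tlv(cert_der, pos)  # tbsCertificate SEQUENCE
    tag, _, end = _tlv(cert_der, pos)
    if tag == 0xA0:                  # optional explicit [0] version field
        pos = end
    for _field in range(5):          # serial, sigAlg, issuer, validity, subject
        _, _, pos = _tlv(cert_der, pos)
    tag, _, end = _tlv(cert_der, pos)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo not found")
    return cert_der[pos:end]

def ca_cert_hash(pem):
    """Value for --discovery-token-ca-cert-hash: SHA-256 over the CA's SPKI."""
    b64 = "".join(ln for ln in pem.strip().splitlines() if not ln.startswith("-----"))
    return "sha256:" + hashlib.sha256(spki_der(base64.b64decode(b64))).hexdigest()

def hash_matches(pem, supplied):
    """True if the hash handed to kubeadm join matches this CA certificate."""
    return ca_cert_hash(pem) == supplied.strip().lower()

# Constructed stand-in for ca.crt: real field layout, dummy key and signature.
def _enc(tag, body):  # DER encoder for the sample only (lengths < 128)
    return bytes([tag, len(body)]) + body
_ALG = _enc(0x30, _enc(0x06, b"\x2a\x03\x04"))
SAMPLE_SPKI = _enc(0x30, _ALG + _enc(0x03, b"\x00" + b"K" * 32))
_TBS = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + _ALG
            + _enc(0x30, b"") * 3 + SAMPLE_SPKI)
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(
    _enc(0x30, _TBS + _ALG + _enc(0x03, b"\x00\x00"))).decode()
    + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":  # optional argument: path to the cluster's ca.crt
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PEM
    print(ca_cert_hash(pem))
```

Run it with the path to /etc/kubernetes/pki/ca.crt as the argument, and use hash_matches in provisioning code to stop before kubeadm join when the stored hash no longer matches the current CA.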