Your kubectl cannot verify the API server certificate because it doesn't trust the signing authority. This is typically a CA certificate mismatch.
When kubectl connects to the API server, it validates the server's TLS certificate against a certificate authority (CA). If the CA certificate in kubeconfig doesn't match the CA that signed the server certificate, or if the CA certificate is missing/incorrect, the validation fails.
Get the actual CA from the server. This command decodes the first certificate-authority-data entry of the kubeconfig on the machine where it runs, so run it where the kubeconfig is known to hold the cluster's CA:
kubectl config view --flatten | grep certificate-authority-data | head -1 | awk '{print $2}' | base64 -d > /tmp/server-ca.crt
Or directly from the server. Note that openssl x509 keeps only the first certificate in the output, which is the certificate the API server presents; its Issuer field identifies the CA that signed it:
openssl s_client -connect YOUR_API_SERVER:6443 -showcerts < /dev/null | openssl x509 -out /tmp/server-ca.crt
Check what CA your kubeconfig is using:
kubectl config view --raw | grep certificate-authority-data
Extract and compare:
echo YOUR_CERT_DATA | base64 -d > /tmp/kubeconfig-ca.crt
openssl x509 -in /tmp/kubeconfig-ca.crt -text -noout
Update the CA reference in kubeconfig:
kubectl config set-cluster kubernetes --certificate-authority=/path/to/correct/ca.crt
Or update manually in ~/.kube/config.
For self-signed certificates, you can skip verification (not recommended for production):
kubectl config set-cluster kubernetes --insecure-skip-tls-verify=true
Or properly import the CA:
kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/pki/ca.crt
Verify the fix:
kubectl version
kubectl get nodes
Both should now succeed without certificate errors.
Store CA certificates securely. For cluster bootstrapping, ensure CA distribution happens before kubeconfig generation. When rotating certificates in kubeadm, use: kubeadm certs renew all. Use certificate management tools (cert-manager) for automatic rotation in production. Never skip TLS verification in production—fix the certificate issue instead.
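The "extract and compare" step above can be scripted. The following is an added example, not part of the original page: it compares the SHA-256 fingerprint of the CA pinned in a kubeconfig with a CA file obtained out-of-band (such as /etc/kubernetes/pki/ca.crt copied from a control-plane node) and fails if TLS verification has been switched off. The function names are hypothetical; it reads only the first cluster entry and assumes any certificate-authority path is absolute.

```sh
# Added example: audit a kubeconfig's pinned CA. Function names are hypothetical.

# SHA-256 of the DER bytes of the first certificate in a PEM file. This is the
# digest `openssl x509 -fingerprint -sha256` reports, without the colons.
pem_sha256() {
    tr -d '\r' < "$1" | awk '
        /-----BEGIN CERTIFICATE-----/ { on = 1; next }
        /-----END CERTIFICATE-----/   { exit }
        on' | base64 -d | sha256sum | cut -d' ' -f1
}

# Print the CA (PEM) of the first cluster entry in a kubeconfig. Handles both
# embedded certificate-authority-data and a certificate-authority file path
# (assumption: the path is absolute).
kubeconfig_ca_pem() {
    data=$(awk '$1 == "certificate-authority-data:" { print $2; exit }' "$1")
    if [ -n "$data" ]; then
        printf '%s' "$data" | base64 -d
        return 0
    fi
    path=$(awk '$1 == "certificate-authority:" { print $2; exit }' "$1")
    if [ -n "$path" ]; then cat "$path"; fi
}

# Exit status: 0 CA matches, 1 CA differs, 2 TLS verification disabled,
# 3 no CA configured.
check_kubeconfig_ca() {
    kubeconfig=$1; expected_ca=$2
    if grep -Eq '^[[:space:]]*insecure-skip-tls-verify:[[:space:]]*true' "$kubeconfig"; then
        echo "FAIL: insecure-skip-tls-verify is set, server identity is not checked" >&2
        return 2
    fi
    tmp=$(mktemp)
    kubeconfig_ca_pem "$kubeconfig" > "$tmp" || true
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        echo "FAIL: no CA certificate configured in $kubeconfig" >&2
        return 3
    fi
    have=$(pem_sha256 "$tmp")
    want=$(pem_sha256 "$expected_ca")
    rm -f "$tmp"
    if [ "$have" = "$want" ]; then echo "OK: CA matches ($have)"; return 0; fi
    echo "MISMATCH: kubeconfig=$have expected=$want" >&2
    return 1
}

# Usage: sh check-ca.sh ~/.kube/config /etc/kubernetes/pki/ca.crt
if [ "$#" -ge 2 ]; then check_kubeconfig_ca "$1" "$2"; fi
```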