IBM Support

How can we add a new Subject Alternative Name (SAN) entry to the IBM Cloud Private CA self-signed certificate for the Kubernetes API server?

Troubleshooting


Problem

We are having an issue for a particular use case with helm and it is complaining about the apiserver certificate. It looks like this cert is generated by inception. Are there instructions on how to update the SAN for the Kubernetes apiserver certificate?

Resolving The Problem

Note: The customer should try this out on a dev/test system before implementing it in the production environment.
The server certificate must be updated on all master nodes.
1) Back up both server.cert and server.key files into a different directory:
cp /etc/cfc/conf/server.cert <backup_dir>/server.cert.bkp
cp /etc/cfc/conf/server.key <backup_dir>/server.key.bkp
2) Download and unpack the easy-rsa tarball used to generate the new certificates, then initialize an empty PKI directory:
curl -LO https://storage.googleapis.com/kubernetes-release/easy-rsa/easy-rsa.tar.gz
tar xzf easy-rsa.tar.gz
cd easy-rsa-master/easyrsa3
./easyrsa init-pki
3) Since we are reusing the existing cluster CA instead of creating a new one, the PKI bookkeeping files that easy-rsa would normally create have to be set up by hand:
cd pki
mkdir issued
mkdir certs_by_serial
touch index.txt
echo 01 > serial
cd ..
4) Copy the cluster CA certificate and key into the 'pki' directory:
cp /etc/cfc/conf/ca.crt pki/ca.crt
cp /etc/cfc/conf/ca.key pki/private/ca.key
5) With MASTER_IP and MASTER_CLUSTER_IP set for your cluster, run this command to generate the new server certificate and key (the quoted fragments are joined into a single --subject-alt-name value, so there must be no space between a closing quote and the backslash that continues the list):
./easyrsa --subject-alt-name="IP:${MASTER_IP},"\
"IP:${MASTER_CLUSTER_IP},"\
"DNS:kubernetes,"\
"DNS:kubernetes.default,"\
"DNS:kubernetes.default.svc,"\
"DNS:kubernetes.default.svc.cluster,"\
"DNS:kubernetes.default.svc.cluster.local,"\
"DNS:<dns>" \
--days=730 \
build-server-full kubernetes-master nopass
Note: Make sure the SAN list of your certificate contains all of the default DNS names and IP addresses shown above in addition to the new entry (<dns>).
6) Once the command completes successfully, overwrite the existing certificate and key (backed up in step 1):
cp -p pki/issued/kubernetes-master.crt /etc/cfc/conf/server.cert
cp -p pki/private/kubernetes-master.key /etc/cfc/conf/server.key
7) Wait a couple of minutes while the apiserver loads the new certificates and the other dependent services pick them up. You can monitor the apiserver logs with:
kubectl logs k8s-master-<MASTER-IP> -c apiserver -n kube-system --tail=100
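Added check, not part of the IBM document: before the new kubernetes-master.crt replaces /etc/cfc/conf/server.cert in step 6, confirm that it actually carries every SAN passed to easyrsa in step 5 and that it chains to the cluster CA copied in step 4. The IP values are placeholders; note that openssl prints IP entries as "IP Address:" rather than the "IP:" form used on the easyrsa command line.

```shell
#!/bin/sh
# Added example, not from the IBM document: verify a freshly issued
# kubernetes-master.crt before it replaces /etc/cfc/conf/server.cert.
# Placeholder IPs below are assumed values; use your cluster's.

# missing_sans SAN_TEXT REQUIRED...
# SAN_TEXT is the comma-separated list openssl prints for the
# subjectAltName extension (IP entries appear as "IP Address:x.x.x.x",
# not the "IP:" form used on the easyrsa command line). Prints every
# required entry that is absent and returns 1 if any is missing.
missing_sans() {
  san_text="$1"; shift
  present=$(printf '%s\n' "$san_text" | tr ',' '\n' \
            | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
  rc=0
  for want in "$@"; do
    if ! printf '%s\n' "$present" | grep -qxF -- "$want"; then
      printf 'missing SAN: %s\n' "$want"
      rc=1
    fi
  done
  return $rc
}

# check_cert CERT CA REQUIRED...
# Extracts the SAN list from CERT, checks it with missing_sans, then
# verifies that CERT chains to CA (the ca.crt copied in step 4).
check_cert() {
  cert="$1"; ca="$2"; shift 2
  san_text=$(openssl x509 -in "$cert" -noout -text \
             | grep -A1 'Subject Alternative Name' | tail -n 1)
  missing_sans "$san_text" "$@" || return 1
  openssl verify -CAfile "$ca" "$cert" >/dev/null || return 1
  echo "$cert: all required SANs present, chains to $ca"
}

# Real use, with MASTER_IP/MASTER_CLUSTER_IP set as in step 5:
#   check_cert pki/issued/kubernetes-master.crt pki/ca.crt \
#     "IP Address:$MASTER_IP" "IP Address:$MASTER_CLUSTER_IP" \
#     DNS:kubernetes DNS:kubernetes.default DNS:kubernetes.default.svc \
#     DNS:kubernetes.default.svc.cluster DNS:kubernetes.default.svc.cluster.local
# Offline demo on a constructed SAN list that lacks the cluster.local name:
SAMPLE_SAN_TEXT="DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, IP Address:10.0.0.1"
if missing_sans "$SAMPLE_SAN_TEXT" DNS:kubernetes "IP Address:10.0.0.1" \
     DNS:kubernetes.default.svc.cluster.local; then
  echo "sample: SAN list complete"
else
  echo "sample: SAN list incomplete, do not install this certificate"
fi
```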

Document Location

Worldwide


Document Information

Modified date:
13 September 2021

UID

ibm16488467