Brandon Harper
Jun 23, 2021

Kubernetes TLS Certificates Expired? Here's what you do now.

Kubernetes certificates expire after one year. When that happens, you can no longer communicate with or control the cluster. Here's how to resolve the issue in minutes.

TLS certificates are a requirement for Kubernetes clusters to work. When first configured, Kubernetes creates a set of certificates that help creates secure the cluster and allow for trust between workloads. Nodes connect to one another and to the Kubernetes control plane API through via an SSL tunnel that is secured by the TLS certificates. By default, these certificates expire a year from the day of creation, and when they do, you may be faced with an error message similar to this:

[authentication.go:64] Unable to authenticate the request due to an error: 
[x509: certificate has expired or is not yet valid, x509: certificate has expired or is not yet valid


The first time this happens can be disconcerting, as it becomes impossible to interact with the Kubernetes API using kubectl and services such as kubelet may fail. Here is what you do when your Kubernetes certificates expire.

Step 1: Renew the certificates

If the certificates have expired, the first thing you need to do is to renew them. kubeadm can be used to create new API server certificates using the kubeadm alpha certs tools.

Log into the Kubernetes primary control-plane node and use the following kubeadm command:

$ kubeadm alpha certs renew all


This command will renew the certificates in the Kubernetes API, Kubelet, etcd nodes, and configurations.

Step 2. Manage the new configuration

The second step is to copy the new configuration with the renewed certificate to the Kubernetes configuration directory. This will allow for kubectl and other client tools which use the certificates for encryption and authentication to connect to the API again:

$ cd ~/.kube

# Archive the old config file containing the out of date certificates
$ mv config conf.archive.2021

# Copy the new configuration file created using kubeadm
$ cp /etc/kubernetes/admin.conf config

# apply permissions to your current admin user and group
$ sudo chown $(id -u):$(id -g) config



The Kubernetes certificates have been renewed, the new configuration is available for kubectl and client tools, and your cluster should be ready for another year!

Brandon Harper Jun 23, 2021
More Articles by Brandon Harper


Unable to find related content


Unable to retrieve data due to an error
No results found
Back to All Comments