Unable to connect to the server: x509: certificate has expired or is not yet valid
Diagnosing The Problem
#: kubectl get pods -A Unable to connect to the server: x509: certificate has expired or is not yet valid
openssl s_client -connect localhost:6443 -showcerts < /dev/null 2>&1 | openssl x509 -noout -enddate
Resolving The Problem
As a precautionary measure backup the TLS dir.
sudo tar -czvf /var/lib/rancher/k3s/server/apphost-cert.tar.gz /var/lib/rancher/k3s/server/tls
Remove the following file.
sudo rm /var/lib/rancher/k3s/server/tls/dynamic-cert.json
Remove the cached certificate from a kubernetes secret.
sudo kubectl --insecure-skip-tls-verify=true delete secret -n kube-system k3s-serving
Restart the K3s service to rotate the certificates.
sudo systemctl restart k3s
Verify that kubectl commands function.
sudo kubectl get pods -A
Additionally, you can verify that all K3s internal certificates are no longer due to expire.
for i in `ls /var/lib/rancher/k3s/server/tls/*.crt`; do echo $i; openssl x509 -enddate -noout -in $i; done
curl -v -k https://localhost:6443 [https://localhost:6443] to confirm the new date of your app host cert