How to renew cert manually?

I’m running K3OS v0.10.3 and I ran into “x509: certificate has expired or is not yet valid”. This version runs K3S v1.17.7+k3s1.

Looking around, it seems that the recommended solution is to upgrade to a +1.19.4.
But this version does not seem to be officially supported by K3OS. The most advanced version is v0.11.1 and it ships v1.18.9+k3s1.

Furthermore, I wish to avoid upgrading.

Are there any tips to renew certificates manually? Even if it means spending time on advanced commands.

I found a solution.

The main process, as described in many threads, was to go back in time to regain access to the cluster. In my situation, going back was hard due to 3 components ensuring time-sync:

  • ntpd
  • connmand
  • vmtoolsd

So:

  • service ntpd stop
  • add TimeUpdates=manual in /var/lib/connman/settings
  • disable time synchronization in hypervisor

Then, I was able to restart and get back a fairly functional cluster. Most of the certs were correct, except the one for the API. So we have to:

kubectl delete secret -n kube-system k3s-serving
service k3s-service stop
mv /var/lib/rancher/k3s/server/tls/dynamic-cert.json /var/lib/rancher/k3s/server/tls/dynamic-cert.json.bak
service k3s-service restart

And then, return to the present and that’s all.

PS: all pods of the control plane needed to be manually restarted.
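
An added example, not part of the original post: a shell check that lists each certificate file under the k3s TLS directory named above with its expiry date and flags those expired or about to expire, which helps confirm which certs are affected before and after the steps in the post. The function names, the `--scan` switch and the 30-day default are assumptions of this example.

```shell
#!/bin/sh
# Added example: report k3s certificate files that are expired or near expiry.
# For files holding a chain, openssl reads only the first certificate.

# cert_status FILE SECONDS
# Prints OK if FILE is still valid SECONDS from now, EXPIRING otherwise.
# Returns 2 if FILE cannot be parsed as a certificate.
cert_status() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 2
    if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
        echo OK
    else
        echo EXPIRING
    fi
}

# scan_certs DIR DAYS
# Prints one line per *.crt in DIR: status, notAfter date, path.
# Returns 1 if any file is unreadable or expires within DAYS days.
scan_certs() {
    dir=$1
    secs=$(( $2 * 86400 ))
    rc=0
    for crt in "$dir"/*.crt; do
        [ -f "$crt" ] || continue
        if ! status=$(cert_status "$crt" "$secs"); then
            printf 'UNREADABLE\t-\t%s\n' "$crt"
            rc=1
            continue
        fi
        end=$(openssl x509 -in "$crt" -noout -enddate | cut -d= -f2)
        printf '%s\t%s\t%s\n' "$status" "$end" "$crt"
        [ "$status" = OK ] || rc=1
    done
    return $rc
}

# Run as: sh script.sh --scan [DIR] [DAYS]
# DIR defaults to the directory from the post; DAYS=30 is an assumed threshold.
if [ "${1:-}" = "--scan" ]; then
    scan_certs "${2:-/var/lib/rancher/k3s/server/tls}" "${3:-30}"
fi
```

The API certificate that the post regenerates is held in `dynamic-cert.json` and the `k3s-serving` secret, so this `*.crt` scan does not cover it.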