I’m running K3OS v0.10.3 and I fall into “x509: certificate has expired or is not yet valid”. This version runs a K3S v1.17.7+k3s1.
Looking around, it seems that the recommended solution is to upgrade to a +1.19.4.
But this version seems not officialy supported by K3OS. The most advanced version is v0.11.1 and it ships v1.18.9+k3s1.
Furthermore, I wish to avoid upgrading.
Is there any tips to renew certificates manually? Even spending time on advanced commands.
I found a solution.
The main process, as described in many threads, was to return back in time to retrieve access to cluster. In my situation, returning back was hard due to 3 components ensuring time-sync:
So:
service ntpd stopTimeUpdates=manual in /var/lib/connman/settings
Then, I was able to restart and retrieve a quite functioning cluster. Most of certs was correct, except the one for API. So we have to:
kubectl delete secret -n kube-system k3s-serving
service k3s-service stop
mv /var/lib/rancher/k3s/server/tls/dynamic-cert.json /var/lib/rancher/k3s/server/tls/dynamic-cert.json.bak
service k3s-service restart
And then, return in present and that’s all.
PS: all pods of the control plane needed to be manually restarted.