# rke2

hallowed-window-565

04/21/2023, 11:59 AM
How can I trigger a certificate rotation of the kube-controller-manager and kube-scheduler certificates before they expire? All the other rke2 certificates seem to have been rotated and all nodes have been rebooted, but these 2 still have not rotated. Rotate certificates in the Rancher GUI, or the rke2 command, do not seem to do anything for these 2. This is an rke2 Rancher-installed cluster, running v1.22.7+rke2r2
kube-controller-manager/kube-controller-manager.crt: Not After : Apr 25 18:15:06 2023 GMT
kube-scheduler/kube-scheduler.crt: Not After : Apr 25 18:15:06 2023 GMT

rough-farmer-49135

04/21/2023, 12:26 PM
Did you try going through your masters one at a time and doing a
systemctl restart rke2-server
? Maybe a stop, wait a minute, then start if restart doesn't work? Those are both static pods that are controlled by the rke2-server service, and in theory those get cycled when the service restarts (which a reboot should do too, but can't hurt to try explicitly). I know a node reboot will stop it and restart it, but sometimes a reboot ends up getting treated differently than a service restart.

hallowed-window-565

04/21/2023, 12:33 PM
Yes, I have tried that on all 3 controller nodes, since I did not know if it would happen when one restarted one, or when all were restarted. But when that did not work, I did a rolling reboot of all nodes. I have also tried to restart rke2-server on one of the rebooted controller nodes, but still Not After : Apr 25 18:15:06 2023 GMT

gray-lawyer-73831

04/26/2023, 2:56 PM

hallowed-window-565

05/03/2023, 2:39 PM
@gray-lawyer-73831 Thanks, but unfortunately that was one of the first things I tried. The problem was that that method did not rotate those 2 certificates. Kubernetes has to manage them, but it does not. I deleted the cert and key files and restarted the containers, and they make new self-signed certs, with this method: https://github.com/rancher/rancher/issues/41125#issuecomment-1506620040