Channels
#harvester
Title
# harvester
s
steep-teacher-68650
09/07/2022, 11:09 AMHi everyone, are there any docs on how to renew the self-signed harvester certificate for a single node harvester deployment? Unable to launch any VMs as the initial cert has expired.
The node in question is a harvester 1.0.2 upgraded to 1.0.3, TLS secrets are now 110d old:
Copy code
kubectl get secrets -A | grep tls
cattle-system cattle-webhook-ca <http://kubernetes.io/tls|kubernetes.io/tls> 2 110d
cattle-system cattle-webhook-tls <http://kubernetes.io/tls|kubernetes.io/tls> 2 106s
cattle-system rancher-webhook-tls <http://kubernetes.io/tls|kubernetes.io/tls> 2 110d
cattle-system serving-cert <http://kubernetes.io/tls|kubernetes.io/tls> 2 110d
cattle-system tls-ingress Opaque 2 110d
cattle-system tls-rancher <http://kubernetes.io/tls|kubernetes.io/tls> 2 110d
cattle-system tls-rancher-internal <http://kubernetes.io/tls|kubernetes.io/tls> 2 110d
cattle-system tls-rancher-internal-ca <http://kubernetes.io/tls|kubernetes.io/tls> 2 110d
harvester-system harvester-webhook-ca <http://kubernetes.io/tls|kubernetes.io/tls> 2 110d
harvester-system harvester-webhook-tls <http://kubernetes.io/tls|kubernetes.io/tls> 2 110d
harvester-system kubevirt-ca <http://kubernetes.io/tls|kubernetes.io/tls> 2 110d
harvester-system kubevirt-controller-certs <http://kubernetes.io/tls|kubernetes.io/tls> 2 110d
harvester-system kubevirt-operator-certs <http://kubernetes.io/tls|kubernetes.io/tls> 2 110d
harvester-system kubevirt-virt-api-certs <http://kubernetes.io/tls|kubernetes.io/tls> 2 110d
harvester-system kubevirt-virt-handler-certs <http://kubernetes.io/tls|kubernetes.io/tls> 2 110d
harvester-system kubevirt-virt-handler-server-certs <http://kubernetes.io/tls|kubernetes.io/tls> 2 110d
kube-system rke2-serving <http://kubernetes.io/tls|kubernetes.io/tls> 2 110d
kube-system serving-ca <http://kubernetes.io/tls|kubernetes.io/tls> 2 110d Copy code
kubectl -n cattle-system exec deploy/rancher -- bash -c "openssl s_client -showcerts -connect virt-api.harvester-system.svc:443 2>/dev/null| openssl x509 -noout -dates && echo current: $(date)"
notBefore=Sep 3 19:28:56 2022 GMT
notAfter=Sep 6 09:52:56 2022 GMT
current: Wed Sep 7 11:15:02 UTC 2022f
full-football-64901
09/08/2022, 3:25 AMIt might be a bug. in 1.0.3
That will be fixed in 1.1.0
1.1.0 is scheduled in the end of Oct.
👍 2
s
steep-teacher-68650
09/08/2022, 4:56 PMI decided to reprovision the node instead and currently importing the VM backups instead. Hopefully this is fixed in the next release 🙂
👍 2
13 Views