This message was deleted.
# rke2a
adamant-kite-43734
01/07/2025, 4:21 PMThis message was deleted.
b
bland-article-62755
01/07/2025, 4:23 PMThe kubeconfigs I generate/use from Rancher all have a 30 day TTL. I always have to download a new one, or copy/paste in the new token from the UI.
o
orange-thailand-31683
01/07/2025, 4:24 PMi haven't had to update mine since we've installed it last year, hm
orange-thailand-31683
01/07/2025, 4:25 PMcluster is 334 days old, thought we had eclipsed the 1 year (365 day mark) so thought the certs were the issue
b
bland-article-62755
01/07/2025, 4:26 PMI know not all rke2 deployments are through Rancher, but that's the only way we've deployed it.
bland-article-62755
01/07/2025, 4:26 PMI think there was a new setting and default vs the enforced 30 day from when we deployed it, we just haven't changed it yet.
o
orange-thailand-31683
01/07/2025, 4:27 PMi gotcha.. ill try to copy over the kube config for the cluster, see if that changes anything
b
bland-article-62755
01/07/2025, 4:28 PMIf you took the config from the cluster, rotating the certs might have rotated the token it used as well.
o
orange-thailand-31683
01/07/2025, 4:29 PMi didnt previously; however, i just did and it worked
orange-thailand-31683
01/07/2025, 4:29 PMso thats good to know, and glad this worked
orange-thailand-31683
01/07/2025, 4:29 PMthanks for bringing up what you've done in the past, brought me to a solution!
orange-thailand-31683
01/07/2025, 4:30 PMnow if only I could get the ECK folks to be as helpful 🙂
c
creamy-pencil-82913
01/07/2025, 6:21 PMthe client cert embedded in your kubeconfig expired. The admin cert on the RKE2 server is valid for 365 days and is updated as necessary when RKE2 starts, so if you copy them off the server nodes you’ll need to refresh your copy periodically. but it sounds like you figured that out.
o
orange-thailand-31683
01/10/2025, 3:47 PM@creamy-pencil-82913 but it was at 344 days, so it threw me.. it worked out for sure. thanks dude
orange-thailand-31683
01/10/2025, 3:47 PMquick question - would this impact the nginx ingress controller? since the refresh it seems that all of the connections to the services are now connection refused
b
bland-article-62755
01/10/2025, 3:53 PMIt might. You could try triggering a new rollout
o
orange-thailand-31683
01/10/2025, 3:54 PMill try to roll out / restart the services and see if it shifts
orange-thailand-31683
01/13/2025, 5:54 PMhm, same results. our front end resides in the default namespace, ingress resource in default namespace, path and everything is unchanged.. service running, pod running.. nothing has changed aside from the cert changes. still not loading it. restarted the service/pods by completely removing them and then re-starting them in the cluster too
orange-thailand-31683
01/14/2025, 3:10 PMinteresting - we restarted the host yesterday, the ingress worked, everything connected... go back in to check today, and nada. back to connection refused
c
creamy-pencil-82913
01/14/2025, 5:47 PMthe only way it’d change is if someone tried to rotate or switch to unencrypted via the cli
o
orange-thailand-31683
01/14/2025, 5:48 PMwould firewalld have an impact if the rules we had in place to circumvent it messing with anything RKE2/k8s related magically came back into play?
orange-thailand-31683
01/14/2025, 5:49 PMand back when the cert rotation happened, we just followed the commands from the documentation:
Copy code
# Stop RKE2
systemctl stop rke2-server
# Rotate certificates
rke2 certificate rotate
# Start RKE2
systemctl start rke2-server8 Views