This message was deleted.
# k3s
This message was deleted.
The cert is located in
if you want to go messing around with it, but I wouldn't recommend it
You can also use the
k3s certificate
subcommand to do the rotation on demand
Process is not documented (TODO for me), but you 1. stop the k3s server 2. run
k3s certificate rotate
3. start the K3s server
k3s certificate rotate specifically doesn’t rotate that one, that's why I’m here :)
literally removing that file makes k3s recreate it
Yeah I chatted with @fancy-guitar-13855 (he wrote the cert rotation command) and he mentioned that you can just delete that file and K3s will make a new one.
n I can't find the place in the code where it removes the client ca though
and in here it's stated that the client ca is indeed not rotated
I'm fine if I need to go thorugh the hoops to rotate it; I just want to know which those involve 🙂
So I got more info and we specifically don't rotate any ca* certs because its a Back-Compat thing with RKE1. When you removed the file, K3s regenerated a new one?
nope; it restored the old cert from someplace
I stopped k3s, rm-rf'ed the client-ca*, started it and got the same client-ca back
that's still confusing as to how that works
Okay I did some more digging. Currently, there is no easy way to regenerate the client or server -ca keys/crts. This is because we cache the keys in the etcd/db. They are static for the life of that cluster. If you kill the cluster and remove the files, on restart, k3s will simple pull down the cached version from the DB and regenerate them.
The only way to get new keys is to completely wipe out the K3s cluster...
k3s server --cluster-reset
or a but that defeats the point of trying to "rotate" the ca keys.
aha, I thought they'd be in etcd; that explains it.
a bit unfortunate; but yeah; wiped the cluster, learned my lesson. No more CA auth.