Did you guys remove the table option from

rke2 certificate check --output table

on purpose in RKE 1.31? Or is this just an accident? It's wrong in the docs at https://docs.rke2.io/security/certificates

The table has slightly changed with more information but it wasn't removed.

1.31.4 here (on a Harvester cluster):

rke2 certificate check --output table
Incorrect Usage: flag provided but not defined: -output

NAME:
   rke2 certificate check - Check rke2 component certificates on disk

USAGE:
   rke2 certificate check [command options] [arguments...]

OPTIONS:
   --debug                     (logging) Turn on debug logs [$RKE2_DEBUG]
   --config FILE, -c FILE      (config) Load configuration from FILE (default: "/etc/rancher/rke2/config.yaml") [$RKE2_CONFIG_FILE]
   --data-dir value, -d value  (data) Folder to hold state (default: "/var/lib/rancher/rke2") [$RKE2_DATA_DIR]
   --service value, -s value   List of services to manage certificates for. Options include (admin, api-server, controller-manager, scheduler, supervisor, rke2-controller, rke2-server, cloud-controller, etcd, auth-proxy, kubelet, kube-proxy)
   
FATA[0000] flag provided but not defined: -output

it was never broken. I suspect you’re using an older release that never had --output support. It was added fairly recently.

rke2 --version
rke2 version v1.31.4+rke2r1 (5142beec71f7a61804840df5b434c2fd7137ce82)
go version go1.22.9 X:boringcrypto

Older?

--output

flag was added in January https://github.com/k3s-io/k3s/pull/11485

Thanks. I thought is was there earlier.

Remember that we release patches on all supported minors simultaneously, same as Kubernetes project. So you can’t simply say “its in 1.30.x so it must be in 1.31.y”. You need to look at what month’s release cycle the patch versions correspond to.

OK. Now that this was sorted out (I never used this command, tbh, so I expected it to be there for longer), can you explain this:

INFO[0000] Checking certificates for kube-proxy
WARN[0000] /var/lib/rancher/rke2/server/tls/client-kube-proxy.crt: certificate CN=system:kube-proxy will expire within 90 days at 2025-08-14T09:30:49Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-kube-proxy.crt: certificate CN=rke2-client-ca@1723627849 is ok, expires at 2034-08-12T09:30:49Z
INFO[0000] /var/lib/rancher/rke2/agent/client-kube-proxy.crt: certificate CN=system:kube-proxy is ok, expires at 2026-06-06T13:54:17Z
INFO[0000] /var/lib/rancher/rke2/agent/client-kube-proxy.crt: certificate CN=rke2-client-ca@1723627849 is ok, expires at 2034-08-12T09:30:49Z

This controlplane node (rke2 v1.30.11) has 2(!) client-kube-proxy certificates. One will expire soon, the other one seems to have been rotated recently. Unfortunately rke2 seems to use the expired one. Restarting rke2-server does not fix this. This cluster was upgraded a couple of times (from 1.27 probably). If I install v1.30.11 directly, there is only one certifictate (the agent one). Any explanation? I see this also with other upgraded clusters... is this a ticking timebomb? What happens if the first one cert is expired?