Hi Team,
My SSL certificate expired today, and I n...
# harvesterb
better-optician-77140
07/30/2025, 4:40 PMHi Team,
My SSL certificate expired today, and I now have a new certificate available. Could you please assist in replacing the existing SSL certificate or removing it from Harvester?
Currently, the Harvester UI is not accessible.
t
thousands-advantage-10804
07/30/2025, 4:59 PMare you using chrome?
b
better-optician-77140
07/30/2025, 5:04 PMim using firefox
t
thousands-advantage-10804
07/30/2025, 5:05 PMyou should be able to get by the outdated cert to get the to gui.
thousands-advantage-10804
07/30/2025, 5:06 PMdo you have access to a kubeconfig?
b
better-optician-77140
07/30/2025, 5:07 PMim able to access ssh
t
thousands-advantage-10804
07/30/2025, 5:07 PMok. let me see if I can find the settings from
kubectlthousands-advantage-10804
07/30/2025, 5:09 PMkubectl get settings ssl-certificatesthousands-advantage-10804
07/30/2025, 5:09 PMyou can edit it to update.
thousands-advantage-10804
07/30/2025, 5:09 PMor set it to
{}b
better-optician-77140
07/30/2025, 5:10 PMim getting this error
t
thousands-advantage-10804
07/30/2025, 5:10 PMsudo -ithousands-advantage-10804
07/30/2025, 5:10 PMrun those as root
b
better-optician-77140
07/30/2025, 5:11 PMim running from the root
t
thousands-advantage-10804
07/30/2025, 5:12 PMwhat version of harvester?
b
better-optician-77140
07/30/2025, 5:12 PM1.35V
t
thousands-advantage-10804
07/30/2025, 5:14 PModd. you should be able to use kubectl to see the “cluster”
b
better-optician-77140
07/30/2025, 5:32 PMimage.png
better-optician-77140
07/30/2025, 5:32 PMis there any service that i can restart?
t
thousands-advantage-10804
07/30/2025, 5:33 PMlooks like the whole node is having issues. looks like k8s is not working either. Is this a single node install or multi?
b
better-optician-77140
07/30/2025, 5:34 PMthis is multi (cluster)
t
thousands-advantage-10804
07/30/2025, 5:34 PMAH. more than 3 nodes?
thousands-advantage-10804
07/30/2025, 5:35 PMYou should be able to get to the gui on one of the master nodes.
b
better-optician-77140
07/30/2025, 5:35 PMi have 3 nodes
better-optician-77140
07/30/2025, 5:35 PMthis is second node
t
thousands-advantage-10804
07/30/2025, 5:36 PMok can you get to the gui of that node?
thousands-advantage-10804
07/30/2025, 5:36 PMgo to the node ip and not the mgnt one.
b
better-optician-77140
07/30/2025, 5:38 PMI'm unable to log in - 404 error is coming and vanishes in seconds
t
thousands-advantage-10804
07/30/2025, 5:39 PMssh into that node and run
kubectl get nodeb
better-optician-77140
07/30/2025, 5:40 PMimage.png
t
thousands-advantage-10804
07/30/2025, 5:41 PMOK. did you get a cert error from the gui? You can update it from the settings command. I would reboot node1 to see if it comes back. you may have multiple problems.
b
better-optician-77140
07/30/2025, 5:43 PMi have restarted one testing server, and it is working.
but some VMs are running, which i didn't take the backup
t
thousands-advantage-10804
07/30/2025, 5:43 PMk
b
better-optician-77140
07/30/2025, 5:44 PMis there any other way to restart the services?
t
thousands-advantage-10804
07/30/2025, 5:45 PMsystemctl status rke2-server.servicethousands-advantage-10804
07/30/2025, 5:45 PMjournalctl -xefu rke2-server.serviceb
better-optician-77140
07/30/2025, 5:49 PMlogs rke2.txt
t
thousands-advantage-10804
07/30/2025, 5:50 PMyup that is a cert issue. Update the cert on a good node and then reboot.
b
better-optician-77140
07/30/2025, 5:51 PMsure, let me try.
better-optician-77140
07/30/2025, 5:54 PM Copy code
# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: <http://harvesterhci.io/v1beta1|harvesterhci.io/v1beta1>
default: '{}'
kind: Setting
metadata:
annotations:
<http://harvesterhci.io/hash|harvesterhci.io/hash>: d14a028c2a3a2bc9476102bb288234c415a2b01f828ea62ac5b3e42f
creationTimestamp: "2024-07-27T16:07:44Z"
generation: 2
name: ssl-certificates
resourceVersion: "6797"
uid: 14a38dbb-3e49-4972-a88b-9d9d12c67c69
status:
conditions:
- lastUpdateTime: "2024-07-27T16:07:44Z"
status: "False"
type: configured
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
"/tmp/kubectl-edit-3386199985.yaml" 20L, 641Bt
thousands-advantage-10804
07/30/2025, 5:55 PMcheck the third. wait did you ever assign a cert and key to the cluster from the gui?
b
better-optician-77140
07/30/2025, 5:56 PMyes, i have uploaded in the both in the Management IP- UI
t
thousands-advantage-10804
07/30/2025, 5:56 PMok, check the third.
b
better-optician-77140
07/30/2025, 5:57 PM Copy code
# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: <http://harvesterhci.io/v1beta1|harvesterhci.io/v1beta1>
default: '{}'
kind: Setting
metadata:
annotations:
<http://harvesterhci.io/hash|harvesterhci.io/hash>: d14a028c2a3a2bc9476102bb288234c415a2b01f828ea62ac5b3e42f
creationTimestamp: "2024-07-27T16:07:44Z"
generation: 2
name: ssl-certificates
resourceVersion: "6797"
uid: 14a38dbb-3e49-4972-a88b-9d9d12c67c69
status:
conditions:
- lastUpdateTime: "2024-07-27T16:07:44Z"
status: "False"
type: configured
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
"/tmp/kubectl-edit-1687201104.yaml" 20L, 641Bt
thousands-advantage-10804
07/30/2025, 6:04 PMCheck
kubectl get secret -n cattle-system tls-ingressb
better-optician-77140
07/30/2025, 6:05 PM Copy code
kubectl get secret -n cattle-system tls-ingress
E0730 18:05:20.770735 221053 memcache.go:265] couldn't get current server API group list: Get "<https://127.0.0.1:6443/api?timeout=32s>": dial tcp 127.0.0.1:6443: connect: connection refused
E0730 18:05:20.770899 221053 memcache.go:265] couldn't get current server API group list: Get "<https://127.0.0.1:6443/api?timeout=32s>": dial tcp 127.0.0.1:6443: connect: connection refused
E0730 18:05:20.772257 221053 memcache.go:265] couldn't get current server API group list: Get "<https://127.0.0.1:6443/api?timeout=32s>": dial tcp 127.0.0.1:6443: connect: connection refused
E0730 18:05:20.772723 221053 memcache.go:265] couldn't get current server API group list: Get "<https://127.0.0.1:6443/api?timeout=32s>": dial tcp 127.0.0.1:6443: connect: connection refused
E0730 18:05:20.773988 221053 memcache.go:265] couldn't get current server API group list: Get "<https://127.0.0.1:6443/api?timeout=32s>": dial tcp 127.0.0.1:6443: connect: connection refused
The connection to the server 127.0.0.1:6443 was refused - did you specify the right host or port?t
thousands-advantage-10804
07/30/2025, 6:06 PMfrom the second node.
b
better-optician-77140
07/30/2025, 6:06 PM Copy code
kubectl get secret -n cattle-system tls-ingress
NAME TYPE DATA AGE
tls-ingress Opaque 2 368dt
thousands-advantage-10804
07/30/2025, 6:06 PMI am trying to figure out if the it is RKE on the node or the cluster ingress certs that are causing the issue.
thousands-advantage-10804
07/30/2025, 6:06 PMread this thread : https://github.com/harvester/harvester/issues/3401
thousands-advantage-10804
07/30/2025, 6:09 PMthis feels like rke2 itself. see https://github.com/harvester/harvester/issues/3401#issuecomment-1414378861
b
better-optician-77140
07/30/2025, 6:13 PMi have restarted the rke2-server
better-optician-77140
07/30/2025, 6:13 PM Copy code
systemctl restart rke2-servert
thousands-advantage-10804
07/30/2025, 6:14 PMwhat is the status?
kubectl status rke2-serverb
better-optician-77140
07/30/2025, 6:15 PMits up and running & im able to access the UI as well
t
thousands-advantage-10804
07/30/2025, 6:15 PMok cool..
b
better-optician-77140
07/30/2025, 6:16 PMThank you so much for your help 🙂
t
thousands-advantage-10804
07/30/2025, 6:16 PMany time
👍 2
6 Views