Did you just log in to your k3s cluster and find a certificate has expired?
The Problem
When k3s or kubectl fails because a certificate has expired, check the service status:
sudo systemctl status k3s
The output contains an error like this:
x509: certificate has expired or is not yet valid
Check certificate dates from your kubeconfig:
kubectl config view --minify --raw \
| yq -r '.users[0].user."client-certificate-data"' \
| base64 -d \
| openssl x509 -noout -dates
This prints the certificate's validity window:
notBefore=Nov 30 16:17:46 2024 GMT
notAfter=Dec 25 06:33:13 2025 GMT
The Solution
Rotate certificates:
sudo k3s certificate rotate
The command logs each certificate it rotates:
INFO[0000] Server detected, rotating agent and server certificates
INFO[0000] Rotating dynamic listener certificate
INFO[0000] Rotating certificates for cloud-controller
INFO[0000] Rotating certificates for k3s-controller
INFO[0000] Rotating certificates for api-server
INFO[0000] Rotating certificates for admin
INFO[0000] Rotating certificates for auth-proxy
INFO[0000] Rotating certificates for supervisor
INFO[0000] Rotating certificates for kube-proxy
INFO[0000] Rotating certificates for kubelet
INFO[0000] Rotating certificates for controller-manager
INFO[0000] Rotating certificates for etcd
INFO[0000] Rotating certificates for scheduler
INFO[0000] Successfully backed up certificates to /var/lib/rancher/k3s/server/tls-?????, please restart k3s server or agent to rotate certificates
Restart the server (and agents if present):
sudo systemctl restart k3s
# on agent nodes:
sudo systemctl restart k3s-agent
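Then copy the updated kubeconfig to the current user. This file holds the cluster admin client certificate and key, so keep it readable only by your own user:
sudo cp /etc/rancher/k3s/k3s.yaml "$HOME/.kube/config"
sudo chown "$(id -u):$(id -g)" "$HOME/.kube/config"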
If everything went well, verify with kubectl:
kubectl cluster-info
The output should look like this:
Kubernetes control plane is running at https://127.0.0.1:6443
CoreDNS is running at https://127.0.0.1:6443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
Metrics-server is running at https://127.0.0.1:6443/api/v1/namespaces/kube-system/services/https:metrics-server:https/proxy
To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
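To catch this before kubectl starts failing, the date check above can be automated. The script below is an added example, not part of the original post or of k3s: it parses `openssl x509 -noout -dates` output and classifies each certificate. The 90-day threshold, the function names and the default glob (the standard k3s server data directory) are assumptions of the example.

```python
#!/usr/bin/env python3
# Added example (not from the original post): report k3s certificates that are
# expired, not yet valid, or close to expiry.
import glob
import subprocess
import sys
from datetime import datetime, timezone

# Assumption: default k3s server data directory; pass another glob as argv[1].
DEFAULT_GLOB = "/var/lib/rancher/k3s/server/tls/*.crt"
# The `openssl x509 -noout -dates` output shown in this post.
SAMPLE = "notBefore=Nov 30 16:17:46 2024 GMT\nnotAfter=Dec 25 06:33:13 2025 GMT\n"


def parse_dates(text):
    """Parse `openssl x509 -noout -dates` output into (not_before, not_after)."""
    fields = dict(line.split("=", 1) for line in text.splitlines() if "=" in line)

    def to_utc(value):
        # openssl pads single-digit days with an extra space; normalise first.
        value = " ".join(value.split())
        return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

    return to_utc(fields["notBefore"]), to_utc(fields["notAfter"])


def status(text, now, warn_days=90):
    """Return (state, days_left); warn_days is an example threshold, not a k3s setting."""
    not_before, not_after = parse_dates(text)
    days_left = (not_after - now).days
    if now < not_before:
        return "not-yet-valid", days_left  # usually a wrong system clock
    if now >= not_after:
        return "expired", days_left
    return ("expiring" if days_left < warn_days else "ok"), days_left


def main(pattern=DEFAULT_GLOB):
    now, worst = datetime.now(timezone.utc), 0
    for path in sorted(glob.glob(pattern)):
        # Only the first certificate in each file is inspected.
        out = subprocess.run(["openssl", "x509", "-noout", "-dates", "-in", path],
                             capture_output=True, text=True, check=True).stdout
        state, days = status(out, now)
        print(f"{state:14} {days:5d}d  {path}")
        worst = max(worst, 0 if state == "ok" else 1)
    return worst  # non-zero exit lets cron or a monitoring agent alert


if __name__ == "__main__":
    sys.exit(main(*sys.argv[1:2]))
```

Run it with sudo on the server node, since the TLS directory is root-owned; it reads only the certificate files, not the private keys.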