Kimi450 / ubuntu_server

Set up an Ubuntu server with ease.

Minikube cert expiration #4

Closed Kimi450 closed 1 year ago

Kimi450 commented 1 year ago

Minikube certs will expire after a year, I don't really know how to fix it. I tried to look into it a while back but it didn't work. Basically, after a year of usage, certs expire and you can no longer access the cluster (data on the host should be fine, but app config will be lost as you'll have to reinstall minikube and everything that's on top of it).

Kimi450 commented 1 year ago

List of all the certs linked to minikube, found using the command:

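# get into minikube
minikube ssh

# find certs and print each one's expiry date
# (the glob is quoted so the shell does not expand it before find sees it)
find / -name '*crt' 2>/dev/null | grep minikube | while read -r line; do echo "------------- $line -------------"; openssl x509 -enddate -noout -in "$line"; done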
/var/lib/minikube/certs/etcd/healthcheck-client.crt
/var/lib/minikube/certs/etcd/ca.crt
/var/lib/minikube/certs/etcd/server.crt
/var/lib/minikube/certs/etcd/peer.crt
/var/lib/minikube/certs/apiserver-etcd-client.crt
/var/lib/minikube/certs/apiserver-kubelet-client.crt
/var/lib/minikube/certs/proxy-client.crt
/var/lib/minikube/certs/proxy-client-ca.crt
/var/lib/minikube/certs/front-proxy-client.crt
/var/lib/minikube/certs/apiserver.crt
/var/lib/minikube/certs/ca.crt
/var/lib/minikube/certs/front-proxy-ca.crt
/minikube-host/.minikube/profiles/minikube/proxy-client.crt
/minikube-host/.minikube/profiles/minikube/client.crt
/minikube-host/.minikube/profiles/minikube/apiserver.crt
/minikube-host/.minikube/proxy-client-ca.crt
/minikube-host/.minikube/ca.crt

The following are set for 10 years in the future:

/minikube-host/.minikube/ca.crt
/minikube-host/.minikube/proxy-client-ca.crt
/var/lib/minikube/certs/etcd/ca.crt
/var/lib/minikube/certs/proxy-client-ca.crt
/var/lib/minikube/certs/front-proxy-ca.crt
/var/lib/minikube/certs/ca.crt

The following are renewed automatically and utilize the argument passed with --cert-expiration:

/var/lib/minikube/certs/proxy-client.crt
/var/lib/minikube/certs/apiserver.crt
/minikube-host/.minikube/profiles/minikube/proxy-client.crt
/minikube-host/.minikube/profiles/minikube/client.crt
/minikube-host/.minikube/profiles/minikube/apiserver.crt

The following might be the problematic ones as they don't utilize the argument passed with --cert-expiration:

/var/lib/minikube/certs/etcd/healthcheck-client.crt
/var/lib/minikube/certs/etcd/server.crt
/var/lib/minikube/certs/etcd/peer.crt
/var/lib/minikube/certs/apiserver-etcd-client.crt
/var/lib/minikube/certs/apiserver-kubelet-client.crt
/var/lib/minikube/certs/front-proxy-client.crt

Replication

Kimi450 commented 1 year ago

Related issues:

Kimi450 commented 1 year ago

Upstream issue is fixed, so I expect this issue to be fixed now too.
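
The expiry check from the second comment, extended into a reusable audit that flags certificates before they lapse. This is an added example, not part of the original thread or the repository; the function names, the script name `cert_audit.sh` and the 30-day default threshold are assumptions, and the directory in the usage comment is one listed in the issue.

```shell
#!/bin/sh
# Added example (not from the issue thread): classify each certificate under a
# directory by remaining lifetime. Function names and the 30-day default are
# assumptions made for this example.

# cert_status FILE DAYS -> prints UNREADABLE, EXPIRED, EXPIRING or OK
cert_status() {
    if ! openssl x509 -noout -in "$1" >/dev/null 2>&1; then
        echo UNREADABLE                      # not a parseable X.509 certificate
    elif ! openssl x509 -noout -checkend 0 -in "$1" >/dev/null 2>&1; then
        echo EXPIRED                         # notAfter is already in the past
    elif ! openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1; then
        echo EXPIRING                        # lapses within DAYS days
    else
        echo OK
    fi
}

# audit_certs DIR DAYS -> one "STATUS  notAfter  path" line per *.crt file;
# returns non-zero if any certificate is not OK, so it can gate a cron job.
audit_certs() {
    report=$(find "$1" -name '*.crt' 2>/dev/null | sort | while IFS= read -r crt; do
        end=$(openssl x509 -noout -enddate -in "$crt" 2>/dev/null | cut -d= -f2)
        printf '%-10s %-26s %s\n' "$(cert_status "$crt" "$2")" "${end:-unknown}" "$crt"
    done)
    if [ -n "$report" ]; then printf '%s\n' "$report"; fi
    ! printf '%s\n' "$report" | grep -Eq '^(UNREADABLE|EXPIRED|EXPIRING) '
}

# Usage inside `minikube ssh`: sh cert_audit.sh /var/lib/minikube/certs 30
if [ "$#" -ge 1 ]; then
    audit_certs "$1" "${2:-30}"
fi
```

Run against both certificate directories from the issue, the certificates that ignore `--cert-expiration` show up as EXPIRING once they are inside the threshold, while the 10-year CAs stay OK.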