[Release-1.29] - Incorrect warning message for expiring K3s CA certificates #10273

brandond · 2024-06-03T16:23:20Z

Backport fix for Incorrect warning message for expiring K3s CA certificates

Incorrect warning message for expiring K3s CA certificates #10270

VestigeJ · 2024-06-04T22:35:21Z

Reproduced VERSION=v1.29.5+k3s1
Validated against COMMIT=485eaf31b4fe6f8502a210eba6103c7d774c923d

$ sudo mkdir -p /var/lib/rancher/k3s/server/tls/etcd;
$ sudo openssl genrsa -out /var/lib/rancher/k3s/server/tls/root-ca.key 4096;
$ sudo openssl req -x509 -new -nodes -sha256 -days 360 -subj "/CN=k3s-root-ca@test" -key /var/lib/rancher/k3s/server/tls/root-ca.key -out /var/lib/rancher/k3s/server/tls/root-ca.pem;
$ curl -sL https://github.com/k3s-io/k3s/raw/master/contrib/util/generate-custom-ca-certs.sh | sudo bash -;
$ COMMIT=485eaf31b4fe6f8502a210eba6103c7d774c923d
$ sudo INSTALL_K3S_COMMIT=$COMMIT INSTALL_K3S_EXEC=server ./install-k3s.sh

Results before patch on latest release showing 90 days expiration despite it being 365

$ kg events --field-selector involvedObject.kind==Node

LAST SEEN   TYPE      REASON                           OBJECT                 MESSAGE
9m19s       Warning   CACertificateExpirationWarning   node/ip-ip   Certificate authority certificates require attention - check k3s documentation and begin planning rotation: certificate-authority/server-ca.crt: certificate CN=k3s-root-ca@test will expire within 90 days at 2025-05-30T18:59:04Z, certificate-authority/client-ca.crt: certificate CN=k3s-root-ca@test will expire within 90 days at 2025-05-30T18:59:04Z, certificate-authority/request-header-ca.crt: certificate CN=k3s-root-ca@test will expire within 90 days at 2025-05-30T18:59:04Z, certificate-authority/peer-ca.crt: certificate CN=k3s-root-ca@test will expire within 90 days at 2025-05-30T18:59:04Z, certificate-authority/server-ca.crt: certificate CN=k3s-root-ca@test will expire within 90 days at 2025-05-30T18:59:04Z

Showing correct timeline for certificate expiry
$ kg events --field-selector involvedObject.kind==Node

LAST SEEN   TYPE      REASON                           OBJECT                MESSAGE
90s         Warning   CACertificateExpirationWarning   node/ip-172-31-25-9   Certificate authority certificates require attention - check k3s documentation and begin planning rotation: certificate-authority/server-ca.crt: certificate CN=k3s-root-ca@test will expire within 365 days at 2025-05-30T22:26:46Z, certificate-authority/client-ca.crt: certificate CN=k3s-root-ca@test will expire within 365 days at 2025-05-30T22:26:46Z, certificate-authority/request-header-ca.crt: certificate CN=k3s-root-ca@test will expire within 365 days at 2025-05-30T22:26:46Z, certificate-authority/peer-ca.crt: certificate CN=k3s-root-ca@test will expire within 365 days at 2025-05-30T22:26:46Z, certificate-authority/server-ca.crt: certificate CN=k3s-root-ca@test will expire within 365 days at 2025-05-30T22:26:46Z

brandond self-assigned this Jun 3, 2024

rancher-max assigned VestigeJ Jun 4, 2024

brandond mentioned this issue Jun 4, 2024

[release-1.29] More backports for 2024-06 release cycle #10288

Merged

VestigeJ closed this as completed Jun 4, 2024

caroline-suse-rancher added this to the v1.29.6+k3s1 milestone Jun 11, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Release-1.29] - Incorrect warning message for expiring K3s CA certificates #10273

[Release-1.29] - Incorrect warning message for expiring K3s CA certificates #10273

brandond commented Jun 3, 2024

VestigeJ commented Jun 4, 2024

[Release-1.29] - Incorrect warning message for expiring K3s CA certificates #10273

[Release-1.29] - Incorrect warning message for expiring K3s CA certificates #10273

Comments

brandond commented Jun 3, 2024

VestigeJ commented Jun 4, 2024