
How to Fix Expired Kubernetes Certificates and Restore Your Cluster

When Kubernetes certificates expire, the cluster becomes unusable; this guide explains how to check certificate expiration, renew the affected certificates with kubeadm, verify the updates, and restart control‑plane components to bring the cluster back online, including HA considerations.

Full-Stack DevOps & Kubernetes

1. Check Certificate Status

Run the following command on a control‑plane node to list the expiration dates of all component certificates:

kubeadm certs check-expiration

The output shows each certificate, its expiration date, and remaining time. Identify any certificates that are already expired or nearing expiration.

2. Renew Certificates

To renew all certificates at once, execute:

kubeadm certs renew all

If you only need to renew a specific certificate, use the syntax below, replacing <certificate-name> with the desired component (e.g., apiserver, etcd-server).

kubeadm certs renew <certificate-name>

Common certificate names include:

apiserver

apiserver-etcd-client

apiserver-kubelet-client

etcd-server

etcd-peer

etcd-healthcheck-client

3. Verify Renewal

After renewal, run the check command again to confirm the new expiration dates:

kubeadm certs check-expiration

All certificates should now display a future expiration date.

4. Restart Control‑Plane Components

Because most components do not support hot‑reloading of certificates, you must restart the corresponding Pods by moving and restoring their manifest files.

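Move the manifest files out of /etc/kubernetes/manifests/ into a temporary directory so that kubelet stops the Pods. Use a private directory created with mktemp -d rather than /tmp itself: /tmp is world‑writable, and moving /tmp/*.yaml back later would also place any unrelated YAML file found there into the static Pod directory, where kubelet would run it.

backup_dir=$(mktemp -d)
mv /etc/kubernetes/manifests/*.yaml "$backup_dir"/

Wait for the Pods to terminate (e.g., 60 seconds) and verify with:

sleep 60
crictl ps

Move the manifests back (from the same shell session, so that $backup_dir is still set) to let kubelet recreate the Pods with the new certificates:

mv "$backup_dir"/*.yaml /etc/kubernetes/manifests/

Check that the Pods are running and using the renewed certificates:

sleep 60
crictl ps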

Restart the kubelet service to ensure all components pick up the new certificates:

sudo systemctl restart kubelet

5. HA Cluster Considerations

If your cluster uses a multi‑master (HA) architecture, repeat the renewal and restart steps on each control‑plane node in the same order to keep the entire cluster consistent.

6. Summary

Expired certificates are a common operational issue in Kubernetes, but by checking expiration, renewing the necessary certificates with kubeadm, verifying the updates, and restarting control‑plane components (including all HA masters), you can quickly restore cluster functionality and avoid prolonged downtime. Regularly schedule certificate checks to prevent future incidents.
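One way to schedule the regular check recommended above, as an added example that is not part of the original article: a shell function that reads kubeadm certs check-expiration output and reports every certificate that is expired or within a given number of days of expiry. The names expiring_certs and sample_output are hypothetical, the sample output is constructed, and the parser assumes the tabular layout in which each date ends in "UTC" and is followed by a residual time such as 364d, 9h or <invalid>.

```shell
#!/bin/sh
# Added example (not from the original article): flag kubeadm-managed
# certificates that are expired or within N days of expiry.
# Usage on a control-plane node (e.g. from cron):
#   kubeadm certs check-expiration | expiring_certs 30 || echo "renewal needed"

# Reads check-expiration output on stdin, prints "<name> <residual>" for every
# certificate at or below the threshold (in days); returns 1 if any were found.
expiring_certs() {
  awk -v max="$1" '
    # Map the RESIDUAL TIME column to whole days.
    function days(r) {
      if (r ~ /^[0-9]+y$/) return (r + 0) * 365
      if (r ~ /^[0-9]+d$/) return r + 0
      if (r ~ /^[0-9]+[hms]$/) return 0      # less than a day left
      return -1   # "<invalid>" (expired) or unrecognised: always flagged
    }
    {
      # Data rows carry a date ending in "UTC"; the next field is the residual.
      for (i = 2; i < NF; i++)
        if ($i == "UTC") {
          if (days($(i + 1)) <= max + 0) { print $1, $(i + 1); found = 1 }
          break
        }
    }
    END { exit found + 0 }
  '
}

# Constructed sample output (assumed layout, not captured from a real cluster).
sample_output() {
  cat <<'EOF'
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Mar 01, 2031 09:10 UTC   364d            ca                      no
apiserver                  Mar 01, 2030 09:10 UTC   <invalid>       ca                      no
etcd-server                Mar 14, 2030 09:10 UTC   12d             etcd-ca                 no
front-proxy-client         Mar 02, 2030 18:10 UTC   9h              front-proxy-ca          no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Feb 27, 2040 09:10 UTC   9y              no
EOF
}
```

Header rows, blank lines and log lines without a "UTC" date field are ignored, and a residual value the parser does not recognise is reported rather than silently skipped.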
