How to Resolve Kubernetes Certificate Expiration Errors with kubeadm

While using kubectl to view pod information, the cluster returned the error:

Unable to connect to the server: x509: certificate has expired or is not yet valid: current time 2025-01-25T11:35:45+08:00 is after 2024-11-22T23:44:48Z

Solution

Refer to the official kubeadm certificate management documentation and run the following commands.

Renew all certificates: kubeadm alpha certs renew all Copy the newly generated admin kubeconfig:

sudo kubeadm alpha kubeconfig user --client-name=admin --org=system:masters > /tmp/admin.conf
sudo cp /tmp/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

Restart the kubelet service to apply the changes: systemctl restart kubelet Verify the new certificate expiration dates: kubeadm alpha certs check-expiration The output shows each certificate with a new expiration date (e.g., Jan 25, 2026).

Important Notes

The official documentation for older Kubernetes versions (e.g., v1.15) uses kubeadm certs check-expiration, which may not exist in newer releases. In Kubernetes v1.19, the certs sub‑command is located under kubeadm alpha, so use kubeadm alpha certs … instead.