When using kubectl to administer your Kubernetes cluster, you may receive a message similar to
The connection to the server xxx.xxx.xxx.xxx:xxxx was refused - did you specify the right host or port?
When kubectl returns "the connection to the server localhost:8080 was refused", one reason may be that the client certificates for accessing your Kubernetes cluster have expired. How to renew expired client certificates is the topic of this article.
There are other causes of the "connection refused" message, so check a couple of things with your cluster before trying the steps below to resolve your issue.
My Kubernetes cluster is outdated. It's currently running v1.15.2. As of this writing, the Kubernetes documentation only goes back to v1.20. After I resolve this certificate issue, I'll upgrade my cluster so I'm running the latest version of Kubernetes.
To confirm whether you have an expired certificate, run the following command.
$ kubeadm certs check-expiration
If you receive an error message, try the form of the command used by older versions of kubeadm.
$ kubeadm alpha certs check-expiration
If it works, you'll see output similar to the following.
CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
admin.conf                 Aug 21, 2022 19:57 UTC   <invalid>       no
apiserver                  Aug 21, 2022 19:55 UTC   <invalid>       no
apiserver-etcd-client      Aug 21, 2022 19:55 UTC   <invalid>       no
apiserver-kubelet-client   Aug 21, 2022 19:55 UTC   <invalid>       no
controller-manager.conf    Aug 21, 2022 19:57 UTC   <invalid>       no
etcd-healthcheck-client    Aug 21, 2022 19:04 UTC   <invalid>       no
etcd-peer                  Aug 21, 2022 19:04 UTC   <invalid>       no
etcd-server                Aug 21, 2022 19:04 UTC   <invalid>       no
front-proxy-client         Aug 21, 2022 19:55 UTC   <invalid>       no
scheduler.conf             Aug 21, 2022 19:57 UTC   <invalid>       no
Note that the expiration date has passed and the Residual Time says <invalid>. This means my client certificates have expired.
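To catch this before kubectl stops working, the check-expiration output can be parsed and checked on a schedule. The following Python script is an added example, not part of the original article; the `example-healthy` row, the function names and the 30-day warning threshold are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: rows from the article plus one made-up healthy row.
SAMPLE = """\
CERTIFICATE       EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
admin.conf        Aug 21, 2022 19:57 UTC   <invalid>       no
apiserver         Aug 21, 2022 19:55 UTC   <invalid>       no
etcd-server       Aug 21, 2022 19:04 UTC   <invalid>       no
example-healthy   Sep 30, 2023 12:00 UTC   1y              no
"""

# name, then a date such as "Aug 21, 2022 19:57", then the literal "UTC"
ROW = re.compile(r"^\s*(\S+)\s+([A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2}) UTC\s+(\S+)")

def parse_expirations(text):
    """Return {certificate name: expiry as an aware UTC datetime}."""
    certs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header and blank lines do not match and are skipped
            expiry = datetime.strptime(m.group(2), "%b %d, %Y %H:%M")
            certs[m.group(1)] = expiry.replace(tzinfo=timezone.utc)
    return certs

def classify(certs, now, warn_days=30):
    """Split certificates into expired, expiring within warn_days, and ok."""
    result = {"expired": [], "expiring": [], "ok": []}
    for name, expiry in sorted(certs.items()):
        if expiry <= now:
            result["expired"].append(name)
        elif expiry - now <= timedelta(days=warn_days):
            result["expiring"].append(name)
        else:
            result["ok"].append(name)
    return result

if __name__ == "__main__":
    import sys
    # Read real output from stdin when piped; otherwise use the sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    report = classify(parse_expirations(text), datetime.now(timezone.utc))
    for state in ("expired", "expiring"):
        for name in report[state]:
            print(f"{state.upper()}: {name}")
    sys.exit(1 if report["expired"] or report["expiring"] else 0)
```

Pipe the check-expiration output into the script on stdin; it exits non-zero when any certificate is expired or inside the warning window, which makes it usable from cron or a monitoring check.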
Renew the certificates by running the following command. Note that this command is for Kubernetes v1.15.2.
$ kubeadm alpha certs renew all
Now, try a kubectl command.
$ kubectl get pods
If you receive the following error, you may have an old version of Kubernetes.
Unable to connect to the server: x509: certificate has expired or is not yet valid
To reconcile, run the following command, where xx.xx.xx.xx is your cluster's IP address.
$ kubeadm init phase certs all --apiserver-advertise-address xx.xx.xx.xx
Then run the following.
$ kubeadm init phase kubeconfig all
Then reboot.
Then run the following.
$ cp -i /etc/kubernetes/admin.conf ~/.kube/config
After that you should be able to run kubectl commands.