Kent Munthe Caspersen

Reputation: 6898

Kubernetes (Azure's AKS) suddenly gives error "kubectl x509 certificate has expired or is not yet valid"

Suddenly an entire Kubernetes cluster (Azure's AKS-solution) became unresponsive. When running kubectl commands, the result is kubectl x509 certificate has expired or is not yet valid. Nothing in Azure Portal indicates an unhealthy state.

Upvotes: 6

Views: 9828

Answers (2)

Sam shiva

Reputation: 1

AKS clusters created prior to May 2019 have certificates that expire after two years. Any cluster created after May 2019 or any cluster that has its certificates rotated has Cluster CA certificates that expire after 30 years. All other AKS certificates, which use the Cluster CA for signing, will expire after two years and are automatically rotated during an AKS version upgrade which happened after 8/1/2021. To verify when your cluster was created, use kubectl get nodes to see the Age of your node pools.

Here are the commands you can use to resolve the issue by rotating certificates:

az account set --subscription

az aks get-credentials -g $RESOURCE_GROUP_NAME -n $CLUSTER_NAME

az aks rotate-certs -g $RESOURCE_GROUP_NAME -n $CLUSTER_NAME

Note: get-credentials is mandatory to rotate certificates.

Upvotes: 0
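
The expiry described in the answer above can be caught before kubectl starts failing. The following is an added example, not part of either answer: it reads the certificates embedded in a kubeconfig and reports whether each is expired or close to expiry. The function names are hypothetical, and it assumes openssl and base64 are installed and that the kubeconfig stores certificates in the standard certificate-authority-data and client-certificate-data fields.

```shell
#!/usr/bin/env bash
# Added example: offline expiry check of the certificates embedded in a kubeconfig.
# Function names are hypothetical; requires openssl, base64, sed.

# cert_status PEM_FILE [WARN_DAYS] -> prints INVALID, EXPIRED, EXPIRING or OK
cert_status() {
    local pem="$1" warn_days="${2:-30}"
    if ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
        echo INVALID          # not a parseable X.509 certificate
    elif ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
        echo EXPIRED          # notAfter is already in the past
    elif ! openssl x509 -in "$pem" -noout -checkend "$((warn_days * 86400))" >/dev/null 2>&1; then
        echo EXPIRING         # valid now, but expires within WARN_DAYS
    else
        echo OK
    fi
}

# kubeconfig_cert KUBECONFIG FIELD OUT_PEM
# Decodes the first base64 value of FIELD into OUT_PEM.
kubeconfig_cert() {
    local cfg="$1" field="$2" out="$3"
    sed -n "s/^[[:space:]]*${field}:[[:space:]]*//p" "$cfg" \
        | head -n 1 | tr -d '" \r' | base64 -d > "$out" 2>/dev/null
}

# check_kubeconfig KUBECONFIG [WARN_DAYS]
# Prints one line per certificate; returns 1 if any is not OK.
check_kubeconfig() {
    local cfg="$1" warn_days="${2:-30}" tmp field status rc=0
    tmp="$(mktemp)"
    for field in certificate-authority-data client-certificate-data; do
        if kubeconfig_cert "$cfg" "$field" "$tmp" && [ -s "$tmp" ]; then
            status="$(cert_status "$tmp" "$warn_days")"
            echo "$field: $status $(openssl x509 -in "$tmp" -noout -enddate 2>/dev/null)"
        else
            status=MISSING    # field absent (e.g. token-based login) or undecodable
            echo "$field: $status"
        fi
        case "$status" in OK|MISSING) ;; *) rc=1 ;; esac
    done
    rm -f "$tmp"
    return "$rc"
}

# Usage: check_kubeconfig "$HOME/.kube/config" 30
```

This only inspects the certificates the kubeconfig carries; it does not contact the cluster or check certificates held on the nodes.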

Kent Munthe Caspersen

Reputation: 6898

The quick solution:

az aks rotate-certs -g $RESOURCE_GROUP_NAME -n $CLUSTER_NAME

When certificates have been rotated, you can use kubectl again.

Be ready to wait 30 minutes before the cluster fully recovers.

Full explanation can be found in this article:

https://learn.microsoft.com/en-us/azure/aks/certificate-rotation

Upvotes: 15
