Kube-api server stopped again

disha rajpal:
Hi, please help me with this question. I tried to solve it but no go.

The kube-api server stopped again! Check it out. Inspect the kube-api server logs and identify the root cause and fix the issue.
Run docker ps -a command to identify the kube-api server container. Run docker logs container-id command to view the logs.

Ashok Kumar:
Hey Disha

Check for api-server exited container using

docker ps --filter "status=exited"

then look for the api-server container id and use

docker logs <container_id>

Read all the log lines one by one; somewhere you would encounter a message such as “certificate is invalid” when connecting to etcd.
This should give you a hint where you should be looking next 🙂

disha rajpal:
Thanks

  1. docker ps -a
    check kube-apiserver container id
  2. docker logs container id
  3. check logs
  4. logs : “transport: authentication handshake failed: x509: certificate signed by unknown authority”.
    Reconnecting…
  5. certificate error → cat /etc/kubernetes/manifests/kube-apiserver.yaml
  6. --client-ca-file=/etc/kubernetes/pki/ca.crt
    --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
    openssl x509 -in crt or key path -text
    ex) openssl x509 -in /etc/kubernetes/pki/ca.crt -text
    check CN
  7. /etc/kubernetes/pki/ca.crt CN → kubernetes
    /etc/kubernetes/pki/apiserver-etcd-client.crt CN → etcd-ca
  8. openssl x509 -in /etc/kubernetes/pki/etcd/ca.crt -text
    CN → etcd-ca
  9. rewrite → vi /etc/kubernetes/manifests/kube-apiserver.yaml
    --client-ca-file=/etc/kubernetes/pki/ca.crt → --client-ca-file=/etc/kubernetes/pki/etcd/ca.crt

I think CN is wrong etcd CA ca.crt
different from other etcd authentication CNs

I hope you understand
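
Added example (not part of the thread above): instead of comparing CNs by eye as in steps 6 to 8, this script uses openssl verify to test whether the certificate named by one manifest flag chains to the CA file named by another. The two CAs, the client certificate and the manifest are constructed in a temporary directory and the helper names are hypothetical; --etcd-cafile is kube-apiserver's flag for the CA it uses to verify etcd, which the thread itself does not mention.

```shell
# Added example. CAs, client cert and manifest below are constructed throwaway data.

# flag_value MANIFEST FLAG: print the value of "- --FLAG=value" from a static pod manifest
flag_value() {
  sed -n "s/^[[:space:]]*-[[:space:]]*--$2=//p" "$1" | head -n 1
}

# issued_by CERT CA_FILE: succeed only if CERT chains to the CA in CA_FILE
issued_by() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# check_flag_pair MANIFEST CERT_FLAG CA_FLAG: print ok, mismatch or missing
check_flag_pair() {
  _cert=$(flag_value "$1" "$2"); _ca=$(flag_value "$1" "$3")
  if [ -z "$_cert" ] || [ -z "$_ca" ]; then echo missing
  elif issued_by "$_cert" "$_ca"; then echo ok
  else echo mismatch; fi
}

# make_fixture DIR: two self-signed CAs and a client cert signed by the etcd one
make_fixture() {
  mkdir -p "$1/etcd"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=kubernetes" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=etcd-ca" \
    -keyout "$1/etcd/ca.key" -out "$1/etcd/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=kube-apiserver-etcd-client" \
    -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null
  openssl x509 -req -in "$1/client.csr" -CA "$1/etcd/ca.crt" -CAkey "$1/etcd/ca.key" \
    -CAcreateserial -days 1 -out "$1/apiserver-etcd-client.crt" 2>/dev/null
}

# write_manifest DIR CA_PATH: minimal constructed manifest pointing --etcd-cafile at CA_PATH
write_manifest() {
  cat > "$1/kube-apiserver.yaml" <<EOF
spec:
  containers:
  - command:
    - kube-apiserver
    - --etcd-cafile=$2
    - --etcd-certfile=$1/apiserver-etcd-client.crt
EOF
}

tmp=$(mktemp -d) && make_fixture "$tmp"
for ca in "$tmp/ca.crt" "$tmp/etcd/ca.crt"; do
  write_manifest "$tmp" "$ca"
  echo "$ca: $(check_flag_pair "$tmp/kube-apiserver.yaml" etcd-certfile etcd-cafile)"
done
```

On a control-plane node, point check_flag_pair at /etc/kubernetes/manifests/kube-apiserver.yaml instead of the constructed file.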