Tags: kubernetes, centos, certificate, cluster-computing, kubeadm

Kubernetes certs renew all get error: must specify at least one ExtKeyUsage


I am using my kubernetes and get an error

must specify at least one ExtKeyUsage

when using the command

kubeadm certs renew all

like this:

{Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
I1227 11:55:26.654811   77170 kubelet.go:74] attempting to download the KubeletConfiguration from ConfigMap "kubelet-config"
W1227 11:55:26.666806   77170 utils.go:69] The recommended value for "clusterDNS" in "KubeletConfiguration" is: [10.233.0.10]; the provided value is: [169.254.25.10]

I1227 11:55:26.669988   77170 certs.go:344] Overriding the cluster certificate directory with the value from command line flag --cert-dir: /etc/kubernetes/pki
I1227 11:55:26.670118   77170 certs.go:522] validating certificate period for CA certificate
I1227 11:55:26.670639   77170 certs.go:522] validating certificate period for ca certificate
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
must specify at least one ExtKeyUsage
k8s.io/kubernetes/cmd/kubeadm/app/util/pkiutil.NewCertAndKey
        cmd/kubeadm/app/util/pkiutil/pki_helpers.go:103
k8s.io/kubernetes/cmd/kubeadm/app/phases/certs/renewal.(*FileRenewer).Renew
        cmd/kubeadm/app/phases/certs/renewal/filerenewer.go:42
k8s.io/kubernetes/cmd/kubeadm/app/phases/certs/renewal.(*Manager).RenewUsingLocalCA
        cmd/kubeadm/app/phases/certs/renewal/manager.go:241
k8s.io/kubernetes/cmd/kubeadm/app/cmd.renewCert
        cmd/kubeadm/app/cmd/certs.go:319
k8s.io/kubernetes/cmd/kubeadm/app/cmd.getRenewSubCommands.func3
        cmd/kubeadm/app/cmd/certs.go:284
github.com/spf13/cobra.(*Command).execute
        vendor/github.com/spf13/cobra/command.go:856
github.com/spf13/cobra.(*Command).ExecuteC
        vendor/github.com/spf13/cobra/command.go:974
github.com/spf13/cobra.(*Command).Execute
        vendor/github.com/spf13/cobra/command.go:902
k8s.io/kubernetes/cmd/kubeadm/app.Run
        cmd/kubeadm/app/kubeadm.go:50
main.main
        cmd/kubeadm/kubeadm.go:25
runtime.main
        /usr/local/go/src/runtime/proc.go:250
runtime.goexit
        /usr/local/go/src/runtime/asm_amd64.s:1594
failed to renew certificate apiserver
k8s.io/kubernetes/cmd/kubeadm/app/phases/certs/renewal.(*Manager).RenewUsingLocalCA
        cmd/kubeadm/app/phases/certs/renewal/manager.go:243
k8s.io/kubernetes/cmd/kubeadm/app/cmd.renewCert
        cmd/kubeadm/app/cmd/certs.go:319
k8s.io/kubernetes/cmd/kubeadm/app/cmd.getRenewSubCommands.func3
        cmd/kubeadm/app/cmd/certs.go:284
github.com/spf13/cobra.(*Command).execute
        vendor/github.com/spf13/cobra/command.go:856
github.com/spf13/cobra.(*Command).ExecuteC
        vendor/github.com/spf13/cobra/command.go:974
github.com/spf13/cobra.(*Command).Execute
        vendor/github.com/spf13/cobra/command.go:902
k8s.io/kubernetes/cmd/kubeadm/app.Run
        cmd/kubeadm/app/kubeadm.go:50
main.main
        cmd/kubeadm/kubeadm.go:25
runtime.main
        /usr/local/go/src/runtime/proc.go:250
runtime.goexit
        /usr/local/go/src/runtime/asm_amd64.s:1594
}

Currently I am using kubectl version


Solution

  • The error is a failure to renew certificates for the component "kube-apiserver", which is present in ExtKeyUsage.

    Check the PKI certificates. ExtKeyUsage refers to the X509v3 Extended Key Usage field of the certificates, which are located on the master hosts at /etc/kubernetes/pki. The error is: must specify at least one ExtKeyUsage

    Make sure the necessary ExtKeyUsage fields are present in the certificates by using the command below:

    root@kube-master:~# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -text -noout

    If the ExtKeyUsage fields are missing, you'll need to update the certificate configuration. You can generate a new certificate with the required key usages using openssl. From the Kubernetes documentation:

    openssl req -new -key /etc/kubernetes/pki/apiserver.key -out /etc/kubernetes/pki/apiserver.csr -subj "/CN=kubernetes"

    # The extension is read from the default (unnamed) section of the -extfile input; <(...) requires bash.
    openssl x509 -req -in /etc/kubernetes/pki/apiserver.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out /etc/kubernetes/pki/apiserver.crt -days 365 -extfile <(printf "extendedKeyUsage=serverAuth")

    After updating the certificate configuration, restart the Kubernetes components to apply the changes by using the command sudo systemctl restart kubelet.

    Run the kubeadm certs renew all command again to verify that the certificates are renewed successfully.

    Note: After renewing the certs, a reboot of the k8s master server, where the config is installed, is mandatory. Try rebooting the master; after restarting the Kubelet everything works fine.
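
A programmatic version of the openssl inspection step in the answer above, added here as an example (it is not part of the original answer or of the kubeadm source): it reports the X509v3 Extended Key Usage entries that Go's crypto/x509 recognizes in each certificate, so a certificate with none stands out. The names certEKU and sampleCert are hypothetical and the sample certificates are constructed in memory; pass real paths such as /etc/kubernetes/pki/apiserver.crt as arguments to check files on a master host.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"time"
)

// certEKU returns the subject CN and Extended Key Usage list of the first certificate in a PEM file.
func certEKU(pemBytes []byte) (string, []x509.ExtKeyUsage, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", nil, fmt.Errorf("no PEM CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", nil, err
	}
	return cert.Subject.CommonName, cert.ExtKeyUsage, nil
}

// sampleCert builds a constructed, self-signed certificate in memory (test data only).
func sampleCert(cn string, eku ...x509.ExtKeyUsage) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	// Constructed samples are always checked; certificate paths given as arguments are checked too.
	inputs := map[string][]byte{"sample-with-eku": sampleCert("kube-apiserver", x509.ExtKeyUsageServerAuth),
		"sample-without-eku": sampleCert("kube-apiserver")}
	for _, p := range os.Args[1:] {
		inputs[p], _ = os.ReadFile(p) // an unreadable file surfaces as a PEM error below
	}
	for name, data := range inputs {
		cn, eku, err := certEKU(data)
		fmt.Printf("%s: CN=%q ekuCount=%d err=%v\n", name, cn, len(eku), err)
	}
}
```

A line with ekuCount=0 and no error marks a certificate whose Extended Key Usage field is empty or absent.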