Certificate has expired

Kubernetes SecurityTLS ErrorHigh PriorityLast updated: June 29, 2026Tested on:Kubectl v1.30Minikube v1.32Helm v3.14June 2026

This error occurs when the cluster client certificates or control plane component certificates exceed their expiration timestamps.

Certificate has expired Quick Fix⏱️ Est. Fix Time: 5 minutes

Usually happens because:

  • Control plane certs exceed their default 1-year lifetime limits
  • Kubelet client cert rotation is blocked by missing RBAC credentials
  • Worker host clock drift flags active certificates as expired

🔍 Quick Checklist:

What is Certificate has expired?

A 'Certificate has expired' (or x509: certificate has expired) error is raised when TLS verification fails because the current system time is past the 'NotAfter' validity timestamp of the certificate. In Kubernetes v1.36 clusters, certificates are used extensively for control plane communications (kubelet-to-apiserver, apiserver-to-etcd, etc.) and client authentication. Standard installer tools (like kubeadm) configure control plane certificates with a 1-year expiration period, requiring periodic renewal.

Common Causes

  • Expired control plane certificates: Cluster certificates (apiserver.crt, etcd-peer.crt) have not been renewed and exceed their 1-year lease limit.
  • Outdated Kubelet client certificate auto-renew: The Kubelet fails to auto-rotate its client certificates ('client-kubelet.pem') because bootstrapping permissions are blocked.
  • Clock drift on nodes: The virtual machine host system clock drifts significantly, falsely flagging active certificates as expired or not yet valid.
CauseFrequency
Control plane certificates exceed their 1-year lifetime (standard kubeadm setup)⭐⭐⭐⭐⭐
Clock drift on host nodes causing premature certificate invalidation⭐⭐⭐⭐
Kubelet client certificate auto-rotation fails (RBAC blocks)⭐⭐⭐

Common Mistakes

  • Renewing certificates using Kubeadm but forgetting to restart control plane static pods (kube-apiserver, kube-controller-manager, etcd), leaving the memory processes using the expired certificates.
  • Updating control plane certificates without replacing the user's `~/.kube/config` file, locking clients out with Unauthorized or expired warnings.

How to Fix

1Renew control plane certificates using Kubeadm: Run 'kubeadm certs renew all' on control plane nodes to reset all leases.
2Verify current certificates validity dates: Use 'kubeadm certs check-expiration' to print remaining validity days.
3Configure Kubelet cert rotation: Ensure 'rotate-server-certificates: true' is enabled inside the Kubelet configuration profile.

Kubernetes Operations & Verification

Verify and renew all control plane certificates using Kubeadm utility tools in Kubernetes v1.36.

Kubeadm Check & Renew Example
# 1. Check expiration of all cluster certs
$ sudo kubeadm certs check-expiration

# 2. Renew all certificates dynamically
$ sudo kubeadm certs renew all

# 3. Copy updated admin config to user config directory
$ sudo cp /etc/kubernetes/admin.conf $HOME/.kube/config
$ sudo chown $(id -u):$(id -g) $HOME/.kube/config

Platform Specific Fixes

Examine the validity window of raw certificate files using OpenSSL commands.

Linux Config
# 1. Inspect api server certificate expiry date
openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -enddate

# 2. Restart control plane container runtime components to load new certificates
sudo systemctl restart containerd

Best Practices

  • Configure automated cron tasks or configure control plane cert automation scripts to run renews yearly.
  • Integrate monitoring checks to alert operations teams when certificate validity drops below 30 days.

Frequently Asked Questions (FAQ)

Q: What causes a 'Certificate has expired' error in Kubernetes?

Kubernetes control plane certificates (created by tools like kubeadm) expire after 1 year by default. If they are not renewed, components like the API server or etcd will refuse to communicate with each other, halting the cluster.

Q: How do I check when my certificates expire?

If your cluster was built with kubeadm, run 'kubeadm certs check-expiration' on the control plane node. For raw files, use OpenSSL: 'openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text | grep Validity -A 2'.

Q: How do I renew expired kubeadm certificates?

Log into the control plane node and run: 'sudo kubeadm certs renew all'. After renewing, you must restart the control plane pods (kube-apiserver, kube-controller-manager, kube-scheduler, etcd) to load the new certificates.

Q: Why do nodes fail to auto-rotate client certificates?

Ensure that Kubelet certificate rotation is enabled in your Kubelet config ('rotate-certificates: true') and that the cluster has an active signer (like kube-controller-manager) capable of auto-approving Kubelet CSRs (Certificate Signing Requests).

Still having this problem?

Didn't solve your problem?

SuggestRequest Error