# Changing the validity period of RKE2 and K3s cluster system certificates

## RKE2

### Step 1: ssh into a server (control-plane/etcd) node

```
ssh <user>@<control-plane node ip>
```

and switch to the root user

```
su - root
```

### Step 2: Stop the rke2-server service

```
systemctl stop rke2-server.service
```

### Step 3: Set the environment variable for the certificate validity period

The variable below sets the certificate validity period of all core system services inside the RKE2 cluster (kube-apiserver, etcd, kube-scheduler, kube-controller-manager, kubelet, kube-proxy, etc.) to 10 years.

```
cat << EOF > /etc/default/rke2-server
CATTLE_NEW_SIGNED_CERT_EXPIRATION_DAYS=3650
EOF
```

:::danger
Note: the value of this variable must be a string representing the unsigned integer number of days until expiry (i.e. the X509 "NotAfter" value).
:::

### Step 4: Manually rotate the TLS certificates in the cluster

```
rke2 certificate rotate
```

The following certificates can be rotated: `admin`, `api-server`, `controller-manager`, `scheduler`, `rke2-controller`, `rke2-server`, `cloud-controller`, `etcd`, `auth-proxy`, `kubelet`, `kube-proxy`

### Step 5: Start the rke2-server service

```
systemctl start rke2-server.service
```

### Step 6: Check the validity period of all system certificates on the rke2-server

```
rke2 certificate check
```

Output:

```
INFO[0000] Server detected, checking agent and server certificates
INFO[0000] Checking certificates for etcd
INFO[0000] /var/lib/rancher/rke2/server/tls/etcd/client.crt: certificate CN=etcd-client is ok, expires at 2035-05-24T09:44:16Z
INFO[0000] /var/lib/rancher/rke2/server/tls/etcd/client.crt: certificate CN=etcd-server-ca@1736240037 is ok, expires at 2035-01-05T08:53:57Z
INFO[0000] /var/lib/rancher/rke2/server/tls/etcd/server-client.crt: certificate CN=etcd-server is ok, expires at 2035-05-24T09:44:16Z
INFO[0000] /var/lib/rancher/rke2/server/tls/etcd/server-client.crt: certificate CN=etcd-server-ca@1736240037 is ok, expires at 2035-01-05T08:53:57Z
INFO[0000] /var/lib/rancher/rke2/server/tls/etcd/peer-server-client.crt: certificate CN=etcd-peer is ok, expires at 2035-05-24T09:44:16Z
INFO[0000] /var/lib/rancher/rke2/server/tls/etcd/peer-server-client.crt: certificate CN=etcd-peer-ca@1736240037 is ok, expires at 2035-01-05T08:53:57Z
INFO[0000] Checking certificates for kube-proxy
INFO[0000] /var/lib/rancher/rke2/server/tls/client-kube-proxy.crt: certificate CN=system:kube-proxy is ok, expires at 2035-05-24T09:44:16Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-kube-proxy.crt: certificate CN=rke2-client-ca@1736240037 is ok, expires at 2035-01-05T08:53:57Z
INFO[0000] /var/lib/rancher/rke2/agent/client-kube-proxy.crt: certificate CN=system:kube-proxy is ok, expires at 2035-05-24T09:44:16Z
INFO[0000] /var/lib/rancher/rke2/agent/client-kube-proxy.crt: certificate CN=rke2-client-ca@1736240037 is ok, expires at 2035-01-05T08:53:57Z
INFO[0000] Checking certificates for kubelet
INFO[0000] /var/lib/rancher/rke2/agent/client-kubelet.crt: certificate CN=system:node:admin-rancher,O=system:nodes is ok, expires at 2035-05-24T09:44:17Z
INFO[0000] /var/lib/rancher/rke2/agent/client-kubelet.crt: certificate CN=rke2-client-ca@1736240037 is ok, expires at 2035-01-05T08:53:57Z
INFO[0000] /var/lib/rancher/rke2/agent/serving-kubelet.crt: certificate CN=admin-rancher is ok, expires at 2035-05-24T09:44:17Z
INFO[0000] /var/lib/rancher/rke2/agent/serving-kubelet.crt: certificate CN=rke2-server-ca@1736240037 is ok, expires at 2035-01-05T08:53:57Z
INFO[0000] Checking certificates for rke2-controller
INFO[0000] /var/lib/rancher/rke2/server/tls/client-rke2-controller.crt: certificate CN=system:rke2-controller is ok, expires at 2035-05-24T09:44:16Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-rke2-controller.crt: certificate CN=rke2-client-ca@1736240037 is ok, expires at 2035-01-05T08:53:57Z
INFO[0000] /var/lib/rancher/rke2/agent/client-rke2-controller.crt: certificate CN=system:rke2-controller is ok, expires at 2035-05-24T09:44:16Z
INFO[0000] /var/lib/rancher/rke2/agent/client-rke2-controller.crt: certificate CN=rke2-client-ca@1736240037 is ok, expires at 2035-01-05T08:53:57Z
INFO[0000] Checking certificates for api-server
INFO[0000] /var/lib/rancher/rke2/server/tls/client-kube-apiserver.crt: certificate CN=system:apiserver,O=system:masters is ok, expires at 2035-05-24T09:44:16Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-kube-apiserver.crt: certificate CN=rke2-client-ca@1736240037 is ok, expires at 2035-01-05T08:53:57Z
INFO[0000] /var/lib/rancher/rke2/server/tls/serving-kube-apiserver.crt: certificate CN=kube-apiserver is ok, expires at 2035-05-24T09:44:16Z
INFO[0000] /var/lib/rancher/rke2/server/tls/serving-kube-apiserver.crt: certificate CN=rke2-server-ca@1736240037 is ok, expires at 2035-01-05T08:53:57Z
INFO[0000] Checking certificates for admin
INFO[0000] /var/lib/rancher/rke2/server/tls/client-admin.crt: certificate CN=system:admin,O=system:masters is ok, expires at 2035-05-24T09:44:16Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-admin.crt: certificate CN=rke2-client-ca@1736240037 is ok, expires at 2035-01-05T08:53:57Z
INFO[0000] Checking certificates for auth-proxy
INFO[0000] /var/lib/rancher/rke2/server/tls/client-auth-proxy.crt: certificate CN=system:auth-proxy is ok, expires at 2035-05-24T09:44:16Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-auth-proxy.crt: certificate CN=rke2-request-header-ca@1736240037 is ok, expires at 2035-01-05T08:53:57Z
INFO[0000] Checking certificates for cloud-controller
INFO[0000] /var/lib/rancher/rke2/server/tls/client-rke2-cloud-controller.crt: certificate CN=rke2-cloud-controller-manager is ok, expires at 2035-05-24T09:44:16Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-rke2-cloud-controller.crt: certificate CN=rke2-client-ca@1736240037 is ok, expires at 2035-01-05T08:53:57Z
INFO[0000] Checking certificates for controller-manager
INFO[0000] /var/lib/rancher/rke2/server/tls/client-controller.crt: certificate CN=system:kube-controller-manager is ok, expires at 2035-05-24T09:44:16Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-controller.crt: certificate CN=rke2-client-ca@1736240037 is ok, expires at 2035-01-05T08:53:57Z
INFO[0000] Checking certificates for scheduler
INFO[0000] /var/lib/rancher/rke2/server/tls/client-scheduler.crt: certificate CN=system:kube-scheduler is ok, expires at 2035-05-24T09:44:16Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-scheduler.crt: certificate CN=rke2-client-ca@1736240037 is ok, expires at 2035-01-05T08:53:57Z
INFO[0000] Checking certificates for supervisor
INFO[0000] /var/lib/rancher/rke2/server/tls/client-supervisor.crt: certificate CN=system:rke2-supervisor,O=system:masters is ok, expires at 2035-05-24T09:44:16Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-supervisor.crt: certificate CN=rke2-client-ca@1736240037 is ok, expires at 2035-01-05T08:53:57Z
```

### Step 7: Repeat Steps 1 ~ 5 on the next control-plane/etcd node

---

## K3s

### Step 1: ssh into a K3s node

```
ssh <user>@<node ip>
```

and switch to the root user

```
su - root
```

### Step 2: Stop the k3s service

```
systemctl stop k3s.service
```

### Step 3: Set the environment variable for the certificate validity period

The variable below sets the certificate validity period of all core system services inside the K3s cluster (kube-apiserver, etcd, kube-scheduler, kube-controller-manager, kubelet, kube-proxy, etc.) to 10 years.

```
cat << EOF > /etc/default/k3s
CATTLE_NEW_SIGNED_CERT_EXPIRATION_DAYS=3650
EOF
```

:::danger
Note: the value of this variable must be a string representing the unsigned integer number of days until expiry (i.e. the X509 "NotAfter" value).
:::

### Step 4: Manually rotate the TLS certificates in the cluster

```
k3s certificate rotate
```

The following certificates can be rotated: `admin`, `api-server`, `controller-manager`, `scheduler`, `k3s-controller`, `k3s-server`, `cloud-controller`, `etcd`, `auth-proxy`, `kubelet`, `kube-proxy`

### Step 5: Start the k3s service

```
systemctl start k3s.service
```

### Step 6: Check the validity period of all system certificates on the k3s node

```
k3s certificate check
```

Output:

```
INFO[0000] Server detected, checking agent and server certificates
INFO[0000] Checking certificates for etcd
INFO[0000] /var/lib/rancher/rke2/server/tls/etcd/client.crt: certificate CN=etcd-client is ok, expires at 2035-05-24T09:44:16Z
INFO[0000] /var/lib/rancher/rke2/server/tls/etcd/client.crt: certificate CN=etcd-server-ca@1736240037 is ok, expires at 2035-01-05T08:53:57Z
INFO[0000] /var/lib/rancher/rke2/server/tls/etcd/server-client.crt: certificate CN=etcd-server is ok, expires at 2035-05-24T09:44:16Z
INFO[0000] /var/lib/rancher/rke2/server/tls/etcd/server-client.crt: certificate CN=etcd-server-ca@1736240037 is ok, expires at 2035-01-05T08:53:57Z
INFO[0000] /var/lib/rancher/rke2/server/tls/etcd/peer-server-client.crt: certificate CN=etcd-peer is ok, expires at 2035-05-24T09:44:16Z
INFO[0000] /var/lib/rancher/rke2/server/tls/etcd/peer-server-client.crt: certificate CN=etcd-peer-ca@1736240037 is ok, expires at 2035-01-05T08:53:57Z
INFO[0000] Checking certificates for kube-proxy
INFO[0000] /var/lib/rancher/rke2/server/tls/client-kube-proxy.crt: certificate CN=system:kube-proxy is ok, expires at 2035-05-24T09:44:16Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-kube-proxy.crt: certificate CN=rke2-client-ca@1736240037 is ok, expires at 2035-01-05T08:53:57Z
INFO[0000] /var/lib/rancher/rke2/agent/client-kube-proxy.crt: certificate CN=system:kube-proxy is ok, expires at 2035-05-24T09:44:16Z
INFO[0000] /var/lib/rancher/rke2/agent/client-kube-proxy.crt: certificate CN=rke2-client-ca@1736240037 is ok, expires at 2035-01-05T08:53:57Z
INFO[0000] Checking certificates for kubelet
INFO[0000] /var/lib/rancher/rke2/agent/client-kubelet.crt: certificate CN=system:node:admin-rancher,O=system:nodes is ok, expires at 2035-05-24T09:44:17Z
INFO[0000] /var/lib/rancher/rke2/agent/client-kubelet.crt: certificate CN=rke2-client-ca@1736240037 is ok, expires at 2035-01-05T08:53:57Z
INFO[0000] /var/lib/rancher/rke2/agent/serving-kubelet.crt: certificate CN=admin-rancher is ok, expires at 2035-05-24T09:44:17Z
INFO[0000] /var/lib/rancher/rke2/agent/serving-kubelet.crt: certificate CN=rke2-server-ca@1736240037 is ok, expires at 2035-01-05T08:53:57Z
INFO[0000] Checking certificates for rke2-controller
INFO[0000] /var/lib/rancher/rke2/server/tls/client-rke2-controller.crt: certificate CN=system:rke2-controller is ok, expires at 2035-05-24T09:44:16Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-rke2-controller.crt: certificate CN=rke2-client-ca@1736240037 is ok, expires at 2035-01-05T08:53:57Z
INFO[0000] /var/lib/rancher/rke2/agent/client-rke2-controller.crt: certificate CN=system:rke2-controller is ok, expires at 2035-05-24T09:44:16Z
INFO[0000] /var/lib/rancher/rke2/agent/client-rke2-controller.crt: certificate CN=rke2-client-ca@1736240037 is ok, expires at 2035-01-05T08:53:57Z
INFO[0000] Checking certificates for api-server
INFO[0000] /var/lib/rancher/rke2/server/tls/client-kube-apiserver.crt: certificate CN=system:apiserver,O=system:masters is ok, expires at 2035-05-24T09:44:16Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-kube-apiserver.crt: certificate CN=rke2-client-ca@1736240037 is ok, expires at 2035-01-05T08:53:57Z
INFO[0000] /var/lib/rancher/rke2/server/tls/serving-kube-apiserver.crt: certificate CN=kube-apiserver is ok, expires at 2035-05-24T09:44:16Z
INFO[0000] /var/lib/rancher/rke2/server/tls/serving-kube-apiserver.crt: certificate CN=rke2-server-ca@1736240037 is ok, expires at 2035-01-05T08:53:57Z
INFO[0000] Checking certificates for admin
INFO[0000] /var/lib/rancher/rke2/server/tls/client-admin.crt: certificate CN=system:admin,O=system:masters is ok, expires at 2035-05-24T09:44:16Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-admin.crt: certificate CN=rke2-client-ca@1736240037 is ok, expires at 2035-01-05T08:53:57Z
INFO[0000] Checking certificates for auth-proxy
INFO[0000] /var/lib/rancher/rke2/server/tls/client-auth-proxy.crt: certificate CN=system:auth-proxy is ok, expires at 2035-05-24T09:44:16Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-auth-proxy.crt: certificate CN=rke2-request-header-ca@1736240037 is ok, expires at 2035-01-05T08:53:57Z
INFO[0000] Checking certificates for cloud-controller
INFO[0000] /var/lib/rancher/rke2/server/tls/client-rke2-cloud-controller.crt: certificate CN=rke2-cloud-controller-manager is ok, expires at 2035-05-24T09:44:16Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-rke2-cloud-controller.crt: certificate CN=rke2-client-ca@1736240037 is ok, expires at 2035-01-05T08:53:57Z
INFO[0000] Checking certificates for controller-manager
INFO[0000] /var/lib/rancher/rke2/server/tls/client-controller.crt: certificate CN=system:kube-controller-manager is ok, expires at 2035-05-24T09:44:16Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-controller.crt: certificate CN=rke2-client-ca@1736240037 is ok, expires at 2035-01-05T08:53:57Z
INFO[0000] Checking certificates for scheduler
INFO[0000] /var/lib/rancher/rke2/server/tls/client-scheduler.crt: certificate CN=system:kube-scheduler is ok, expires at 2035-05-24T09:44:16Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-scheduler.crt: certificate CN=rke2-client-ca@1736240037 is ok, expires at 2035-01-05T08:53:57Z
INFO[0000] Checking certificates for supervisor
INFO[0000] /var/lib/rancher/rke2/server/tls/client-supervisor.crt: certificate CN=system:rke2-supervisor,O=system:masters is ok, expires at 2035-05-24T09:44:16Z
INFO[0000] /var/lib/rancher/rke2/server/tls/client-supervisor.crt: certificate CN=rke2-client-ca@1736240037 is ok, expires at 2035-01-05T08:53:57Z
```

### Step 7: Repeat Steps 1 ~ 5 on the next node
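As an added example (not part of the original page, and not RKE2/K3s code), the shell functions below parse the `certificate check` output shown in Step 6 of both sections and flag every entry, leaf and CA lines alike, that expires within a chosen number of days. They assume a Linux node with GNU `date -d`; the sample lines and the reference time are constructed, with the client-admin entry given a deliberately near expiry so the filter has something to report.

```shell
#!/bin/sh
# Added example (not from the original page): parse the output of
# `rke2 certificate check` / `k3s certificate check` and list certificates
# that expire within a threshold. Assumes GNU date (-d), as on a Linux node.

# Constructed sample lines modelled on the page's output; the client-admin
# entry is given a deliberately near expiry so that it gets flagged.
SAMPLE_CHECK_OUTPUT='INFO[0000] Checking certificates for etcd
INFO[0000] /var/lib/rancher/rke2/server/tls/etcd/client.crt: certificate CN=etcd-client is ok, expires at 2035-05-24T09:44:16Z
INFO[0000] /var/lib/rancher/rke2/server/tls/etcd/client.crt: certificate CN=etcd-server-ca@1736240037 is ok, expires at 2035-01-05T08:53:57Z
INFO[0000] Checking certificates for admin
INFO[0000] /var/lib/rancher/rke2/server/tls/client-admin.crt: certificate CN=system:admin,O=system:masters is ok, expires at 2026-02-01T00:00:00Z'

# Constructed reference time for the sample: 2025-12-01T00:00:00Z as epoch seconds.
REF_EPOCH=1764547200

# days_until RFC3339_TIMESTAMP REF_EPOCH -> whole days from REF_EPOCH to the timestamp
days_until() {
    exp=$(date -u -d "$1" +%s) || return 1
    echo $(( (exp - $2) / 86400 ))
}

# expiring_within THRESHOLD_DAYS [REF_EPOCH] reads check output on stdin and
# prints "<days> <cert path> <subject>" for every entry (leaf and CA lines
# alike) that expires within THRESHOLD_DAYS, sorted by days remaining.
expiring_within() {
    threshold=$1
    now=${2:-$(date +%s)}
    grep 'expires at' | while IFS= read -r line; do
        path=${line#*] }   # drop the "INFO[0000] " prefix
        path=${path%%:*}   # keep the file path before ": certificate"
        subject=${line#*certificate }
        subject=${subject%% is *}
        ts=${line##*expires at }
        d=$(days_until "$ts" "$now") || continue
        if [ "$d" -le "$threshold" ]; then
            echo "$d $path $subject"
        fi
    done | sort -n
}

# count_expiring THRESHOLD_DAYS [REF_EPOCH]: number of flagged entries in the sample
count_expiring() {
    printf '%s\n' "$SAMPLE_CHECK_OUTPUT" | expiring_within "$1" "$2" | wc -l | tr -d ' '
}

# On a live node, replace the sample with the real command, e.g.:
#   rke2 certificate check 2>&1 | expiring_within 90
```

In the output above the `-ca@` entries expire on a different date than the rotated leaf certificates, which is why the filter reports both kinds rather than only the leaves.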