k3s apiserver Unable to connect to the server: x509: certificate is valid for 10.43.0.1, 127.0.0.1, 30.232.90.253, ::1, not [remote-ip]
We have installed a k3s server on an internal machine (IP: 30.232.90.253), and we use an SSH remote tunnel to expose the internal k3s server on our public machine (remote-ip). However, when we try to connect to the k3s server, it reports an error:
Unable to connect to the server: x509: certificate is valid for 10.43.0.1, 127.0.0.1, 30.232.90.253, ::1, not [remote-ip]
Why
The error shows that the certificate is not valid for the tunnel IP: by default, the k3s server generates its certificate for the internal node IP. We should use the --tls-san option to tell k3s about the external IP.
You can read more about the k3s options in Configuration Options | K3s.
How
We know we should add the --tls-san option to the k3s server, but we have already installed k3s and we don't want to reinstall it.
First, add the tls-san option to /etc/rancher/k3s/config.yaml:
tls-san:
- remote-ip
Then, delete the old secret and move dynamic-cert.json out of the way:
kubectl -n kube-system delete secrets/k3s-serving
mv /var/lib/rancher/k3s/server/tls/dynamic-cert.json /tmp/dynamic-cert.json
Finally, restart the k3s service:
systemctl restart k3s
Now you can connect to the k3s API server through remote-ip, and the certificate will be valid for it.
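The check behind this error, as an added example (not code from k3s or from the original post): kubectl is a Go client, and Go's crypto/x509 compares the address it dialed against the certificate's IP SANs. The sketch builds a throwaway certificate with the SANs from the error above and tests 203.0.113.10, a constructed stand-in for remote-ip, before and after that address is added to the SAN list; checkAddr and defaultSANs are names made up for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// defaultSANs are the addresses from the error message on this page.
var defaultSANs = []string{"10.43.0.1", "127.0.0.1", "30.232.90.253", "::1"}

// checkAddr builds a throwaway self-signed cert with the given IP SANs and
// runs the hostname check a Go TLS client applies to the address it dialed.
func checkAddr(sans []string, addr string) error {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	for _, s := range sans {
		ip := net.ParseIP(s)
		if ip == nil {
			return fmt.Errorf("not an IP address: %q", s)
		}
		tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	return cert.VerifyHostname(addr) // nil only if addr is one of the IP SANs
}

func main() {
	remote := "203.0.113.10" // constructed stand-in for remote-ip
	fmt.Println("default SANs:", checkAddr(defaultSANs, remote))
	fmt.Println("with tls-san:", checkAddr(append(defaultSANs, remote), remote))
}
```

The first line printed has the same shape as the kubectl error; the second prints <nil> because the address is now in the SAN list.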
Conclusion
k3s provides lots of options to users; it's very useful and powerful. Thanks for the great open-source lightweight Kubernetes.