1. 目前证书信任三个 master 的 IP 地址，现在需要再加一个（192.168.56.13）。先查看当前证书的 SAN：
[root@k8s-master seversslbak]# cfssl-certinfo -cert server.pem { "subject": { "common_name": "kubernetes", "country": "CN", "organization": "k8s", "organizational_unit": "System", "locality": "BeiJing", "province": "BeiJing", "names": [ "CN", "BeiJing", "BeiJing", "k8s", "System", "kubernetes" ] }, "issuer": { "common_name": "kubernetes", "country": "CN", "organization": "k8s", "organizational_unit": "System", "locality": "Beijing", "province": "Beijing", "names": [ "CN", "Beijing", "Beijing", "k8s", "System", "kubernetes" ] }, "serial_number": "591829917047207358591893406474948745207699905189", "sans": [ "kubernetes", "kubernetes.default", "kubernetes.default.svc", "kubernetes.default.svc.cluster", "kubernetes.default.svc.cluster.local", "127.0.0.1", "192.168.56.10", "192.168.56.11", "192.168.56.12", "10.10.10.1" ], "not_before": "2018-10-02T02:52:00Z", "not_after": "2028-09-29T02:52:00Z", "sigalg": "SHA256WithRSA", "authority_key_id": "93:D5:D3:91:42:2C:22:45:E:EE:12:82:F8:78:9C:BA:D0:5:DE:43", "subject_key_id": "9E:76:4C:F7:24:11:E5:86:24:1:C2:DC:2D:F5:AA:3B:F0:B3:21:A5", "pem": "-----BEGIN 
CERTIFICATE-----\nMIIEhTCCA22gAwIBAgIUZ6qSQldvDDFbFZ0mWhR30hU2mqUwDQYJKoZIhvcNAQEL\nBQAwZTELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB0JlaWppbmcxEDAOBgNVBAcTB0Jl\naWppbmcxDDAKBgNVBAoTA2s4czEPMA0GA1UECxMGU3lzdGVtMRMwEQYDVQQDEwpr\ndWJlcm5ldGVzMB4XDTE4MTAwMjAyNTIwMFoXDTI4MDkyOTAyNTIwMFowZTELMAkG\nA1UEBhMCQ04xEDAOBgNVBAgTB0JlaUppbmcxEDAOBgNVBAcTB0JlaUppbmcxDDAK\nBgNVBAoTA2s4czEPMA0GA1UECxMGU3lzdGVtMRMwEQYDVQQDEwprdWJlcm5ldGVz\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyk0D+RlWUot1909wHhxs\n8gHESHGwjW85OyfN6qMwBeZbrLy9OJGWWADvxhLd5JXga+3ZMmyp979+RzDvTaoE\nFpOAaKzQBipWJguU2kP9PO/AGKePD7+sAHK8D09A6z9T7rFqr/ymALkDgtLG9xiG\nzLhJrdmZNjvGPB3RLFHtXt6RXR6vnXJ9JpQ90b1hmXsp8tRv0YNfaGA3KhOSNB6e\nXC0oTXNS/h4G1l0ee9x0BVYlwDCwL/7lSVF0E1lAcXzU8zqy4qY2815CHcHaTtxw\nMne6jSwh6DMfIdVuZSiLumgeLIRJZntRFwd8GqMmDGjCwomH+XutasJ8OGaApDh6\nxQIDAQABo4IBKzCCAScwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUF\nBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBSedkz3JBHlhiQB\nwtwt9ao78LMhpTAfBgNVHSMEGDAWgBST1dORQiwiRQ7uEoL4eJy60AXeQzCBpwYD\nVR0RBIGfMIGcggprdWJlcm5ldGVzghJrdWJlcm5ldGVzLmRlZmF1bHSCFmt1YmVy\nbmV0ZXMuZGVmYXVsdC5zdmOCHmt1YmVybmV0ZXMuZGVmYXVsdC5zdmMuY2x1c3Rl\ncoIka3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FshwR/AAABhwTA\nqDgKhwTAqDgLhwTAqDgMhwQKCgoBMA0GCSqGSIb3DQEBCwUAA4IBAQCTT5vj/DYR\niPwJ3eXd48fK6GDtwtRlfs1XlDxjVRx77OOiw3L7f3D3+fExC5Zq9TffJ7r32NRp\n+FICkkmguYCmvZ5sohiiunDdVfeKDWxYT4LlqF1YX1Ta0D6bVyRdvr9lImaty+hS\nkyH3BFVocVSn2vdtGUSy2X8LRrEXNvdcRrrLihVWlZONCrAUV2pnyU8LWHhDEZak\n5H3aIlz7Eqr4/lcXytXjk1DiTGAi67fwLy4yiRvrPnpsYlp/Ee9gudlkysO7ArIi\nNBKK42nYU1pGXqIeOarrCH1WWDGMy2JHp/okSEVlktoy2gwGi7GembAf68x5viUM\ngoV9PpKjMgvD\n-----END CERTIFICATE-----\n" }
2. 修改 server-csr.json，在 hosts 中加入新的 IP 192.168.56.13：
{ "CN": "kubernetes", "hosts": [ "127.0.0.1", "192.168.56.10", "192.168.56.11", "192.168.56.12", "192.168.56.13", "10.10.10.1", "kubernetes", "kubernetes.default", "kubernetes.default.svc", "kubernetes.default.svc.cluster", "kubernetes.default.svc.cluster.local" ], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "L": "BeiJing", "ST": "BeiJing", "O": "k8s", "OU": "System" } ] }
3. 基于原来的 CA 证书重新生成 server.pem 和 server-key.pem：
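# Re-issue the kube-apiserver serving certificate from the existing CA so that
# the hosts list in server-csr.json (including the newly added 192.168.56.13)
# ends up in the certificate's SANs. cfssljson -bare writes server.pem,
# server-key.pem and server.csr into the current directory.
#
# The steps are chained with && so that a failed signing run cannot be followed
# by copying a stale server.pem and restarting the apiserver with it. The SAN
# check runs before the copy, rather than only after the restart.
#
# Security notes:
#  - ca-key.pem is the CA private key; anyone who can read it can mint
#    certificates the cluster trusts. Keep it off hosts that do not sign, with
#    owner-only permissions.
#  - Re-issuing does not invalidate the previous server.pem: it remains valid
#    until its own not_after, so the old server-key.pem (and any backup copy of
#    it) must stay protected or be deleted.
#  - server-key.pem in /opt/kubernetes/ssl/ should be readable only by the
#    account kube-apiserver runs as; check the mode after the copy.
#  - NOTE(review): only one master is updated here; if the other apiservers
#    use the same server.pem they presumably need the new pair too (confirm).
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server &&
  cfssl-certinfo -cert server.pem | grep -qF '"192.168.56.13"' &&
  cp server.pem server-key.pem /opt/kubernetes/ssl/ &&
  systemctl restart kube-apiserver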
[root@k8s-master ssl]# cfssl-certinfo -cert server.pem { "subject": { "common_name": "kubernetes", "country": "CN", "organization": "k8s", "organizational_unit": "System", "locality": "BeiJing", "province": "BeiJing", "names": [ "CN", "BeiJing", "BeiJing", "k8s", "System", "kubernetes" ] }, "issuer": { "common_name": "kubernetes", "country": "CN", "organization": "k8s", "organizational_unit": "System", "locality": "Beijing", "province": "Beijing", "names": [ "CN", "Beijing", "Beijing", "k8s", "System", "kubernetes" ] }, "serial_number": "508184769729075093485943956732747441633339345736", "sans": [ "kubernetes", "kubernetes.default", "kubernetes.default.svc", "kubernetes.default.svc.cluster", "kubernetes.default.svc.cluster.local", "127.0.0.1", "192.168.56.10", "192.168.56.11", "192.168.56.12", "192.168.56.13", "10.10.10.1" ], "not_before": "2018-10-27T03:11:00Z", "not_after": "2028-10-24T03:11:00Z", "sigalg": "SHA256WithRSA", "authority_key_id": "93:D5:D3:91:42:2C:22:45:E:EE:12:82:F8:78:9C:BA:D0:5:DE:43", "subject_key_id": "7B:6E:13:B3:7A:31:84:E5:A4:9:87:64:8C:7D:EE:1:71:C2:EE:66", "pem": "-----BEGIN 
CERTIFICATE-----\nMIIEizCCA3OgAwIBAgIUWQPLDvnjyQgDePhdAwjioWv3i0gwDQYJKoZIhvcNAQEL\nBQAwZTELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB0JlaWppbmcxEDAOBgNVBAcTB0Jl\naWppbmcxDDAKBgNVBAoTA2s4czEPMA0GA1UECxMGU3lzdGVtMRMwEQYDVQQDEwpr\ndWJlcm5ldGVzMB4XDTE4MTAyNzAzMTEwMFoXDTI4MTAyNDAzMTEwMFowZTELMAkG\nA1UEBhMCQ04xEDAOBgNVBAgTB0JlaUppbmcxEDAOBgNVBAcTB0JlaUppbmcxDDAK\nBgNVBAoTA2s4czEPMA0GA1UECxMGU3lzdGVtMRMwEQYDVQQDEwprdWJlcm5ldGVz\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzCpmf7s4P25vls5mPynl\nnxbdA3c8SrW54ZVPePk2LOJIFZl5CfqNoB5O4bNSgEVo8uTTLDDMab+H9XhqD2DO\ndpNrzfQ3oJbx5olodR8rph3BDP6RKSB8Mj9T6pbgcNXYWMvLrTbJahXfWzrxG/IN\nRaqgoUmuBomGN7xLbJpmEREmMzB4Q3/Cr0YZqkOgUiwgzuOwdfObzQ/JzWuZoQNw\n374QhaIqpVaH/ZIGHgL3XKblzuv3zhtLV9Vmi0/ST6+1m+yVS6fkvdiOHG2bXYFM\ng7seGd8ZU6dUV6sxMciAChsbWWPCHcYiqGO1C6Qa6ACJhlukDFhMzPvleI9ithuT\nLQIDAQABo4IBMTCCAS0wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUF\nBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBR7bhOzejGE5aQJ\nh2SMfe4BccLuZjAfBgNVHSMEGDAWgBST1dORQiwiRQ7uEoL4eJy60AXeQzCBrQYD\nVR0RBIGlMIGiggprdWJlcm5ldGVzghJrdWJlcm5ldGVzLmRlZmF1bHSCFmt1YmVy\nbmV0ZXMuZGVmYXVsdC5zdmOCHmt1YmVybmV0ZXMuZGVmYXVsdC5zdmMuY2x1c3Rl\ncoIka3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FshwR/AAABhwTA\nqDgKhwTAqDgLhwTAqDgMhwTAqDgNhwQKCgoBMA0GCSqGSIb3DQEBCwUAA4IBAQA/\n3cMaOSScJL7g8O0iHhS0TFJ6qy1/RKYcq0Sr0cLAwP4z4OzMwdO7NF0U51VyjOLU\n81b3WCh1PHl7TV47ja2lP5fIe5+WCfnSRUMo66yRjItVFOqxQUzdD3v3YxaBuKou\npNbPlk8rUMs6a+6kUiN82QZjlAJZXWIdnxm+IkFHKLS/GCk9TemqhlMogejmYgUI\njBuZL3ZnkWX2QFMW13xEEs0pR+oxPsGaXu16UsRjhewVgZNNo5lHjn8Llgs2Nubk\nKzlVDm6NfZcac+UxOrfOaaHwXb6wSXYN/wIwrcCyjuy8Hq7aDV0glCf/WmMcJiGT\nStVwi1DLBdWkQNCcmkFN\n-----END CERTIFICATE-----\n" } [root@k8s-master ssl]#