---
slug: "update-certificates-in-microk8s-kubernbetes"
title: "How to Renew SSL Certificates When They Expire in Microk8s"
description: "This article covers how to handle error messages related to server certificate expiration when attempting to operate Microk8s (Kubernetes)."
url: "https://www.ytyng.com/en/blog/update-certificates-in-microk8s-kubernbetes"
publish_date: "2023-08-21T01:08:59Z"
created: "2023-08-21T01:08:59Z"
updated: "2026-02-27T07:48:13.814Z"
categories: []
keywords: ""
featured_image_url: "https://media.ytyng.com/resize/20250615/7454ae37659f4f0eb4a7d356f791b999.png.webp?width=768"
has_video: true
has_music: true
video_urls: ["https://media.ytyng.net/ytyng-blog/291/featured-video-1.mp4", "https://media.ytyng.net/ytyng-blog/291/featured-video-2.mp4", "https://media.ytyng.net/ytyng-blog/291/featured-video-3.mp4"]
music_urls: ["https://media.ytyng.net/ytyng-blog/291/featured-music-291-3.mp3", "https://media.ytyng.net/ytyng-blog/291/featured-music-291-4.mp3"]
lang: "en"
---

# How to Renew SSL Certificates When They Expire in Microk8s

Here is the translation of the provided Japanese blog article into English:

---

When trying to operate Micro k8s (Kubernetes), you might encounter the following error:

```
Unable to connect to the server: tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2023-08-21T09:52:50+09:00 is after 2023-08-19T07:31:15Z
```

Here’s how to address this issue.

First, on the Kubernetes node, run `sudo microk8s.refresh-certs -c`:

```
$ sudo microk8s.refresh-certs -c
The CA certificate will expire in 3273 days.
The server certificate will expire in -2 days.
The front proxy client certificate will expire in -2 days.
```

You can identify the expired certificates, and then update each certificate using `sudo microk8s.refresh-certs`.

```
$ sudo microk8s.refresh-certs --cert=front-proxy-client.crt
Taking a backup of the current certificates under /var/snap/microk8s/5625/certs-backup/
Creating new certificates
Signature ok
subject=CN = front-proxy-client
Getting CA Private Key
Restarting service kubelite.
```

```
$ sudo microk8s.refresh-certs --cert=server.crt
Taking a backup of the current certificates under /var/snap/microk8s/5625/certs-backup/
Creating new certificates
Signature ok
subject=C = GB, ST = Canonical, L = Canonical, O = Canonical, OU = Canonical, CN = 127.0.0.1
Getting CA Private Key
Restarting service kubelite.
Restarting service cluster-agent.
```

Verify the results:

```
$ sudo microk8s.refresh-certs -c
The CA certificate will expire in 3273 days.
The server certificate will expire in 364 days.
The front proxy client certificate will expire in 364 days.
```

Since the validity is 364 days, it seems you’ll need to perform this procedure once a year.