Azure-docs: Could you please add how to check the expiration date

Created on 11 Dec 2019  ·  12 Comments  ·  Source: MicrosoftDocs/azure-docs

I checked my cluster which I deployed recently (2019-12-08).
But that cert is still short.

It'd be greatly helpful if you could implement 1) how to check the expiration date and 2) how we can deploy a cluster which has a longer cert.

$ openssl s_client -connect labaks2-dns-451acc94.hcp.japaneast.azmk8s.io:443 < /dev/null 2> /dev/null | openssl x509 -noout -startdate -enddate                             
notBefore=Dec  8 13:44:37 2019 GMT
notAfter=Dec  7 13:54:37 2021 GMT


All 12 comments

@yuriwoof Thanks for the feedback. We are looking into this and will get back on this thread.

@MicrosoftDocs/aks-pm Please look into this and add your comments.
I checked with the CLI, but there is no option to pass the cert validity with az aks create -h while creating the cluster.
Can you add some information on this?

There is no way to figure out the certificate expiry using the CLI. If you created the cluster before May 2018 it would expire in 2 years. If you created after, it is 30 years.

Is it May 2018 or March 2019? Asking because I received an email saying March but I read May here.
Also, could you suggest a way to retrieve the creation date of an AKS cluster?

@andyzhangx Will kubectl get nodes returning the number of days a cluster has been up for be okay?

Is it May 2018 or March 2019? Asking because I received an email saying March but I read May here.
Also, could you suggest a way to retrieve the creation date of an AKS cluster?

There is a way to get the accurate cert expiration time:

  • Get the certificate-authority-data value under your kubeconfig (e.g. ~/.kube/config)
  • Base64 decode that value (e.g. echo "LS0tLS1CRUdJTiBDRVJUSUZJQ0FUR..." | base64 -d > /tmp/cert.crt)
  • openssl x509 -in /tmp/cert.crt -text

And then you will get the accurate cert expiration time:
# openssl x509 -in /tmp/cert.crt -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            58:9b:19:19:0c:46:76:df:03:06:aa:0c:69:d6:91:65
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=ca
        Validity
            Not Before: Oct 29 12:58:09 2019 GMT
            Not After : Oct 21 13:08:09 2049 GMT
        Subject: CN=ca
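
The steps in the comment above, combined into a POSIX shell helper. This is an added example, not part of the original thread or of Azure's tooling. The function names and the sample kubeconfig (built around a throwaway self-signed certificate) are constructed for illustration; `-checkend` is the standard `openssl x509` option that tests whether a certificate expires within a given number of seconds.

```shell
# Added example (not from the thread): check certs embedded in a kubeconfig.
# Function names are hypothetical; the sample kubeconfig is constructed.

# Print the base64 values stored under a key, one per line.
# $1 = kubeconfig path, $2 = key (default: certificate-authority-data)
kubeconfig_cert_blobs() {
    awk -v key="${2:-certificate-authority-data}:" '$1 == key { print $2 }' "$1"
}

# Print notBefore/notAfter for every certificate found under the key.
kubeconfig_cert_dates() {
    kubeconfig_cert_blobs "$1" "$2" | while read -r blob; do
        printf '%s' "$blob" | base64 -d | openssl x509 -noout -startdate -enddate
    done
}

# Return 0 if any certificate expires within $2 days, else 1.
# $3 = optional key. An undecodable value also counts as expiring.
kubeconfig_cert_expiring() {
    secs=$(( $2 * 86400 ))
    for blob in $(kubeconfig_cert_blobs "$1" "$3"); do
        printf '%s' "$blob" | base64 -d |
            openssl x509 -noout -checkend "$secs" >/dev/null 2>&1 || return 0
    done
    return 1
}

# Constructed sample: kubeconfig ($1) with a throwaway self-signed CA valid $2 days.
make_sample_kubeconfig() {
    pem=$(openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=ca" \
        -days "$2" -keyout /dev/null 2>/dev/null)
    b64=$(printf '%s\n' "$pem" | base64 | tr -d '\n')
    cat > "$1" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: sample
  cluster:
    certificate-authority-data: $b64
    server: https://sample.invalid:443
EOF
}

cfg=$(mktemp)
make_sample_kubeconfig "$cfg" 730    # two-year validity, as reported in the thread
kubeconfig_cert_dates "$cfg"
if kubeconfig_cert_expiring "$cfg" 30; then echo "expires within 30 days"; fi
rm -f "$cfg"
```

Passing `client-certificate-data` as the last argument checks the client certificate stored in the same file instead of the CA.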

@VikasPullagura-MSFT Can you add the above samples on how to check for expiry date? Also please update the May 2018 to March 2019

@VikasPullagura-MSFT Can I please get an ack?

FYI, from a quick test on our clusters the two methods didn't give us the same results:
from the certificate test mentioned by @andyzhangx we got that on all our clusters except for one certificates expire after 2 years, while kubectl get nodes returned that all nodes in all clusters have an age lower than 4 months.
Maybe kubectl get nodes returns the time since when the cluster was last upgraded?

Correct. kubectl get nodes returns the time since when the cluster was last upgraded.

@sauryadas Thanks. Ack. I will assign it to the author to update the doc with the samples on how to check the expiry date.
@zr-msft Can you please help with updating the doc with the information provided in this comment: https://github.com/MicrosoftDocs/azure-docs/issues/44448#issuecomment-565274700
Thanks :)

Thank you for the feedback @yuriwoof
I have updated the article to include information to check the expiration date of your certificates. It should be live soon.
