Istio sidecar injector root cert NBF

I just set up a new Istio deployment. I’m seeing failures related to sidecar injection and the associated root certificate. Digging a little deeper, it looks like the root cert that was created during deployment has a not before date in the future (+1 day). I’m looking at both the secret named “istio.istio-sidecar-injector-service-account” and the config of the mutatingwebhook istio-sidecar-injector (the certs are the same). I double checked the system dates of all nodes in my cluster and they’re all correct. What can I do to fix this?



Here is the actual error I see:

Warning FailedCreate 3s (x11 over 8s) replicaset-controller Error creating: Internal error occurred: failed calling webhook “”: Post https://istio-sidecar-injector.istio-system.svc:443/inject?timeout=30s: x509: certificate has expired or is not yet valid

Nevermind, dates were not actually in sync across all nodes in the cluster. My bad.