X509 Certificate preventing Helm deploys

@Oliver I see that you’re the Cert master from previous posts.
My cluster started throwing this today:

Internal error occurred: failed calling admission webhook "pilot.validation.istio.io": Post https://istio-galley.istio-system.svc:443/admitpilot?timeout=30s: x509: certificate has expired or is not yet valid 

Helm is no longer deploying and we’re in a bind. I don’t think the root certificate has expired since it has only been 99 days not 1 yr like previous posts. I’m using Istio 1.0.5. Is there a way to rectify this without downtime?

Hi Mike,
Can you provide pilot and galley’s cert? The default cert of galley/pilot is 90 days, but we should provide auto cert rotation.

You can do this by running:

$ kubectl get secret -o json istio.istio-galley-service-account -n istio-system | jq -r '.data["cert-chain.pem"]' | base64 --decode | openssl x509 -noout -text | grep "Not Before" -C 1

$ kubectl get secret -o json istio.istio-pilot-service-account -n istio-system | jq -r '.data["cert-chain.pem"]' | base64 --decode | openssl x509 -noout -text | grep "Not Before" -C 1

And btw, 1.0.5 is out of LTS tomorrow; I strongly recommend upgrading to 1.1 or the upcoming 1.2.
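
Added example (not part of the original posts, and not Istio's own tooling): a script form of the check above that returns a distinct exit status for "expired" and "expires soon", so it can run from a cron job or CI step before a webhook starts failing. The function names and the 30-day default window are assumptions; it reads the secret with kubectl's jsonpath output instead of jq, and the sample certificate is constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Reads one PEM certificate (the first in a chain) on stdin.
# Prints its notBefore/notAfter lines and returns:
#   0 = valid beyond the warning window   1 = expires within the window
#   2 = already expired                   3 = input is not a parseable cert
# notBefore is printed for inspection but not evaluated.
cert_expiry_status() {
  warn_days=${1:-30}            # assumed default window, in days
  pem=$(cat)
  dates=$(printf '%s\n' "$pem" | openssl x509 -noout -dates 2>/dev/null) || return 3
  echo "$dates"
  # -checkend N exits non-zero when the cert will have expired N seconds from now.
  printf '%s\n' "$pem" | openssl x509 -noout -checkend 0 >/dev/null 2>&1 || return 2
  printf '%s\n' "$pem" | openssl x509 -noout \
    -checkend $((warn_days * 86400)) >/dev/null 2>&1 || return 1
  return 0
}

# Pulls cert-chain.pem from one of the service-account secrets named in the
# thread and checks it. $1 = secret name, $2 = warning window in days.
check_istio_secret() {
  kubectl get secret "$1" -n istio-system \
    -o jsonpath='{.data.cert-chain\.pem}' |
    base64 --decode | cert_expiry_status "${2:-30}"
}

# Constructed sample input: a throwaway self-signed cert valid for $1 days,
# used only to exercise cert_expiry_status without a cluster.
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null \
    -subj "/CN=constructed-sample" -days "$1" 2>/dev/null
}

# Usage against a cluster:
#   for s in istio.istio-galley-service-account istio.istio-pilot-service-account; do
#     check_istio_secret "$s" 30; echo "$s -> exit $?"
#   done
```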

Thanks @Tao_Li. Since this was one of my production clusters I took it out of prod, deleted Istio and all configmaps then reinstalled it. That seemed to work for us. I have plans to upgrade to 1.1 soon.

Great, sounds good to me.