cli icon indicating copy to clipboard operation
cli copied to clipboard
verified publisher icon dapr

dapr mtls renew-certificate -k --valid-until <days> --restart did not restart statefulsets/dapr-scheduler-server

Open ithings-yill opened this issue 3 weeks ago • 0 comments

  1. dapr -v CLI version: 1.16.5 Runtime version: n/a

  2. dapr mtls renew-certificate -k --valid-until --restart⌛ Starting certificate rotation ℹ️ generating fresh certificates ℹ️ Updating certifcates in your Kubernetes cluster ℹ️ Dapr control plane version 1.16.3 detected in namespace dapr-system ✅ Certificate rotation is successful! Your new certicate is valid through Sat, 27 Nov 2026 03:27:23 UTC ℹ️ Restarting statefulsets/dapr-placement-server.. ℹ️ Restarting deploy/dapr-sidecar-injector.. ℹ️ Restarting deploy/dapr-operator.. ℹ️ Restarting deploy/dapr-sentry.. ✅ All control plane services have restarted successfully!

  3. kubectl rollout restart deploy/myapp The sidecar cannot be started, error: Failed to connect to scheduler host: failed to watch scheduler hosts: rpc error: code = Unavailable desc = connection error: desc = "transport: authentication handshake failed: x509svid: could not verify leaf certificate: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "cluster.local")" scope=dapr.runtime.scheduler.watchhosts type=log ver=1.16.3

  4. After manually restarting statefulsets/dapr-scheduler-server, the sidecar started normally.

ithings-yill avatar Dec 04 '25 04:12 ithings-yill