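I created 3 nodes on AWS EC2. Of these three nodes, I have one master node of type t2.medium and 2 worker nodes of type t2.micro.
For the past two days I have been facing the problem "The connection to the server 172.31.58.39:6443 was refused - did you specify the right host or port?" but have been unable to solve it. I searched for everything related to this problem, but none of the solutions worked.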
EC2: t2.medium
OS: Ubuntu 22.04
kubeadm version:
&version.Info{Major:"1",
Minor:"28",
GitVersion:"v1.28.2",
GitCommit:"89a4ea3e1e4ddd7f7572286090359983e0387b2f",
GitTreeState:"clean", BuildDate:"2023-09-13T09:34:32Z",
GoVersion:"go1.20.8",
Compiler:"gc",
Platform:"linux/amd64"}
kubectl version:
Client Version: v1.28.2
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
kubectl get nodes
E0923 17:25:20.923628 7300 memcache.go:265] couldn't get current server API group list: Get "https://172.31.58.39:6443/api?timeout=32s": tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kubernetes")
E0923 17:25:20.928061 7300 memcache.go:265] couldn't get current server API group list: Get "https://172.31.58.39:6443/api?timeout=32s": tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kubernetes")
E0923 17:25:20.932249 7300 memcache.go:265] couldn't get current server API group list: Get "https://172.31.58.39:6443/api?timeout=32s": tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kubernetes")
E0923 17:25:20.936440 7300 memcache.go:265] couldn't get current server API group list: Get "https://172.31.58.39:6443/api?timeout=32s": tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kubernetes")
E0923 17:25:20.940482 7300 memcache.go:265] couldn't get current server API group list: Get "https://172.31.58.39:6443/api?timeout=32s": tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "Kubernetes")
Unable to connect to the server: tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "Kubernetes")
Some people get this error:
kubectl get nodes
Unable to connect to the server: tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kubernetes")
Sometimes this error appears:
kubectl get nodes
The connection to the server 172.31.58.39:6443 was refused - did you specify the right host or port?
kubectl cluster-info
E0924 07:51:01.606793 10760 memcache.go:265] couldn't get current server API group list: Get "https://172.31.58.39:6443/api?timeout=32s": dial tcp 172.31.58.39:6443: connect: connection refused
E0924 07:51:01.607243 10760 memcache.go:265] couldn't get current server API group list: Get "https://172.31.58.39:6443/api?timeout=32s": dial tcp 172.31.58.39:6443: connect: connection refused
E0924 07:51:01.608930 10760 memcache.go:265] couldn't get current server API group list: Get "https://172.31.58.39:6443/api?timeout=32s": dial tcp 172.31.58.39:6443: connect: connection refused
E0924 07:51:01.610408 10760 memcache.go:265] couldn't get current server API group list: Get "https://172.31.58.39:6443/api?timeout=32s": dial tcp 172.31.58.39:6443: connect: connection refused
E0924 07:51:01.611920 10760 memcache.go:265] couldn't get current server API group list: Get "https://172.31.58.39:6443/api?timeout=32s": dial tcp 172.31.58.39:6443: connect: connection refused
To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
The connection to the server 172.31.58.39:6443 was refused - did you specify the right host or port?
.kube/config
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0F----
    server: https://172.31.58.39:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJ----
    client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJ---
netstat -pnlt | grep 6443
Got nothing
Sometimes I get this response from the above command:
tcp6 1 0 :::6443 :::* LISTEN 89485/kube-apiserve
firewall-cmd --list-all
You're performing an operation over default zone ('public'),
but your connections/interfaces are in zone 'docker' (see --get-active-zones)
You most likely need to use --zone=docker option.
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
Master node security group (inbound)
– sgr-084c44b571f12226d 8080 TCP 0.0.0.0/0 MasterSecurityGroups –
– sgr-01784eb1f091d49f9 6430 TCP 0.0.0.0/0 MasterSecurityGroups –
– sgr-071619a3b2faa66e6 22 TCP 0.0.0.0/0 MasterSecurityGroups –
– sgr-0ef554af49b020d01 6784 UDP 0.0.0.0/0 MasterSecurityGroups –
– sgr-0f54b7b5d068e3fc8 6783 TCP 0.0.0.0/0 MasterSecurityGroups –
– sgr-05e5c889e6d056897 2379 - 2380 TCP 0.0.0.0/0 MasterSecurityGroups –
– sgr-03adee8559fe297ca 6443 TCP 0.0.0.0/0 MasterSecurityGroups –
– sgr-0bd29c6cad853563b 443 TCP 0.0.0.0/0 MasterSecurityGroups –
– sgr-06a00288ac397903a 80 TCP 0.0.0.0/0 MasterSecurityGroups –
– sgr-05eed4b9a8e95625c 30000 - 32767 TCP 0.0.0.0/0 MasterSecurityGroups –
I am confused about my own IP and the EC2 local IP. Let me tell you what I have checked:
curl -s ifconfig.me
and then I got
54.157.171.165 => This is my master node Public IPv4 address
But in .kube/config the server entry uses my local IP with port 6443:
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTi====
    server: https://172.31.58.39:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: LS0tLS1CRUdJTiBD====
    client-key-data: LS0tLS1C====
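Answer 1
To resolve this error: Unable to connect to the server: tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kubernetes")
Please try the following steps:
1. Check whether a valid certificate exists in the $HOME/.kube/config file and generate a new certificate.
2. Unset the KUBECONFIG environment variable with the following command: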
unset KUBECONFIG
Or set it to the default KUBECONFIG location:
export KUBECONFIG=/etc/kubernetes/admin.conf
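3. Another workaround is to replace the existing kubeconfig for the "admin" user:
mv $HOME/.kube $HOME/.kube.bak
mkdir $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
You need to make sure you are using the correct kubeconfig, because reinstalling Kubernetes creates a new certificate.
Use $HOME/.kube/config in the setKubeconfig option, or copy it directly to the path where you have set up the VS Code extension to read the config. Use the following command: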
cp $HOME/.kube/config /{{path-for-kubeconfig}}
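To resolve this error: The connection to the server 172.31.58.39:6443 was refused - did you specify the right host or port?
Try the following steps on the master node to resolve your issue:
sudo -i
swapoff -a
exit
strace -eopenat kubectl version
Another suggestion is to restart containerd with sudo systemctl restart containerd.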
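
The x509 error above means the CA embedded in the kubeconfig that kubectl loads does not match the cluster's current CA, which is what step 3 addresses by copying /etc/kubernetes/admin.conf. The following added example (not part of the original answer) compares the CA fingerprints of two kubeconfig files to confirm that $HOME/.kube/config is stale before replacing it; the function names and the sample kubeconfigs are constructed for illustration, and the parser assumes a kubeadm-style layout.

```python
import base64
import hashlib
import re
import ssl


def ca_fingerprints(kubeconfig_text):
    """Map each cluster's server URL to the SHA-256 of its embedded CA (DER)."""
    found = {}
    # Regex split avoids a YAML dependency; assumes kubeadm-style layout.
    entries = re.split(r"^\s*-\s+cluster:\s*$", kubeconfig_text, flags=re.M)
    for entry in entries[1:]:
        ca = re.search(r"^\s*certificate-authority-data:\s*(\S+)", entry, re.M)
        server = re.search(r"^\s*server:\s*(\S+)", entry, re.M)
        if not (ca and server):
            continue  # e.g. the CA is referenced by file path instead
        pem = base64.b64decode(ca.group(1)).decode("ascii").strip()
        # Hash the DER bytes so PEM line wrapping cannot cause a false mismatch.
        der = ssl.PEM_cert_to_DER_cert(pem)
        found[server.group(1)] = hashlib.sha256(der).hexdigest()
    return found


def stale_servers(user_config, admin_config):
    """Servers whose CA in user_config differs from the one in admin_config."""
    admin = ca_fingerprints(admin_config)
    user = ca_fingerprints(user_config)
    return sorted(s for s, fp in user.items() if s in admin and admin[s] != fp)


def constructed_kubeconfig(placeholder_der):
    # Constructed sample: placeholder bytes stand in for a real CA certificate.
    pem = ssl.DER_cert_to_PEM_cert(placeholder_der)
    data = base64.b64encode(pem.encode("ascii")).decode("ascii")
    return (
        "apiVersion: v1\nclusters:\n- cluster:\n"
        f"    certificate-authority-data: {data}\n"
        "    server: https://172.31.58.39:6443\n  name: kubernetes\n"
    )


# Stands in for $HOME/.kube/config left over from an earlier install.
USER_CONFIG = constructed_kubeconfig(b"constructed CA, previous kubeadm init")
# Stands in for the current /etc/kubernetes/admin.conf.
ADMIN_CONFIG = constructed_kubeconfig(b"constructed CA, current kubeadm init")

if __name__ == "__main__":
    for server in stale_servers(USER_CONFIG, ADMIN_CONFIG):
        print(f"{server}: CA in user kubeconfig differs from admin.conf")
```

On a real master node, pass the contents of $HOME/.kube/config and /etc/kubernetes/admin.conf to stale_servers; an empty result means the CA is the same in both files.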