Getting a certificate error after applying config for initial controlplane machine.

[alexlebens]

Hello,

I am currently trying to bootstrap a new cluster using Raspberry Pi 4s with version 1.9.4. However after applying my initial config I am always getting the following error when trying to open the dashboard or use any other command:

error getting version: rpc error: code = Unavailable desc = connection error: desc = "transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2025-02-15T22:02:32-06:00 is after 1970-01-02T00:00:18Z"

I recognize that the date being near 1970 likely means something is wrong with time. I have used both pool.ntp.org and time.cloudflare.com, and have set this both in the config and my network device. My other devices also use time.cloudflare.com so I do not believe it's being blocked.

I have applied the config from my mac and a windows desktop, reinstalled talosctl, regenerated config multiple times. I have imaged the sdcard for the rpi using both dd and the rpi imaging tool. I have not yet used a prior version. The 3 rpis I am using have been part of a talos cluster before.

But I am not sure where to go from here. I have not found this error searching through issues or discussions. I do not have an easy way to get video access to monitor it locally. My remaining suspicions are there is either some issue with it syncing time properly, something is wrong when I generate config, or with my config.

I'm would not consider myself an expert, this is all for homelab/hobby use. I hope I am just overlooking something. I'll appreciate any help.

Config:

version: v1alpha1
debug: false
persist: true

machine:
    type: controlplane
    token: ""
    ca:
        crt: ""
        key: ""
    certSANs:
        - 10.232.1.11
        - 10.232.1.12
        - 10.232.1.13
    kubelet:
        image: ghcr.io/siderolabs/kubelet:v1.32.2
        defaultRuntimeSeccompProfileEnabled: true
        disableManifestsDirectory: true
        nodeIP:
          validSubnets:
              - 10.232.0.1/22
        extraArgs:
            rotate-server-certificates: true
    network:
        nameservers:
            - 10.232.1.51
            - 10.232.1.52
    install:
        disk: /dev/mmcblk0
        # https://factory.talos.dev/?arch=arm64&board=rpi_generic&cmdline-set=true&extensions=-&extensions=siderolabs%2Ftailscale&platform=metal&target=sbc&version=1.9.4
        image: factory.talos.dev/installer/04d4078b3c5d84c71491d9d7acfb48423098225eb2037448a56c0da12cf379a6:v1.9.4
        wipe: false
    features:
        rbac: true
        stableHostname: true
        apidCheckExtKeyUsage: true
        diskQuotaSupport: true
        kubePrism:
            enabled: true
            port: 7445
        hostDNS:
            enabled: true
            forwardKubeDNSToHost: true
    time:
        disabled: false
        servers:
            - time.cloudflare.com
        bootTimeout: 2m0s

cluster:
    id: ""
    secret: ""
    controlPlane:
        endpoint: https://cl01tl-api.<domain>:6443
    clusterName: cl01tl
    network:
        dnsDomain: cluster.local
        podSubnets:
            - 10.244.0.0/16
        serviceSubnets:
            - 10.96.0.0/12
        cni:
            name: none
    token: ""
    secretboxEncryptionSecret: ""
    ca:
        crt: ""
        key: ""
    aggregatorCA:
        crt: ""
        key: ""
    serviceAccount:
        key: ""
    apiServer:
        image: registry.k8s.io/kube-apiserver:v1.32.2
        extraArgs:
            enable-aggregator-routing: true
        certSANs:
            - 10.232.1.11
            - 10.232.1.12
            - 10.232.1.13
        disablePodSecurityPolicy: true
        admissionControl:
            - name: PodSecurity
              configuration:
                  apiVersion: pod-security.admission.config.k8s.io/v1alpha1
                  defaults:
                      audit: restricted
                      audit-version: latest
                      enforce: baseline
                      enforce-version: latest
                      warn: restricted
                      warn-version: latest
                  exemptions:
                      namespaces:
                          - kube-system
                      runtimeClasses: []
                      usernames: []
                  kind: PodSecurityConfiguration
        auditPolicy:
            apiVersion: audit.k8s.io/v1
            kind: Policy
            rules:
                - level: Metadata
    controllerManager:
        image: registry.k8s.io/kube-controller-manager:v1.32.2
    proxy:
        disabled: true
    scheduler:
        image: registry.k8s.io/kube-scheduler:v1.32.2
    discovery:
        enabled: true
        registries:
            kubernetes:
                disabled: true
    etcd:
        ca:
            crt: ""
            key: ""
        extraArgs:
            listen-metrics-urls: http://0.0.0.0:2381
        advertisedSubnets:
            - 10.232.0.1/22
    allowSchedulingOnControlPlanes: false

[alexlebens]

Small update: I have now installed with 1.8.4 and it does not have that error, but in the logs it has:

[talos] time query error with server "::" {"component": "controller-runtime", "controller": "time.SyncController", "error": "read udp [::1]:43151->[::1]:123: read: connection refused"}

[talos] time query error with server "::" {"component": "controller-runtime", "controller": "time.SyncController", "error": "read udp [::1]:60977->[::1]:123: read: connection refused"}

My assumption is that I have some issue with syncing time, and in 1.9 it generates certificates dependent on time.

I was using blocky as my dns, but swapped to using my network device. And now no longer receiving the error and it bootstrapped fine. So one of my blocking lists was blocking time severs?