
What can I do when my 'certificate is not yet valid'?

This troubleshooting guide helps you resolve the 'certificate is not yet valid' error for HTTPS connections.

⚠️ Please note that k3OS is deprecated. We recommend switching to Flatcar instead.

Sometimes, when executing certain commands on k3OS, you may encounter an error saying that the SSL certificate is not yet valid. This problem can occur if the system’s date and time are not properly configured, especially if you are in a restricted network that does not allow your device to retrieve the current date and time via Network Time Protocol (NTP). In this article, we will discuss two possible issues that can cause this problem and provide solutions for each.

Issue #1

While executing the command export VERIFY_CHECKSUM=false && curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 && chmod 700 get_helm.sh && ./get_helm.sh on k3OS, you might get an error message like this:

curl: (60) SSL certificate problem: certificate is not yet valid
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Checking the time with date results in a timestamp from 2017. There are two possible solutions.

Possible solution #1: configure NTP

The time is not configured properly. Your NTP server may be blocked (especially if you are inside a university network).

You can verify that by entering sudo ntpd -d -q -n -p 0.de.pool.ntp.org. If you get a result like this, then it is definitely blocked:

ntpd: '0.de.pool.ntp.org' is 62.141.38.38
ntpd: sending query to 62.141.38.38
Alarm clock

  1. We recommend using the NTP server of your local university or asking your system administrator.

For RWTH Aachen / FH Aachen, you can use sudo ntpd -d -q -n -p ntp1.rwth-aachen.de as specified here

Possible solution #2: set hardware clock via BIOS

  1. Go into the BIOS
  2. Set the hardware clock of the device manually.

Issue #2

k3OS reports errors because the hardware date is in the past (e.g., 01.01.2017).

Example: the k3s certificates are generated during startup, while the system is still using the hardware time. Even after setting the time manually with NTP, you cannot connect to k3s, as the certificates created during startup are not valid anymore. The time setting is not persisted across reboots.

Steps to Reproduce

  1. Install k3OS without updating the BIOS clock
  2. Install UMH
  3. Helm will fail on the install step due to outdated certificates.

Possible solution

  1. Load cloud-init with added ntp_servers on OS install. You can use the one at https://www.umh.app/development.yaml

Be careful: you need to host it on an HTTP server (not HTTPS), as you would otherwise get other certificate issues while fetching it.
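
The two issues above can be told apart by comparing a certificate's validity dates with the local clock. The following is an added example, not part of the original guide: it classifies the output of `openssl x509 -noout -dates`, and the `CLOCK_FLOOR` date, the function names and both sample certificates are constructed assumptions.

```python
import calendar
import ssl
import time

def utc(year, month, day, hour=0, minute=0, second=0):
    """Epoch seconds for a UTC wall-clock time."""
    return calendar.timegm((year, month, day, hour, minute, second))

# Assumption: a date this machine has certainly passed (e.g. its install date).
CLOCK_FLOOR = utc(2020, 1, 1)

# Constructed samples in the format printed by `openssl x509 -noout -dates`.
REMOTE_CERT = "notBefore=Mar 15 00:00:00 2023 GMT\nnotAfter=Mar 14 23:59:59 2024 GMT\n"
LOCAL_K3S_CERT = "notBefore=Jan  1 00:00:10 2017 GMT\nnotAfter=Jan  1 00:00:10 2018 GMT\n"

def parse_openssl_dates(text):
    """Return (not_before, not_after) in epoch seconds."""
    found = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            found[key] = ssl.cert_time_to_seconds(value.strip())
    if len(found) != 2:
        raise ValueError("need both notBefore= and notAfter= lines")
    return found["notBefore"], found["notAfter"]

def diagnose(dates_text, now=None, floor=CLOCK_FLOOR):
    """Return (verdict, whole_days) for a certificate time error."""
    now = time.time() if now is None else now
    not_before, not_after = parse_openssl_dates(dates_text)
    if now < floor:
        # Issue #1: the clock is wrong whatever the certificate says; report
        # the minimum number of days it must be behind.
        return "local-clock-behind", int(max(floor, not_before) - now) // 86400
    if now < not_before:
        return "cert-not-yet-valid", int(not_before - now) // 86400
    if now > not_after:
        days = int(now - not_after) // 86400
        # Issue #2: a locally generated certificate dated before the floor
        # was issued while the clock was stale.
        if not_before < floor:
            return "cert-issued-under-stale-clock", days
        return "cert-expired", days
    return "ok", 0

if __name__ == "__main__":
    print(diagnose(REMOTE_CERT, now=utc(2017, 1, 1, 0, 5)))
    print(diagnose(LOCAL_K3S_CERT, now=utc(2023, 6, 1)))
```

The `cert-issued-under-stale-clock` verdict is only meaningful for certificates generated on the machine itself, such as the k3s certificates created during startup.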
