# Common Cluster Issues

## The cluster details page prompts that the self-signed HTTPS certificate of ApiServer has expired


### What certificate has expired
The expired certificate is the apiserver-loopback-client certificate, which is used for communication between management components (such as kube-scheduler and kube-controller-manager) and kube-apiserver on the same node. Once it expires, communication between the management components is affected, which can cause problems such as Pods failing to be created normally.

For details, see the [Kubernetes community's official explanation of this issue](https://github.com/kubernetes/kubernetes/issues/86552).


### How to check the certificate
The apiserver-loopback-client certificate is held in the memory of kube-apiserver. It is generated automatically when the service starts and is not written to a file. To view the certificate:

Log in to a **master node** and run:

```
curl --resolve apiserver-loopback-client:6443:127.0.0.1 -k -v https://apiserver-loopback-client:6443 2>&1| grep -i  'server certificate' -A5
```
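
To turn that output into a pass/fail check that can be run on each master, the following added example (not part of the original page or of UK8S tooling) parses the `expire date:` line and reports the days remaining. The function names are hypothetical, the sample output is constructed, and it assumes GNU `date` and a curl build that prints OpenSSL-style verbose certificate lines.

```sh
#!/bin/sh
# Added example (not from the original page). Requires GNU date and a curl build
# whose -v output prints an "expire date:" line (OpenSSL backend).

# Constructed sample of the curl -v lines that the grep above selects.
SAMPLE_CURL_OUTPUT='* Server certificate:
*  subject: CN=apiserver-loopback-client@1577836800
*  start date: Jan  1 00:00:00 2020 GMT
*  expire date: Dec 31 00:00:00 2020 GMT
*  issuer: CN=apiserver-loopback-client-ca@1577836800'

# Same request as the page's command, keeping only curl's verbose TLS output.
fetch_loopback_tls_info() {
  curl --resolve apiserver-loopback-client:6443:127.0.0.1 -k -v -s -o /dev/null \
    https://apiserver-loopback-client:6443 2>&1
}

# Print the value of the first "expire date:" line read from stdin.
parse_expire_date() {
  sed -n 's/^\*[[:space:]]*expire date:[[:space:]]*//p' | head -n 1
}

# days_left EXPIRE_DATE [NOW_EPOCH]: whole days until expiry, rounded down
# (negative once the certificate has expired).
days_left() {
  dl_exp=$(date -u -d "$1" +%s) || return 2
  dl_diff=$(( dl_exp - ${2:-$(date -u +%s)} ))
  [ "$dl_diff" -ge 0 ] || dl_diff=$(( dl_diff - 86399 ))
  echo $(( dl_diff / 86400 ))
}

# check_loopback_cert WARN_DAYS [NOW_EPOCH]: reads curl -v output on stdin.
# Returns 0 if at least WARN_DAYS remain, 1 if expired or expiring, 2 if unparsable.
check_loopback_cert() {
  cl_expire=$(parse_expire_date)
  [ -n "$cl_expire" ] || { echo "UNKNOWN: no expire date found" >&2; return 2; }
  cl_days=$(days_left "$cl_expire" ${2:+"$2"}) || return 2
  if [ "$cl_days" -lt 0 ]; then
    echo "EXPIRED: $cl_expire"; return 1
  elif [ "$cl_days" -lt "$1" ]; then
    echo "WARN: $cl_days days left ($cl_expire)"; return 1
  fi
  echo "OK: $cl_days days left ($cl_expire)"
}

# On a master node: fetch_loopback_tls_info | check_loopback_cert 30
```

The optional second argument fixes "now" as a Unix epoch so the check can be exercised against saved output.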

### Solutions

Log in to each master node in turn and restart the `kube-apiserver` service (`systemctl restart kube-apiserver`). The restart will not affect online business. Notes:
1. Do not carry out business releases, changes, etc. during the restart.
2. Restart the masters one at a time. Do not restart two or more masters at the same time.

> Managed UK8S users cannot restart apiserver by themselves. Please contact the UK8S team.
