I finished the challenge, but had to get some help on troubleshooting the api-server issue.
What I still don’t understand is, how do you figure out that the `--client-ca-file` value is wrong? Or do you just go through the whole config file and check if all the parameters are correct?
I didn’t see any errors anywhere that indicated an issue with the certificate.
Hi @steven001
Inspecting the arguments manually is one way; however, the API server will have logged the issue as it crashes.
Here’s how to debug API server not starting:
# How to Diagnose a Crashed API Server
The API server pod won't come back up - HELP :scream: :scream: :scream:
Perhaps you've made a manifest edit, or perhaps some question has put you into a context where the API server is already broken. You're using `docker ps` or `crictl ps` and see the API server flash up briefly then go away. The container doesn't last long enough for you to grab an ID to pull logs from. Or maybe it never appears in the `ps` output.
Note that these techniques can be used for the other static pods like `etcd` by looking for `etcd` instead of `apiserver` in the commands below.
Steps to take
1. Restart `kubelet` so you don't have to wait too long in the following steps
```
systemctl restart kubelet
```
1. Determine if the kubelet can even start the API server
If there is a syntax error in the YAML manifest, then kubelet will not be able to parse it and will eventually complain. Do the following and watch the output for up to 60 seconds. Note that if you have errors in your pod manifest, kubelet will report them exactly the same way using the [same kind of error messages](./yaml-faq.md#dealing-with-errors) that kubectl does!
```
journalctl -fu kubelet | grep apiserver
```
1 Like
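A scripted version of the manual argument inspection mentioned in the reply, as an added example that is not part of the original thread or the linked guide: it lists every flag in a static pod manifest whose value is an absolute path that does not exist. The function names, the sample manifest and the `ca-authority.crt` filename are constructed, and it assumes (as with kubeadm defaults) that the paths in the manifest are mounted from the same location on the host.

```shell
#!/usr/bin/env bash
# Added example: report manifest flags that point at files which do not exist.

# check_manifest_paths MANIFEST [ROOT]
# Prints "--flag=/path" for each flag whose value is an absolute path missing
# under ROOT (default: the real filesystem). Returns 1 if any are missing.
check_manifest_paths() {
  manifest=$1
  root=${2:-}
  # Static pod manifests list flags as YAML items: "    - --flag=/some/path".
  # Only values starting with "/" are treated as file paths (assumption).
  bad=$(sed -n 's|^[[:space:]]*-[[:space:]]*\(--[a-z0-9-]*=/.*\)$|\1|p' "$manifest" |
    while IFS= read -r arg; do
      path=${arg#*=}
      [ -e "$root$path" ] || printf '%s\n' "$arg"
    done)
  [ -z "$bad" ] && return 0
  printf '%s\n' "$bad"
  return 1
}

# make_sample DIR: constructed manifest plus a fake root directory in which
# only one of the two referenced certificate files exists.
make_sample() {
  mkdir -p "$1/root/etc/kubernetes/pki"
  : > "$1/root/etc/kubernetes/pki/apiserver.crt"
  cat > "$1/kube-apiserver.yaml" <<'EOF'
spec:
  containers:
  - command:
    - kube-apiserver
    - --client-ca-file=/etc/kubernetes/pki/ca-authority.crt
    - --etcd-servers=https://127.0.0.1:2379
    - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
EOF
}

# Demonstration on the constructed sample; prints the one broken flag.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
check_manifest_paths "$demo_dir/kube-apiserver.yaml" "$demo_dir/root" || true
rm -rf "$demo_dir"
```

On a kubeadm control-plane node the call would be `check_manifest_paths /etc/kubernetes/manifests/kube-apiserver.yaml`. Treat a hit as a lead to verify, since flags that name output files (for example `--audit-log-path`) can point at paths that do not exist yet.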