# Certificate Generation Fails Since Host CA Validity Is Less Than The Amount Of TTL With Which Certif

## Problem

Facing issues with node converging to the cluster resulting in complete outage the nodes which are rebooted/stack restarted.

{% tabs %}
{% tab title="Nodelet log" %}

```javascript
[2022-03-21 17:47:05] KeyError: 'data'
[2022-03-21 17:47:05] Error loading file /tmp/authbs-certs.tTAf/flannel/etcd/ca.crt
[2022-03-21 17:47:05] Certificate is not signed by CA
[2022-03-21 17:47:05] Cert missed in this round: flannel/etcd
[2022-03-21 17:47:05] Retrying again internally
```

{% endtab %}
{% endtabs %}

{% tabs %}
{% tab title="Host CA cert expiry info" %}

```javascript
/tmp/authbs-certs.NqWH/admin# cat request.json
{"errors":["cannot satisfy request, as TTL would result in notAfter 2025-03-20T17:52:08.088914479Z that is beyond the expiration of the CA certificate at 2025-03-02T13:59:50Z"]}

/tmp/authbs-certs.NqWH/admin# pwd
/tmp/authbs-certs.NqWH/admin
```

{% endtab %}
{% endtabs %}

Error seen while onboarding node:

{% tabs %}
{% tab title="While executing prep-node" %}

```javascript
2023-09-28T04:44:29.8181Z DEBUG Unable to prep node: Error: Unable to install hostagent. error while running installer script: HOST_CERTS_SCRIPT_FAILED

/opt/pf9/hostagent/bin/host-certs.py\", line 113, in <module><br> sys.exit(main())<br> File \"/opt/pf9/hostagent/bin/host-certs.py\", line 110, in main<br> return args.func(args)<br> File \"/opt/pf9/hostagent/bin/host-certs.py\", line 31, in _refresh<br> cert, ca = vouch.sign_csr(csr, args.common_name)<br> File \"/opt/pf9/hostagent/lib/python3.9/site-packages/bbslave/certs.py\", line 72, in sign_csr<br> resp.raise_for_status()<br> File \"/opt/pf9/hostagent/lib/python3.9/site-packages/requests/models.py\", line 1021, in raise_for_status<br> raise HTTPError(http_error_msg, response=self)<br>requests.exceptions.HTTPError: 400 Client Error: Bad Request for url: https://DU-FQDN/vouch/v1/sign/cert<br>"}
```

{% endtab %}
{% endtabs %}

## Environment

* Platform9 Managed Kubernetes - v5.6 and Higher.

## Solution

This is a know issue, and is resolved in the PMK version in v5.6.9, v5.7.3 and 5.9.1.

## Additional Information

If the issue is observed in any of the unsupported PMK versions, please open a support ticket mentioning the related jira PMK-4582.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://platform9.com/kb/pmk/frequently-asked-questions/certificate-generation-fails-since-host-ca-validity-is-less-than.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.