dapr mtls renew-certificate -k --valid-until <days> --restart did not restart statefulsets/dapr-scheduler-server #1574

@ithings-yill

Description

  1. dapr -v
    CLI version: 1.16.5
    Runtime version: n/a

  2. dapr mtls renew-certificate -k --valid-until --restart
    ⌛ Starting certificate rotation
    ℹ️ generating fresh certificates
    ℹ️ Updating certifcates in your Kubernetes cluster
    ℹ️ Dapr control plane version 1.16.3 detected in namespace dapr-system
    ✅ Certificate rotation is successful! Your new certicate is valid through Sat, 27 Nov 2026 03:27:23 UTC
    ℹ️ Restarting statefulsets/dapr-placement-server..
    ℹ️ Restarting deploy/dapr-sidecar-injector..
    ℹ️ Restarting deploy/dapr-operator..
    ℹ️ Restarting deploy/dapr-sentry..
    ✅ All control plane services have restarted successfully!

  3. kubectl rollout restart deploy/myapp
    The sidecar cannot be started, error: Failed to connect to scheduler host: failed to watch scheduler hosts: rpc error: code = Unavailable desc = connection error: desc = "transport: authentication handshake failed: x509svid: could not verify leaf certificate: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "cluster.local")" scope=dapr.runtime.scheduler.watchhosts type=log ver=1.16.3

  4. After manually restarting statefulsets/dapr-scheduler-server, the sidecar started normally.
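
A post-rotation check for the gap reported above, as an added example that is not part of the original issue or of the Dapr project: it scans saved `renew-certificate --restart` output for control-plane workloads that were never reported as restarted and prints the manual restart for each. The expected workload list, the `DAPR_NS` variable and the function names are assumptions; the sample output is constructed from the restart lines in the report.

```shell
#!/bin/sh
# Added example, not Dapr project code.
# Assumption: workloads that must pick up the new trust bundle. The first four
# appear in the reported CLI output; the scheduler is the one restarted by hand.
EXPECTED="statefulsets/dapr-placement-server
deploy/dapr-sidecar-injector
deploy/dapr-operator
deploy/dapr-sentry
statefulsets/dapr-scheduler-server"

DAPR_NS="${DAPR_NS:-dapr-system}"   # namespace shown in the report

# Read CLI output on stdin; print each expected workload that has no
# "Restarting <workload>.." line.
missing_restarts() {
    restarted=$(awk '{ for (i = 1; i < NF; i++) if ($i == "Restarting") {
                         w = $(i + 1); sub(/\.+$/, "", w); print w } }')
    printf '%s\n' "$EXPECTED" | while IFS= read -r w; do
        printf '%s\n' "$restarted" | grep -Fqx -- "$w" || printf '%s\n' "$w"
    done
}

# Read CLI output on stdin; print (do not run) the manual restart for each
# workload the CLI skipped.
restart_commands() {
    missing_restarts | while IFS= read -r w; do
        printf 'kubectl rollout restart -n %s %s\n' "$DAPR_NS" "$w"
    done
}

# Constructed sample: the restart lines from the report above.
SAMPLE="Restarting statefulsets/dapr-placement-server..
Restarting deploy/dapr-sidecar-injector..
Restarting deploy/dapr-operator..
Restarting deploy/dapr-sentry.."

printf '%s\n' "$SAMPLE" | restart_commands
```

Pipe the real CLI output into `restart_commands` after a rotation; an empty result means every workload in `EXPECTED` was reported as restarted.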

Labels: kind/bug (Something isn't working)
