OKD 4.20 certificate problem

[mashraf987]

i have installed OKD 4.20 on 3 master's and 2 workers
but after installing i found the certificate validate for 1 day, now i can't renew it or reinstall it with custom certificate, so please if anyone can help i appreciated.
[root@okd-services ]# export KUBECONFIG=/install_dir/auth/kubeconfig
[root@okd-services ~]# oc get nodes
Unable to connect to the server: tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kube-apiserver-lb-signer")
[root@okd-services ~]# oc --insecure-skip-tls-verify=true --kubeconfig=/root/install_dir/install_dir/auth/kubeconfig get nodes
NAME STATUS ROLES AGE VERSION
master1 Ready control-plane,master 110m v1.33.2
master2 Ready control-plane,master 110m v1.33.2
master3 Ready control-plane,master 110m v1.33.2

[root@okd-services install_dir]# oc --insecure-skip-tls-verify=true --kubeconfig=/root/install_dir/install_dir/auth/kubeconfig get secret -n openshift-kube-apiserver-operator loadbalancer-serving-signer -o jsonpath='{.data.tls.crt}' | base64 -d | openssl x509 -noout -dates notBefore=Oct 20 11:03:10 2025 GMT notAfter=Oct 18 11:03:10 2035 GMT [root@okd-services install_dir]#

[titou10titou10]

The certificates used for install are valid for 24h from the time the ignition files are generated. So you have 24h- to install the cluster or regenerate the ignition files
Depending on the way you install, you may have to manually approve certs:

oc get csr
oc adm certificate approve...

Ref: 24 hour

Important

The Ignition config files that the installation program generates contain certificates that expire after 24 hours, which are then renewed at that time. If the cluster is shut down before renewing the certificates and the cluster is later restarted after the 24 hours have elapsed, the cluster automatically recovers the expired certificates. The exception is that you must manually approve the pending node-bootstrapper certificate signing requests (CSRs) to recover kubelet certificates. See the documentation for Recovering from expired control plane certificates for more information.
Consider using Ignition config files within 12 hours after they are generated, because the 24-hour certificate rotates from 16 to 22 hours after the cluster is installed. By using the Ignition config files within 12 hours, you can avoid installation failure if the certificate update runs during installation.

After install, you have to keep your cluster running for 24h+ so the certificates are rotated/renewed and everything is fine.
Are you in this situation?