Bug 1275176
| Field | Value |
|---|---|
| Summary | [RFE] allow setting certificate validity period |
| Product | OpenShift Container Platform |
| Reporter | Evgheni Dereveanchin <ederevea> |
| Component | RFE |
| Assignee | Andrew Butcher <abutcher> |
| Status | CLOSED ERRATA |
| QA Contact | Gaoyun Pei <gpei> |
| Severity | urgent |
| Docs Contact | |
| Priority | high |
| Version | 3.0.0 |
| CC | aos-bugs, erich, gpei, javier.ramirez, jialiu, jkaur, jokerman, mmccomas, myllynen, pep, sdodson, sjr, szobair, tkimura, vsemushi |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | Enhancement |
| Story Points | --- |
| Clone Of | |
| | 1397958 (view as bug list) |
| Environment | |
| Last Closed | 2017-08-10 05:15:47 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 1267746, 1397958 |

Doc Text:

OpenShift Ansible now provides variables for controlling the OpenShift and etcd certificate validity period.

# CA, node and master certificate expiry
openshift_ca_cert_expire_days=1825
openshift_node_cert_expire_days=730
openshift_master_cert_expire_days=730
# Registry certificate expiry
openshift_hosted_registry_cert_expire_days=730
# Etcd CA, peer, server and client certificate expiry
etcd_ca_default_days=1825
Description
Evgheni Dereveanchin
2015-10-26 08:33:28 UTC
The trello card that is tracking this: https://trello.com/c/de9h5mA4/829-3-allow-configuration-of-expiration-date-for-generated-certs

(In reply to Evgheni Dereveanchin from comment #0)
> This request is to add a configuration to set validity during install, and to
> also add such an option to the "oadm ca" utility.

The "oadm ca" utility was modified to support the --expire-days/--signer-expire-days options. For the installation, I believe, it's better to open a new request.

PR that allows setting the certificate validity period during installation: https://github.com/openshift/openshift-ansible/pull/3581

Support for the following variables has been added:
- openshift_hosted_registry_cert_expire_days
- openshift_ca_cert_expire_days
- openshift_node_cert_expire_days
- openshift_master_cert_expire_days (this parameter also affects etcd's certificate in embedded mode)

They will take effect only during installation of OpenShift 1.5/3.5 (because they depend on the new --expire-days/--signer-expire-days options).

Slava, will those new variables also be applied when redeploying certificates?

> Slava, will those new variables also be applied when redeploying certificates?

Yes, they will.
Changes made in https://github.com/openshift/openshift-ansible/pull/3581

# CA, node and master certificate expiry
openshift_ca_cert_expire_days=1825
openshift_node_cert_expire_days=730
openshift_master_cert_expire_days=730
# Registry certificate expiry
openshift_hosted_registry_cert_expire_days=730
# Etcd CA, peer, server and client certificate expiry
etcd_ca_default_days=1825

It's in 3.6.0 and in the current 3.5 errata too.

Verify this bug with openshift-ansible-3.6.133-1.git.0.950bb48.el7.noarch.

1. For fresh ocp-3.6 installation

Set the following options in the ansible inventory file:

openshift_ca_cert_expire_days=3650 #10 years
openshift_node_cert_expire_days=1095 #3 years
openshift_master_cert_expire_days=1460 #4 years
openshift_hosted_registry_cert_expire_days=1825 #5 years
etcd_ca_default_days=2920 #8 years

After installation, check the validity date of the certs.

On master:

[root@qe-gpei-etcd-sc-master-1 master]# pwd
/etc/origin/master
[root@qe-gpei-etcd-sc-master-1 master]# for i in `ls *.crt`; do echo $i && openssl x509 -in $i -dates -noout && echo ''; done
admin.crt
notBefore=Jul 5 02:50:01 2017 GMT
notAfter=Jul 4 02:50:02 2021 GMT

ca-bundle.crt
notBefore=Jul 5 02:49:59 2017 GMT
notAfter=Jul 3 02:50:00 2027 GMT

ca.crt
notBefore=Jul 5 02:49:59 2017 GMT
notAfter=Jul 3 02:50:00 2027 GMT

etcd.server.crt
notBefore=Jul 5 02:50:02 2017 GMT
notAfter=Jul 4 02:50:03 2021 GMT

master.etcd-ca.crt
notBefore=Jul 5 02:47:25 2017 GMT
notAfter=Jul 3 02:47:25 2025 GMT

master.etcd-client.crt
notBefore=Jul 5 02:50:28 2017 GMT
notAfter=Jul 3 02:50:28 2025 GMT

master.kubelet-client.crt
notBefore=Jul 5 02:50:01 2017 GMT
notAfter=Jul 4 02:50:02 2021 GMT

master.proxy-client.crt
notBefore=Jul 5 02:50:02 2017 GMT
notAfter=Jul 4 02:50:03 2021 GMT

master.server.crt
notBefore=Jul 5 02:50:01 2017 GMT
notAfter=Jul 4 02:50:02 2021 GMT

openshift-master.crt
notBefore=Jul 5 02:50:00 2017 GMT
notAfter=Jul 4 02:50:01 2021 GMT

registry.crt
notBefore=Jul 5 03:02:06 2017 GMT
notAfter=Jul 4 03:02:07 2022 GMT

service-signer.crt
notBefore=Jul 5 02:50:00 2017 GMT
notAfter=Jul 3 02:50:01 2027 GMT

On node:

[root@qe-gpei-etcd-sc-node-registry-router-1 node]# pwd
/etc/origin/node
[root@qe-gpei-etcd-sc-node-registry-router-1 node]# for i in `ls *.crt`; do echo $i && openssl x509 -in $i -dates -noout && echo ''; done
ca.crt
notBefore=Jul 5 02:49:59 2017 GMT
notAfter=Jul 3 02:50:00 2027 GMT

server.crt
notBefore=Jul 5 02:56:43 2017 GMT
notAfter=Jul 4 02:56:44 2020 GMT

system:node:qe-gpei-etcd-sc-node-registry-router-1.crt
notBefore=Jul 5 02:56:41 2017 GMT
notAfter=Jul 4 02:56:42 2020 GMT

On etcd:

[root@qe-gpei-etcd-sc-etcd-1 etcd]# pwd
/etc/etcd
[root@qe-gpei-etcd-sc-etcd-1 etcd]# for i in `ls *.crt`; do echo $i && openssl x509 -in $i -dates -noout && echo ''; done
ca.crt
notBefore=Jul 5 02:47:25 2017 GMT
notAfter=Jul 3 02:47:25 2025 GMT

peer.crt
notBefore=Jul 5 02:47:31 2017 GMT
notAfter=Jul 3 02:47:31 2025 GMT

server.crt
notBefore=Jul 5 02:47:30 2017 GMT
notAfter=Jul 3 02:47:30 2025 GMT

The certs all have an expected validity date.

2. Run the cert redeploy playbooks against this env.

Change the expire days to 365:

openshift_ca_cert_expire_days=365
openshift_node_cert_expire_days=365
openshift_master_cert_expire_days=365
openshift_hosted_registry_cert_expire_days=365
etcd_ca_default_days=365

Run the following cert redeploy playbooks:

/usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-openshift-ca.yml
/usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-etcd-ca.yml
/usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-certificates.yml

After redeployment finished, check the validity date of the certs.

On master:

[root@qe-gpei-etcd-sc-master-1 master]# for i in `ls *.crt`; do echo $i && openssl x509 -in $i -dates -noout && echo ''; done
admin.crt
notBefore=Jul 5 07:58:24 2017 GMT
notAfter=Jul 5 07:58:25 2018 GMT

ca-bundle.crt
notBefore=Jul 5 08:08:41 2017 GMT
notAfter=Jul 5 08:08:42 2018 GMT

ca.crt
notBefore=Jul 5 08:08:41 2017 GMT
notAfter=Jul 5 08:08:42 2018 GMT

etcd.server.crt
notBefore=Jul 5 07:58:23 2017 GMT
notAfter=Jul 5 07:58:24 2018 GMT

master.etcd-ca.crt
notBefore=Jul 5 08:22:56 2017 GMT
notAfter=Jul 5 08:22:56 2018 GMT

master.etcd-client.crt
notBefore=Jul 5 07:56:11 2017 GMT
notAfter=Jul 3 07:56:11 2025 GMT

master.kubelet-client.crt
notBefore=Jul 5 07:58:23 2017 GMT
notAfter=Jul 5 07:58:24 2018 GMT

master.proxy-client.crt
notBefore=Jul 5 07:58:22 2017 GMT
notAfter=Jul 5 07:58:23 2018 GMT

master.server.crt
notBefore=Jul 5 07:58:22 2017 GMT
notAfter=Jul 5 07:58:23 2018 GMT

openshift-master.crt
notBefore=Jul 5 07:58:23 2017 GMT
notAfter=Jul 5 07:58:24 2018 GMT

registry.crt
notBefore=Jul 5 08:01:50 2017 GMT
notAfter=Jul 5 08:01:51 2018 GMT

service-signer.crt
notBefore=Jul 5 07:58:22 2017 GMT
notAfter=Jul 5 07:58:23 2018 GMT

On node:

[root@qe-gpei-etcd-sc-node-registry-router-1 node]# for i in `ls *.crt`; do echo $i && openssl x509 -in $i -dates -noout && echo ''; done
ca.crt
notBefore=Jul 5 08:08:41 2017 GMT
notAfter=Jul 5 08:08:42 2018 GMT

server.crt
notBefore=Jul 5 07:59:02 2017 GMT
notAfter=Jul 5 07:59:03 2018 GMT

system:node:qe-gpei-etcd-sc-node-registry-router-1.crt
notBefore=Jul 5 07:58:58 2017 GMT
notAfter=Jul 5 07:58:59 2018 GMT

On etcd:

[root@qe-gpei-etcd-sc-etcd-1 etcd]# for i in `ls *.crt`; do echo $i && openssl x509 -in $i -dates -noout && echo ''; done
ca.crt
notBefore=Jul 5 08:22:56 2017 GMT
notAfter=Jul 5 08:22:56 2018 GMT

peer.crt
notBefore=Jul 5 08:42:56 2017 GMT
notAfter=Jul 5 08:42:56 2018 GMT

server.crt
notBefore=Jul 5 08:42:54 2017 GMT
notAfter=Jul 5 08:42:54 2018 GMT

The certs all have an expected validity date.
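The verification above compares each certificate's notBefore/notAfter against the inventory by eye. As an added example (not code from this bug report or from openshift-ansible), the following Python script parses the output of the same `openssl x509 -dates -noout` loop, computes each certificate's validity in whole days and checks it against the number of days configured in the inventory, so a variable that was not honoured, or a certificate that a redeploy left untouched, shows up as a mismatch instead of being missed in a long listing. The sample loop output, the `stale.crt` entry and the mapping from file name to inventory variable are constructed for this example.

```python
import re
from datetime import datetime, timezone

# Constructed sample of the loop output used in the verification:
#   for i in `ls *.crt`; do echo $i && openssl x509 -in $i -dates -noout && echo ''; done
# (openssl pads single-digit days with two spaces; real output looks like this).
SAMPLE_OUTPUT = """\
admin.crt
notBefore=Jul  5 02:50:01 2017 GMT
notAfter=Jul  4 02:50:02 2021 GMT

ca.crt
notBefore=Jul  5 02:49:59 2017 GMT
notAfter=Jul  3 02:50:00 2027 GMT

master.etcd-ca.crt
notBefore=Jul  5 02:47:25 2017 GMT
notAfter=Jul  3 02:47:25 2025 GMT

registry.crt
notBefore=Jul  5 03:02:06 2017 GMT
notAfter=Jul  4 03:02:07 2022 GMT

stale.crt
notBefore=Jul  5 02:50:00 2017 GMT
notAfter=Jul  5 02:50:01 2018 GMT
"""

# Expected validity per file, in days. Which inventory variable governs which file
# is an assumption made for this example; adjust it to the cluster's own layout.
EXPECTED_DAYS = {
    "admin.crt": 1460,           # openshift_master_cert_expire_days
    "ca.crt": 3650,              # openshift_ca_cert_expire_days
    "master.etcd-ca.crt": 2920,  # etcd_ca_default_days
    "registry.crt": 1825,        # openshift_hosted_registry_cert_expire_days
    "stale.crt": 1460,           # constructed: a cert that was never reissued
}

DATE_FMT = "%b %d %H:%M:%S %Y %Z"


def parse_openssl_date(text):
    """Parse 'Jul  5 02:50:01 2017 GMT' (openssl -dates format) into an aware UTC datetime."""
    normalized = " ".join(text.split())  # collapse openssl's day padding
    return datetime.strptime(normalized, DATE_FMT).replace(tzinfo=timezone.utc)


def parse_dates_output(text):
    """Return {cert_file: (not_before, not_after)} from the loop output."""
    dates = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.fullmatch(r"(notBefore|notAfter)=(.+)", line)
        if m is None:
            current = line  # a bare line is the file name echoed by the loop
            dates[current] = {}
            continue
        if current is None:
            raise ValueError("date line before any certificate name: %r" % line)
        dates[current][m.group(1)] = parse_openssl_date(m.group(2))
    result = {}
    for name, d in dates.items():
        if "notBefore" not in d or "notAfter" not in d:
            raise ValueError("incomplete dates for %s" % name)
        result[name] = (d["notBefore"], d["notAfter"])
    return result


def validity_days(not_before, not_after):
    """Validity period in whole days; the one-second skew in the issued certs is rounded away."""
    return round((not_after - not_before).total_seconds() / 86400)


def check_validity(text, expected, tolerance_days=1):
    """Map each cert to (actual_days, expected_days, ok); files missing from `expected` are not ok."""
    report = {}
    for name, (nb, na) in parse_dates_output(text).items():
        actual = validity_days(nb, na)
        want = expected.get(name)
        ok = want is not None and abs(actual - want) <= tolerance_days
        report[name] = (actual, want, ok)
    return report


def mismatches(text, expected):
    """Sorted names of certificates whose validity does not match the inventory."""
    return sorted(n for n, (_, _, ok) in check_validity(text, expected).items() if not ok)


if __name__ == "__main__":
    for name, (actual, want, ok) in check_validity(SAMPLE_OUTPUT, EXPECTED_DAYS).items():
        print("%-22s actual=%5d expected=%s %s" % (name, actual, want, "OK" if ok else "MISMATCH"))
```

Pipe the real loop output into `parse_dates_output` (for example by reading it from a file) and run it once per host directory listed above; a cert reported as MISMATCH after a redeploy is one worth examining before assuming the new expiry values were applied everywhere.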
"qa_ack" flag is already set, clear "needinfo" flag

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1716