Bug 1275648

Summary: Tooling for certificate maintenance
Product: OpenShift Container Platform
Reporter: Josep 'Pep' Turro Mauri <pep>
Component: RFE
Assignee: Andrew Butcher <abutcher>
Status: CLOSED ERRATA
QA Contact: Gaoyun Pei <gpei>
Severity: urgent
Docs Contact:
Priority: urgent
Version: 3.0.0
CC: adellape, aleksandar.lazic, aos-bugs, bleanhar, bvincell, clichybi, erich, fweimer, gpei, javier.ramirez, jdetiber, jkaur, jokerman, misalunk, mmccomas, pep, rhowe, stwalter
Target Milestone: ---
Flags: jdetiber: needinfo-
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Administrators can now back up and redeploy cluster certificates using the following Ansible playbook:

  $ ansible-playbook -i <inventory_file> \
      /usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-certificates.yml

By default, the playbook retains the current OpenShift Enterprise CA. To replace the CA with a generated or custom CA:

  $ ansible-playbook -i <inventory_file> \
      /usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-certificates.yml \
      --extra-vars "openshift_certificates_redeploy_ca=true"

Story Points: ---
Clone Of:
: 1387719
Environment:
Last Closed: 2016-08-18 19:27:59 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1267746, 1387719

Description Josep 'Pep' Turro Mauri 2015-10-27 12:29:43 UTC
As a user I want to be able to fix common certificate errors:

* installer detected the wrong hostnames and the user caught it too late
* certificates are expired and we just want to update them.

This is a spin-off from bug 1269070 to track this additional functionality.

Upstream reference:
https://trello.com/c/NsT6f1HL/38-oo-install-support-for-redeploying-certificates

Comment 17 Javier Ramirez 2016-06-15 10:18:13 UTC
Do we have any update on this? Any estimate for the fix and/or any known workaround?

Comment 18 Jaspreet Kaur 2016-06-15 11:15:52 UTC
Yes,

Do we have any workaround as of now if the certificates get corrupted anyhow, or do we need to correct them?

Regards,
Jaspreet

Comment 19 Brenton Leanhardt 2016-06-15 11:37:26 UTC
This is still planned for 3.3.  The card is in progress now.

Comment 20 Josep 'Pep' Turro Mauri 2016-06-15 11:52:55 UTC
While we wait for the automated tooling: there are some manual steps in the upstream (Origin) docs about updating certificates:

https://docs.openshift.org/latest/install_config/upgrading/manual_upgrades.html#manual-updating-master-and-node-certificates

I'm not fully sure if they are complete/accurate for OSE; I have not had time to review them, but they should be at least a reference for the manual work involved.

Comment 25 Scott Dodson 2016-08-11 12:59:41 UTC
https://github.com/openshift/openshift-ansible/pull/1142 aims to address this.

Comment 27 Gaoyun Pei 2016-08-15 05:43:13 UTC
Verified this bug with openshift-ansible-3.2.22-1.git.0.7961a61.el7.noarch

1) Run 'ansible-playbook -i ansible_inventory /usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-certificates.yml'

The certificates of etcd/master/node are backed up and redeployed. CA files are retained.


2) Run 'ansible-playbook -i ansible_inventory /usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-certificates.yml --extra-vars "openshift_certificates_redeploy_ca=true" '

The certificates of etcd/master/node are backed up and redeployed. CA files are also removed and regenerated by openshift-ansible.


3) With the following options additionally set in ansible_inventory:
openshift_master_ca_certificate={'certfile': '/root/custom_ca/ca.crt', 'keyfile': '/root/custom_ca/ca.key'}
openshift_certificates_redeploy_ca=true
run 'ansible-playbook -i ansible_inventory /usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-certificates.yml'

The certificates of etcd/master/node are backed up and redeployed. CA files are also removed and deployed from the custom files.


In all the mentioned cases, etcd, masters and nodes are working well after cert redeployment. All the services are in normal status, nodes are available as before, and sti-build testing is successful.
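The two failure modes named in the description (installer picked the wrong hostnames; certificates expired) are what an administrator wants to confirm on each certificate file before deciding to run redeploy-certificates.yml, and again after it has run. The following is an added example, not code from the bug report or from openshift-ansible; it assumes an openssl binary, and the certificate path and hostname in the usage line are assumptions to be replaced with your own cluster's values.

```shell
#!/bin/sh
# Added example (not from the bug report or openshift-ansible): sanity-check
# a certificate file before and after redeploy-certificates.yml runs.
# It tests the two failure modes named in the bug: a cert that is expired
# (or about to), and a cert whose SAN list lacks the hostname it serves.
# Usage: check_cert /etc/origin/master/master.server.crt master.example.com 30
# (the path and hostname are assumptions; substitute your own)
set -u

# cert_expires_within FILE DAYS -> exit 0 if the cert expires within DAYS days
cert_expires_within() {
    # openssl exits 0 when the cert will still be valid after the window
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# cert_has_dns_san FILE HOST -> exit 0 if HOST appears as a DNS SAN entry
cert_has_dns_san() {
    openssl x509 -in "$1" -noout -text \
      | sed -n '/Subject Alternative Name/{n;p;}' \
      | tr ',' '\n' | sed 's/^[[:space:]]*//' \
      | grep -qxF "DNS:$2"
}

# check_cert FILE HOST MIN_DAYS -> exit 0 only when both checks pass
check_cert() {
    rc=0
    if cert_expires_within "$1" "$3"; then
        echo "FAIL $1: expires within $3 days, redeploy needed" >&2; rc=1
    fi
    if ! cert_has_dns_san "$1" "$2"; then
        echo "FAIL $1: no DNS SAN for $2 (installer used the wrong hostname?)" >&2; rc=1
    fi
    return $rc
}

# make_test_cert DIR CN DAYS SAN_HOST: constructed self-signed cert so the
# checks can be exercised offline, without touching a real cluster
make_test_cert() {
    printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = %s\n[v3]\nsubjectAltName = DNS:%s\n' \
        "$2" "$4" > "$1/san.cnf"
    openssl req -x509 -new -nodes -newkey rsa:2048 -days "$3" \
        -subj "/CN=$2" -config "$1/san.cnf" -extensions v3 \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}
```

Run check_cert against the master, node and etcd certificate files on each host; a non-zero exit on any of them is the cue to run the playbook, and a clean pass afterwards confirms the redeploy produced certificates with the right hostnames and a fresh validity window.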

Comment 29 errata-xmlrpc 2016-08-18 19:27:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1639