Bug 1810420
| Summary: | [4.3] "You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert" on FIPS enabled cluster after upgrade | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Maru Newby <mnewby> |
| Component: | service-ca | Assignee: | Maru Newby <mnewby> |
| Status: | CLOSED ERRATA | QA Contact: | scheng |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | | |
| Version: | 4.3.0 | CC: | aos-bugs, juzhao, liyao, lmohanty, mfojtik, mnewby, slaznick, wking, wsun |
| Target Milestone: | --- | Keywords: | Regression, Upgrades |
| Target Release: | 4.3.z | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | 1810418 | | |
| : | 1810421 | Environment: | |
| Last Closed: | 2020-03-24 14:34:26 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1810418 | | |
| Bug Blocks: | 1810421 | | |

Comment 1
Lalatendu Mohanty
2020-03-18 14:31:13 UTC
Who is impacted?
All customers upgrading from to 4.3.5 that run workloads which use service-ca for certs. All customers that install fresh 4.3.5 cluster will be affected on rotation after 13 months if they don't upgrade.

What is the impact?
All workloads that use non-golang SSL network clients which use service-ca to communicate with platform or between each other (e.g. curl).

How involved is remediation?
Manual rotation of service-ca will fix the cluster for the next rotation (13 months).

Is this a regression?
Yes, this was introduced as part of the automated service-ca rotation and released on March 10 in 4.3.5.

> All customers upgrading from to 4.3.5 that run workloads which use service-ca for certs.

s/from//

(In reply to Michal Fojtik from comment #2)
> How involved is remediation?
> Manual rotation of service-ca will fix the cluster for the next rotation
> (13 months).

Can you please add the step for manual workaround. It would be useful for CEE

> Can you please add the step for manual workaround. It would be useful for CEE

https://docs.openshift.com/container-platform/4.3/authentication/certificates/service-serving-certificate.html#manually-rotate-service-ca_service-serving-certificate

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0858

Removing UpgradeBlocker from this older bug, to remove it from the suspect queue described in [1]. If you feel like this bug still needs to be a suspect, please add keyword again.

[1]: https://github.com/openshift/enhancements/pull/475