Bug 1853250

Summary: The CA root certificate has validity longer than 2 years after tls rotation
Product: OpenShift Container Platform Reporter: hongyan li <hongyli>
Component: MonitoringAssignee: Sergiusz Urbaniak <surbania>
Status: CLOSED ERRATA QA Contact: hongyan li <hongyli>
Severity: medium Docs Contact:
Priority: medium    
Version: 4.6CC: alegrand, anpicker, erooth, kakkoyun, lcosic, mloibl, pkrupa, spasquie, surbania
Target Milestone: ---   
Target Release: 4.6.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1853253 (view as bug list) Environment:
Last Closed: 2020-10-27 16:11:47 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1853253    

Description hongyan li 2020-07-02 09:09:38 UTC
Description of problem:
The CA root certificate has validity longer than 2 years after tls rotation


Version-Release number of selected component (if applicable):
 4.6.0-0.nightly-2020-06-30-020342

How reproducible:
Always

Steps to Reproduce:
1.Add the following annotation to secret grpc-tls to trigger tls rotation
 monitoring.openshift.io/grpc-tls-forced-rotate
2.check validity of root cat.crt, it's longer than 2 years
          Validity
           Not Before: Jul 2 02:34:15 2020 GMT
            Not After : Jul 2 08:16:39 2022 GMT

Actual results:


Expected results:


Additional info:

Comment 4 hongyan li 2020-07-27 08:45:44 UTC
verified with payload 4.6.0-0.nightly-2020-07-25-091217

execute the following command and get validity 
openssl crl2pkcs7 -nocrl -certfile <(oc -n openshift-monitoring get secret grpc-tls -o jsonpath='{.data.ca\.crt}' | base64 -d) | openssl pkcs7 -print_certs -noout -text

        Validity
            Not Before: Jul 26 23:29:29 2020 GMT
            Not After : Jul 26 23:29:30 2022 GMT


add annotations to secret grpc-tls to enable tls rotation
annotations:
     monitoring.openshift.io/grpc-tls-forced-rotate: "true"

execute the following command and get validity 
openssl crl2pkcs7 -nocrl -certfile <(oc -n openshift-monitoring get secret grpc-tls -o jsonpath='{.data.ca\.crt}' | base64 -d) | openssl pkcs7 -print_certs -noout -text

        Validity
            Not Before: Jul 27 08:40:59 2020 GMT
            Not After : Jul 27 08:41:00 2022 GMT

Comment 6 errata-xmlrpc 2020-10-27 16:11:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196