Bug 1853250
| Summary: | The CA root certificate has validity longer than 2 years after tls rotation | |||
|---|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | hongyan li <hongyli> | |
| Component: | Monitoring | Assignee: | Sergiusz Urbaniak <surbania> | |
| Status: | CLOSED ERRATA | QA Contact: | hongyan li <hongyli> | |
| Severity: | medium | Docs Contact: | ||
| Priority: | medium | |||
| Version: | 4.6 | CC: | alegrand, anpicker, erooth, kakkoyun, lcosic, mloibl, pkrupa, spasquie, surbania | |
| Target Milestone: | --- | |||
| Target Release: | 4.6.0 | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | ||
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1853253 (view as bug list) | Environment: | ||
| Last Closed: | 2020-10-27 16:11:47 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1853253 | |||
verified with payload 4.6.0-0.nightly-2020-07-25-091217
execute the following command and get validity
openssl crl2pkcs7 -nocrl -certfile <(oc -n openshift-monitoring get secret grpc-tls -o jsonpath='{.data.ca\.crt}' | base64 -d) | openssl pkcs7 -print_certs -noout -text
Validity
Not Before: Jul 26 23:29:29 2020 GMT
Not After : Jul 26 23:29:30 2022 GMT
add annotations to secret grpc-tls to enable tls rotation
annotations:
monitoring.openshift.io/grpc-tls-forced-rotate: "true"
execute the following command and get validity
openssl crl2pkcs7 -nocrl -certfile <(oc -n openshift-monitoring get secret grpc-tls -o jsonpath='{.data.ca\.crt}' | base64 -d) | openssl pkcs7 -print_certs -noout -text
Validity
Not Before: Jul 27 08:40:59 2020 GMT
Not After : Jul 27 08:41:00 2022 GMT
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:4196 |
Description of problem: The CA root certificate has validity longer than 2 years after tls rotation Version-Release number of selected component (if applicable): 4.6.0-0.nightly-2020-06-30-020342 How reproducible: Always Steps to Reproduce: 1.Add the following annotation to secret grpc-tls to trigger tls rotation monitoring.openshift.io/grpc-tls-forced-rotate 2.check validity of root cat.crt, it's longer than 2 years Validity Not Before: Jul 2 02:34:15 2020 GMT Not After : Jul 2 08:16:39 2022 GMT Actual results: Expected results: Additional info: