Bug 1275176 - [RFE] allow setting certificate validity period
Status: CLOSED ERRATA
Product: OpenShift Container Platform
Classification: Red Hat
Component: RFE
Version: 3.0.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: urgent
Assigned To: Andrew Butcher
QA Contact: Gaoyun Pei
Depends On:
Blocks: 1267746 1397958
Reported: 2015-10-26 04:33 EDT by Evgheni Dereveanchin
Modified: 2017-08-16 15 EDT

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
OpenShift Ansible now provides variables for controlling the OpenShift and etcd certificate validity period.

# CA, node and master certificate expiry
openshift_ca_cert_expire_days=1825
openshift_node_cert_expire_days=730
openshift_master_cert_expire_days=730

# Registry certificate expiry
openshift_hosted_registry_cert_expire_days=730

# Etcd CA, peer, server and client certificate expiry
etcd_ca_default_days=1825
Story Points: ---
Clone Of:
Clones: 1397958
Environment:
Last Closed: 2017-08-10 01:15:47 EDT
Type: Bug
Regression: ---
External Trackers:
- Red Hat Knowledge Base (Solution) 2045343
- Red Hat Product Errata RHEA-2017:1716 (priority normal, status SHIPPED_LIVE): Red Hat OpenShift Container Platform 3.6 RPM Release Advisory, last updated 2017-08-10 05:02:50 EDT

Description Evgheni Dereveanchin 2015-10-26 04:33:28 EDT
Description of request:

Currently all certificates in an OpenShift Enterprise v3 environment have a validity of 1 year, which is not always appropriate for corporate environments, considering product maintenance throughout its lifetime. This request is to add a configuration to set validity during install, and to also add such an option to the "oadm ca" utility.
Comment 6 Michal Fojtik 2016-11-08 11:16:41 EST
The trello card that is tracking this:

https://trello.com/c/de9h5mA4/829-3-allow-configuration-of-expiration-date-for-generated-certs
Comment 7 Slava Semushin 2017-02-10 09:50:11 EST
(In reply to Evgheni Dereveanchin from comment #0)
> This request is to add a configuration to set validity during install, and to
> also add such an option to the "oadm ca" utility.

The "oadm ca" utility was modified to support the --expire-days/--signer-expire-days options. For the installation, I believe it's better to open a new request.
Comment 13 Slava Semushin 2017-03-09 12:07:22 EST
PR that allows setting the certificate validity period during installation:
https://github.com/openshift/openshift-ansible/pull/3581

Support for the following variables has been added:
- openshift_hosted_registry_cert_expire_days
- openshift_ca_cert_expire_days
- openshift_node_cert_expire_days
- openshift_master_cert_expire_days (this parameter also affects etcd's certificate in embedded mode)

They will take effect only when installing OpenShift 1.5/3.5 (because they depend on the new --expire-days/--signer-expire-days options).
Comment 16 Sergi Jimenez Romero 2017-03-14 04:37:16 EDT
Slava, will those new variables also be applied when redeploying certificates?
Comment 17 Slava Semushin 2017-03-14 07:08:43 EDT
> Slava, will those new variables also be applied when redeploying certificates?

Yes, they will.
Comment 19 Andrew Butcher 2017-05-30 14:26:52 EDT
Changes made in https://github.com/openshift/openshift-ansible/pull/3581

# CA, node and master certificate expiry
openshift_ca_cert_expire_days=1825
openshift_node_cert_expire_days=730
openshift_master_cert_expire_days=730

# Registry certificate expiry
openshift_hosted_registry_cert_expire_days=730

# Etcd CA, peer, server and client certificate expiry
etcd_ca_default_days=1825
Comment 21 Scott Dodson 2017-06-28 20:31:53 EDT
It's in 3.6.0 and in the current 3.5 errata too.
Comment 23 Gaoyun Pei 2017-07-05 06:18:43 EDT
Verified this bug with openshift-ansible-3.6.133-1.git.0.950bb48.el7.noarch.

1. For a fresh ocp-3.6 installation

Set the following options in the Ansible inventory file:
openshift_ca_cert_expire_days=3650   #10 years
openshift_node_cert_expire_days=1095   #3 years 
openshift_master_cert_expire_days=1460    #4 years 
openshift_hosted_registry_cert_expire_days=1825  #5 years
etcd_ca_default_days=2920   #8 years

After installation, check the validity dates of the certs.

On master:
[root@qe-gpei-etcd-sc-master-1 master]# pwd
/etc/origin/master
[root@qe-gpei-etcd-sc-master-1 master]# for i in `ls *.crt`; do echo $i && openssl x509 -in $i -dates -noout && echo ''; done
admin.crt
notBefore=Jul  5 02:50:01 2017 GMT
notAfter=Jul  4 02:50:02 2021 GMT

ca-bundle.crt
notBefore=Jul  5 02:49:59 2017 GMT
notAfter=Jul  3 02:50:00 2027 GMT

ca.crt
notBefore=Jul  5 02:49:59 2017 GMT
notAfter=Jul  3 02:50:00 2027 GMT

etcd.server.crt
notBefore=Jul  5 02:50:02 2017 GMT
notAfter=Jul  4 02:50:03 2021 GMT

master.etcd-ca.crt
notBefore=Jul  5 02:47:25 2017 GMT
notAfter=Jul  3 02:47:25 2025 GMT

master.etcd-client.crt
notBefore=Jul  5 02:50:28 2017 GMT
notAfter=Jul  3 02:50:28 2025 GMT

master.kubelet-client.crt
notBefore=Jul  5 02:50:01 2017 GMT
notAfter=Jul  4 02:50:02 2021 GMT

master.proxy-client.crt
notBefore=Jul  5 02:50:02 2017 GMT
notAfter=Jul  4 02:50:03 2021 GMT

master.server.crt
notBefore=Jul  5 02:50:01 2017 GMT
notAfter=Jul  4 02:50:02 2021 GMT

openshift-master.crt
notBefore=Jul  5 02:50:00 2017 GMT
notAfter=Jul  4 02:50:01 2021 GMT

registry.crt
notBefore=Jul  5 03:02:06 2017 GMT
notAfter=Jul  4 03:02:07 2022 GMT

service-signer.crt
notBefore=Jul  5 02:50:00 2017 GMT
notAfter=Jul  3 02:50:01 2027 GMT


On node:
[root@qe-gpei-etcd-sc-node-registry-router-1 node]# pwd
/etc/origin/node
[root@qe-gpei-etcd-sc-node-registry-router-1 node]# for i in `ls *.crt`; do echo $i && openssl x509 -in $i -dates -noout && echo ''; done
ca.crt
notBefore=Jul  5 02:49:59 2017 GMT
notAfter=Jul  3 02:50:00 2027 GMT

server.crt
notBefore=Jul  5 02:56:43 2017 GMT
notAfter=Jul  4 02:56:44 2020 GMT

system:node:qe-gpei-etcd-sc-node-registry-router-1.crt
notBefore=Jul  5 02:56:41 2017 GMT
notAfter=Jul  4 02:56:42 2020 GMT


On etcd:
[root@qe-gpei-etcd-sc-etcd-1 etcd]# pwd
/etc/etcd
[root@qe-gpei-etcd-sc-etcd-1 etcd]# for i in `ls *.crt`; do echo $i && openssl x509 -in $i -dates -noout && echo ''; done
ca.crt
notBefore=Jul  5 02:47:25 2017 GMT
notAfter=Jul  3 02:47:25 2025 GMT

peer.crt
notBefore=Jul  5 02:47:31 2017 GMT
notAfter=Jul  3 02:47:31 2025 GMT

server.crt
notBefore=Jul  5 02:47:30 2017 GMT
notAfter=Jul  3 02:47:30 2025 GMT


The certs all have an expected validity date.


2. Run the cert redeploy playbooks against this env.
Change the expire days to 365:
openshift_ca_cert_expire_days=365
openshift_node_cert_expire_days=365
openshift_master_cert_expire_days=365
openshift_hosted_registry_cert_expire_days=365
etcd_ca_default_days=365

Run the following cert redeploy playbooks:
/usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-openshift-ca.yml
/usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-etcd-ca.yml
/usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-certificates.yml

After the redeployment finished, check the validity dates of the certs.

On master:
[root@qe-gpei-etcd-sc-master-1 master]# for i in `ls *.crt`; do echo $i && openssl x509 -in $i -dates -noout && echo ''; done
admin.crt
notBefore=Jul  5 07:58:24 2017 GMT
notAfter=Jul  5 07:58:25 2018 GMT

ca-bundle.crt
notBefore=Jul  5 08:08:41 2017 GMT
notAfter=Jul  5 08:08:42 2018 GMT

ca.crt
notBefore=Jul  5 08:08:41 2017 GMT
notAfter=Jul  5 08:08:42 2018 GMT

etcd.server.crt
notBefore=Jul  5 07:58:23 2017 GMT
notAfter=Jul  5 07:58:24 2018 GMT

master.etcd-ca.crt
notBefore=Jul  5 08:22:56 2017 GMT
notAfter=Jul  5 08:22:56 2018 GMT

master.etcd-client.crt
notBefore=Jul  5 07:56:11 2017 GMT
notAfter=Jul  3 07:56:11 2025 GMT

master.kubelet-client.crt
notBefore=Jul  5 07:58:23 2017 GMT
notAfter=Jul  5 07:58:24 2018 GMT

master.proxy-client.crt
notBefore=Jul  5 07:58:22 2017 GMT
notAfter=Jul  5 07:58:23 2018 GMT

master.server.crt
notBefore=Jul  5 07:58:22 2017 GMT
notAfter=Jul  5 07:58:23 2018 GMT

openshift-master.crt
notBefore=Jul  5 07:58:23 2017 GMT
notAfter=Jul  5 07:58:24 2018 GMT

registry.crt
notBefore=Jul  5 08:01:50 2017 GMT
notAfter=Jul  5 08:01:51 2018 GMT

service-signer.crt
notBefore=Jul  5 07:58:22 2017 GMT
notAfter=Jul  5 07:58:23 2018 GMT

On node:
[root@qe-gpei-etcd-sc-node-registry-router-1 node]# for i in `ls *.crt`; do echo $i && openssl x509 -in $i -dates -noout && echo ''; done
ca.crt
notBefore=Jul  5 08:08:41 2017 GMT
notAfter=Jul  5 08:08:42 2018 GMT

server.crt
notBefore=Jul  5 07:59:02 2017 GMT
notAfter=Jul  5 07:59:03 2018 GMT

system:node:qe-gpei-etcd-sc-node-registry-router-1.crt
notBefore=Jul  5 07:58:58 2017 GMT
notAfter=Jul  5 07:58:59 2018 GMT


On etcd:
[root@qe-gpei-etcd-sc-etcd-1 etcd]# for i in `ls *.crt`; do echo $i && openssl x509 -in $i -dates -noout && echo ''; done
ca.crt
notBefore=Jul  5 08:22:56 2017 GMT
notAfter=Jul  5 08:22:56 2018 GMT

peer.crt
notBefore=Jul  5 08:42:56 2017 GMT
notAfter=Jul  5 08:42:56 2018 GMT

server.crt
notBefore=Jul  5 08:42:54 2017 GMT
notAfter=Jul  5 08:42:54 2018 GMT

The certs all have an expected validity date.
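As an added example (not part of this bug or of openshift-ansible), the following Python check parses the `openssl x509 -dates -noout` listing used in the verification above and compares each certificate's issued validity in days with the value the inventory asked for; the sample listing is constructed from a subset of the post-redeploy master output, and the file-to-variable mapping is an assumption inferred from that output.

```python
from datetime import datetime

# Constructed sample (subset of the post-redeploy master listing above): output of
# `for i in *.crt; do echo $i; openssl x509 -in $i -dates -noout; done`
SAMPLE_OUTPUT = """\
ca.crt
notBefore=Jul  5 08:08:41 2017 GMT
notAfter=Jul  5 08:08:42 2018 GMT

master.server.crt
notBefore=Jul  5 07:58:22 2017 GMT
notAfter=Jul  5 07:58:23 2018 GMT

master.etcd-client.crt
notBefore=Jul  5 07:56:11 2017 GMT
notAfter=Jul  3 07:56:11 2025 GMT
"""

# Expected days after the 365-day redeploy; the file-to-variable mapping is an
# assumption inferred from the listing above, not openshift-ansible's own table.
EXPECTED_DAYS = {
    "ca.crt": 365,                  # openshift_ca_cert_expire_days
    "master.server.crt": 365,       # openshift_master_cert_expire_days
    "master.etcd-client.crt": 365,  # etcd_ca_default_days
}

def parse_cert_dates(output):
    """Parse the listing into {file: {"notBefore": datetime, "notAfter": datetime}}."""
    certs, current = {}, None
    for line in output.splitlines():
        line = line.strip()
        if line.endswith(".crt"):            # the `echo $i` line
            current, certs[line] = line, {}
        elif current and "=" in line:        # notBefore=... / notAfter=...
            key, value = line.split("=", 1)
            certs[current][key] = datetime.strptime(value, "%b %d %H:%M:%S %Y GMT")
    return certs

def validity_days(certs):
    """Whole days from notBefore to notAfter per cert (what openssl was asked for)."""
    return {n: (d["notAfter"] - d["notBefore"]).days for n, d in certs.items()}

def find_mismatches(output, expected, tolerance=1):
    """Return (file, actual_days, expected_days) for certs off by more than tolerance."""
    actual = validity_days(parse_cert_dates(output))
    return [(n, actual[n], want) for n, want in expected.items()
            if n in actual and abs(actual[n] - want) > tolerance]

for cert, got, want in find_mismatches(SAMPLE_OUTPUT, EXPECTED_DAYS):
    print(f"{cert}: issued for {got} days, inventory asked for {want}")
```

On the constructed sample the check reports master.etcd-client.crt, whose notAfter in the listing above still lies in 2025 after the 365-day redeploy.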
Comment 24 Johnny Liu 2017-07-17 07:13:54 EDT
"qa_ack" flag is already set, clear "needinfo" flag
Comment 26 errata-xmlrpc 2017-08-10 01:15:47 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1716
