As a user I want to be able to fix common certificate errors:
* installer detected the wrong hostnames and the user caught it too late
* certificates are expired and we just want to update them.
This is a spin-off from bug 1269070 to track this additional functionality.
Upstream reference: https://trello.com/c/NsT6f1HL/38-oo-install-support-for-redeploying-certificates
Do we have any update on this? Any estimate for the fix and/or any known workaround?
Yes, do we have any workaround as of now if the certificates get corrupted anyhow or we need to correct them? Regards, Jaspeeer
This is still planned for 3.3. The card is in progress now.
While we wait for the automated tooling: there are some manual steps in upstream (Origin) docs about updating certificates: https://docs.openshift.org/latest/install_config/upgrading/manual_upgrades.html#manual-updating-master-and-node-certificates I'm not fully sure if they are complete/accurate for OSE, have not had time to review, but they should be at least a reference for the manual work involved.
https://github.com/openshift/openshift-ansible/pull/1142 aims to address this.
Verify this bug with openshift-ansible-3.2.22-1.git.0.7961a61.el7.noarch
1) Run 'ansible-playbook -i ansible_inventory /usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-certificates.yml'
   The certificates of etcd/master/node would be backed up and redeployed. CA files would be retained.
2) Run 'ansible-playbook -i ansible_inventory /usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-certificates.yml --extra-vars "openshift_certificates_redeploy_ca=true"'
   The certificates of etcd/master/node would be backed up and redeployed. CA files would also be removed and regenerated by openshift-ansible.
3) With the following options set in ansible_inventory in addition:
   openshift_master_ca_certificate={'certfile': '/root/custom_ca/ca.crt', 'keyfile': '/root/custom_ca/ca.key'}
   openshift_certificates_redeploy_ca=true
   run 'ansible-playbook -i ansible_inventory /usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-certificates.yml'
   The certificates of etcd/master/node would be backed up and redeployed. CA files would also be removed and deployed from the custom files.
In all the mentioned cases, etcd, masters and nodes are working well after certs redeployment. All the services are in normal status, nodes are available as before, sti-build testing is successful.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2016:1639