Bug 1275648 - Tooling for certificate maintenance
Product: OpenShift Container Platform
Classification: Red Hat
Component: RFE
x86_64 Linux
urgent Severity urgent
Assigned To: Andrew Butcher
Gaoyun Pei
Depends On:
Blocks: 1267746 1387719
Reported: 2015-10-27 08:29 EDT by Josep 'Pep' Turro Mauri
Modified: 2016-10-21 12:12 EDT (History)
18 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Administrators can now back up and redeploy cluster certificates using the following Ansible playbook:

$ ansible-playbook -i <inventory_file> \
    /usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-certificates.yml

By default, the playbook retains the current OpenShift Enterprise CA. To replace the CA with a generated or custom CA:

$ ansible-playbook -i <inventory_file> \
    /usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-certificates.yml \
    --extra-vars "openshift_certificates_redeploy_ca=true"
Story Points: ---
Clone Of:
: 1387719 (view as bug list)
Last Closed: 2016-08-18 15:27:59 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
jdetiber: needinfo-


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:1639 normal SHIPPED_LIVE OpenShift Enterprise atomic-openshift-utils bug fix and enhancement update 2016-08-18 19:26:45 EDT

Description Josep 'Pep' Turro Mauri 2015-10-27 08:29:43 EDT
As a user I want to be able to fix common certificate errors:

* installer detected the wrong hostnames and the user caught it too late
* certificates are expired and we just want to update them.

This is a spin-off from bug 1269070 to track this additional functionality.

Upstream reference:
Comment 17 Javier Ramirez 2016-06-15 06:18:13 EDT
Do we have any update on this? Any estimate for the fix and/or any known workaround?
Comment 18 Jaspreet Kaur 2016-06-15 07:15:52 EDT

Do we have any workaround as of now if the certificates get corrupted, or do we need to correct them?

Comment 19 Brenton Leanhardt 2016-06-15 07:37:26 EDT
This is still planned for 3.3.  The card is in progress now.
Comment 20 Josep 'Pep' Turro Mauri 2016-06-15 07:52:55 EDT
While we wait for the automated tooling: there are some manual steps in upstream (Origin) docs about updating certificates:


I'm not fully sure if they are complete/accurate for OSE, have not had time to review, but they should be at least a reference for the manual work involved.
Comment 25 Scott Dodson 2016-08-11 08:59:41 EDT
https://github.com/openshift/openshift-ansible/pull/1142 aims to address this.
Comment 27 Gaoyun Pei 2016-08-15 01:43:13 EDT
Verified this bug with openshift-ansible-3.2.22-1.git.0.7961a61.el7.noarch

1) Run 'ansible-playbook -i ansible_inventory /usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-certificates.yml'

The certificates of etcd/master/node would be backed up and redeployed. CA files would be retained.

2) Run 'ansible-playbook -i ansible_inventory /usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-certificates.yml --extra-vars "openshift_certificates_redeploy_ca=true" '

The certificates of etcd/master/node would be backed up and redeployed. CA files would also be removed and regenerated by openshift-ansible.

3) With the following option additionally set in ansible_inventory:
openshift_master_ca_certificate={'certfile': '/root/custom_ca/ca.crt', 'keyfile': '/root/custom_ca/ca.key'}
run 'ansible-playbook -i ansible_inventory /usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-certificates.yml'

The certificates of etcd/master/node would be backed up and redeployed. CA files would also be removed and deployed from the custom files.

In all the mentioned cases, etcd, masters and nodes are working well after certificate redeployment. All the services are in normal status, nodes are available as before, and sti-build testing is successful.
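The two problems the description asks the tooling to fix (certificates carrying the wrong hostnames, and certificates that have expired) are exactly what an administrator wants to confirm before running redeploy-certificates.yml and again after the run verified above. The audit script below is an added example; it is not part of openshift-ansible and was not part of the verification in this bug. It assumes the openssl command-line tool is available and that the caller points it at the directories holding the cluster certificates (/etc/origin/master, /etc/origin/node and /etc/etcd are assumed OSE 3.x defaults, not something this page states). The hostnames and the self-signed certificates it generates when run without arguments are constructed test data.

```shell
#!/bin/sh
# Pre-/post-flight audit of OpenShift cluster certificates around a run of
# redeploy-certificates.yml. Added example, not part of openshift-ansible.
# Assumes the openssl CLI. Certificate directories (assumed OSE 3.x defaults:
# /etc/origin/master, /etc/origin/node, /etc/etcd) are passed by the caller.

# cert_expires_within FILE DAYS: true (exit 0) if FILE expires, or has already
# expired, within DAYS days. openssl does the clock math, so no date parsing.
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# cert_sans FILE: DNS and IP subjectAltName entries, one per line, without the
# "DNS:" / "IP Address:" prefixes. Empty output if the cert has no SAN extension.
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' \
        | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/^DNS://' -e 's/^IP Address://'
}

# cert_has_san FILE NAME: true if NAME is exactly one of FILE's SAN entries.
cert_has_san() {
    cert_sans "$1" | grep -qxF -- "$2"
}

# is_ca_cert FILE: true if FILE carries basicConstraints CA:TRUE. A CA cert names
# no hosts, so audit_dir skips the SAN check for it.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# audit_cert FILE DAYS NAME...: one report line per check; returns 1 if FILE
# expires within DAYS days or lacks any NAME in its SANs, else 0.
audit_cert() {
    ac_file=$1; ac_days=$2; shift 2
    ac_rc=0
    if cert_expires_within "$ac_file" "$ac_days"; then
        echo "WARN $ac_file: expires within $ac_days days ($(openssl x509 -in "$ac_file" -noout -enddate))"
        ac_rc=1
    else
        echo "ok   $ac_file: valid beyond $ac_days days"
    fi
    for ac_name in "$@"; do
        if cert_has_san "$ac_file" "$ac_name"; then
            echo "ok   $ac_file: SAN includes $ac_name"
        else
            echo "WARN $ac_file: SAN missing $ac_name (have: $(cert_sans "$ac_file" | tr '\n' ' '))"
            ac_rc=1
        fi
    done
    return $ac_rc
}

# audit_dir DIR DAYS NAME...: audit every *.crt in DIR; CA certs get the expiry
# check only. Returns 1 if any certificate fails a check.
audit_dir() {
    ad_dir=$1; shift
    ad_rc=0
    for ad_f in "$ad_dir"/*.crt; do
        [ -e "$ad_f" ] || continue      # no *.crt at all: the glob stays literal
        if is_ca_cert "$ad_f"; then
            audit_cert "$ad_f" "$1" || ad_rc=1
        else
            audit_cert "$ad_f" "$@" || ad_rc=1
        fi
    done
    return $ad_rc
}

# make_sample_cert DIR NAME DAYS EXTLINE...: constructed test data, not cluster
# material: a self-signed DIR/NAME.crt valid for DAYS days carrying the given
# [v3] extension lines, so the checks above can be exercised offline.
make_sample_cert() {
    sc_dir=$1; sc_name=$2; sc_days=$3; shift 3
    {
        printf '[req]\nprompt = no\ndistinguished_name = dn\nx509_extensions = v3\n[dn]\nCN = %s\n[v3]\n' "$sc_name"
        printf '%s\n' "$@"
    } > "$sc_dir/$sc_name.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days "$sc_days" -config "$sc_dir/$sc_name.cnf" \
        -keyout "$sc_dir/$sc_name.key" -out "$sc_dir/$sc_name.crt" >/dev/null 2>&1
}

# Usage: sh audit-certs.sh DIR DAYS HOSTNAME...
#   e.g. sh audit-certs.sh /etc/origin/master 30 master.example.com
# With no arguments: build the constructed sample (a server cert with 10 days left
# and a long-lived CA) in a temp dir and audit it, showing both failure modes.
if [ $# -ge 2 ]; then
    audit_dir "$@"
elif [ $# -eq 0 ]; then
    demo=$(mktemp -d)
    make_sample_cert "$demo" ca 3650 'basicConstraints = critical,CA:TRUE'
    make_sample_cert "$demo" master.server 10 'basicConstraints = CA:FALSE' \
        'subjectAltName = DNS:master.example.com,DNS:kubernetes,IP:10.0.0.1'
    audit_dir "$demo" 30 master.example.com node1.example.com
    rm -rf "$demo"
fi
```

Run it against each certificate directory before the playbook to list the certificates that are near expiry or missing the hostnames the cluster should be using, then run it again afterwards: every server certificate should now be valid beyond the chosen window and carry the expected names, and with openshift_certificates_redeploy_ca=true the CA certificate's own validity changes as well. The CA check is expiry-only on purpose, since a CA certificate carries no hostnames and a SAN check on it would only produce false warnings.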
Comment 29 errata-xmlrpc 2016-08-18 15:27:59 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.
