Bug 1391548 - Increase default CA lifetime (advanced installation)(https://github.com/openshift/openshift-ansible/pull/2703)
Status: CLOSED ERRATA
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer (Show other bugs)
Version: 3.3.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 3.3.1
Assigned To: Andrew Butcher
QA Contact: Gaoyun Pei
Docs Contact:
Depends On:
Blocks:
Reported: 2016-11-03 10:14 EDT by Miheer Salunke
Modified: 2016-11-15 14:10 EST (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Previously, the etcd certificate authority created by the installer had an expiry date one year in the future. This has been updated to five years, matching the lifespan of the other certificate authorities created by the installer.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-11-15 14:10:58 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---




External Trackers
Tracker ID: Red Hat Product Errata RHSA-2016:2778
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: atomic-openshift-utils security and bug fix update
Last Updated: 2016-11-15 19:08:29 EST

Description Miheer Salunke 2016-11-03 10:14:54 EDT
1. Proposed title of this feature request

Increase default CA lifetime (advanced installation)

3. What is the nature and description of the request?
The etcd and OpenShift internal CAs currently expire after 1 and 5 years respectively. This is extremely short for CAs for a product which is expected to be upgraded over time rather than replaced. When CAs expire, all certificates need to be replaced and the new CA must be distributed to all hosts and trusted. When a signed certificate expires, you only need to update it server side.

4. Why does the customer need this?
Reduce the risk and impact of downtime from expired certificates.

5. How would the customer like to achieve this?
- Increased default expiry
- Configurable setting

6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.
- Rerun "config" playbooks with setting to replace all the certificates

7. Is there already an existing RFE upstream or in Red Hat Bugzilla?
https://github.com/openshift/openshift-ansible/pull/2703

8. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL5, RHEL6)?
Before the current certificates expire... (9 months)

9. Is the sales team involved in this request and do they have any additional input?
No

10. List any affected packages or components.
openshift-ansible

11. Would the customer be able to assist in testing this functionality if implemented?
Yes
Comment 5 Scott Dodson 2016-11-04 11:20:25 EDT
ETCD CA 5yr lifespan in https://github.com/openshift/openshift-ansible/pull/2725
Comment 8 Gaoyun Pei 2016-11-08 03:59:44 EST
Installed an ocp-3.3 env with openshift-ansible-3.3.46-1.git.0.2558730.el7.noarch.rpm and checked all the cert files under the /etc/etcd/ directory; all the certs have a 5-year lifetime now.

ca.crt
        Validity
            Not Before: Nov  8 07:32:42 2016 GMT
            Not After : Nov  7 07:32:42 2021 GMT
        Subject: CN=etcd-signer@1478590271
peer.crt
        Validity
            Not Before: Nov  8 07:33:00 2016 GMT
            Not After : Nov  7 07:33:00 2021 GMT
        Subject: CN=master-registry-etcd-1
server.crt
        Validity
            Not Before: Nov  8 07:32:57 2016 GMT
            Not After : Nov  7 07:32:57 2021 GMT
        Subject: CN=master-registry-etcd-1
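As an added example (not from this bug or from openshift-ansible), a small Python checker that parses the `openssl x509 -noout -text` validity output shown above and flags an etcd CA issued for less than five years or any certificate nearing expiry. The dump format, the one-year pre-fix sample and the 90-day warning window are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample: the `openssl x509 -noout -text` fragment quoted in comment 8
# for the post-fix etcd CA (file name line, then its Validity block and Subject).
FIXED_DUMP = """\
ca.crt
        Validity
            Not Before: Nov  8 07:32:42 2016 GMT
            Not After : Nov  7 07:32:42 2021 GMT
        Subject: CN=etcd-signer@1478590271
"""
# Constructed sample of the pre-fix behaviour: the same CA issued for one year.
OLD_DUMP = """\
ca.crt
        Validity
            Not Before: Nov  8 07:32:42 2016 GMT
            Not After : Nov  8 07:32:42 2017 GMT
        Subject: CN=etcd-signer@1478590271
"""
def parse_openssl_time(s):
    # openssl prints e.g. "Nov  8 07:32:42 2016 GMT"; strptime tolerates the padded day
    return datetime.strptime(s.strip(), "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)

def parse_dump(text):
    # Returns {file name: {"not_before", "not_after", "subject"}}
    certs, cur = {}, None
    for line in text.splitlines():
        s = line.strip()
        if s.endswith(".crt") and not line[:1].isspace():  # unindented file name starts a cert
            cur = certs.setdefault(s, {})
        elif s.startswith("Not Before:"):
            cur["not_before"] = parse_openssl_time(s.split(":", 1)[1])
        elif s.startswith("Not After :"):
            cur["not_after"] = parse_openssl_time(s.split(":", 1)[1])
        elif s.startswith("Subject:"):
            cur["subject"] = s.split(":", 1)[1].strip()
    return certs

def lifetime_days(cert):
    return (cert["not_after"] - cert["not_before"]).days

def audit(certs, now, min_ca_days=5 * 365, warn_days=90):
    # Flag a CA issued for less than min_ca_days, and any cert expiring within warn_days.
    # The installer names the etcd CA "etcd-signer@<epoch>", as seen in the bug's output.
    findings = []
    for name, c in certs.items():
        if c["subject"].startswith("CN=etcd-signer") and lifetime_days(c) < min_ca_days:
            findings.append((name, "short-ca-lifetime", lifetime_days(c)))
        remaining = (c["not_after"] - now).days
        if remaining < warn_days:
            findings.append((name, "expiring-soon", remaining))
    return findings
```

Feed it the concatenated output of `openssl x509 -noout -text -in <file>` for each cert under /etc/etcd/, prefixed by the file name, to run the same check on a live host.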
Comment 9 errata-xmlrpc 2016-11-15 14:10:58 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2016:2778
