1414542 – [3.3] Node certificate serials are not unique

Bug 1414542 - [3.3] Node certificate serials are not unique

Summary: [3.3] Node certificate serials are not unique

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Installer
Sub Component:
Version:	3.3.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	urgent
Target Milestone:	---
Target Release:	---
Assignee:	Andrew Butcher
QA Contact:	Gaoyun Pei
Docs Contact:
URL:
Whiteboard:
Depends On:	1414537 1414570
Blocks:
TreeView+	depends on / blocked

Reported:	2017-01-18 19:23 UTC by Andrew Butcher
Modified:	2017-01-31 21:10 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:	1414537
Environment:
Last Closed:	2017-01-31 21:10:58 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2017:0224	0	normal	SHIPPED_LIVE	OpenShift Container Platform atomic-openshift-utils bug fix update	2017-02-01 02:10:09 UTC

Description Andrew Butcher 2017-01-18 19:23:59 UTC

+++ This bug was initially created as a clone of Bug #1414537 +++

Description of problem:

Node certificates created by openshift-ansible have duplicate serial numbers. This is a concern for ipsec encryption https://docs.openshift.com/container-platform/3.4/admin_guide/ipsec.html which requires that the certificate serials are unique.

Version-Release number of selected component (if applicable):
atomic-openshift-utils-3.4.44-1.git.0.efa61c6.el7.noarch.rpm
openshift-ansible-3.4.44-1.git.0.efa61c6.el7.noarch.rpm
openshift-ansible-playbooks-3.4.44-1.git.0.efa61c6.el7.noarch.rpm
openshift-ansible-roles-3.4.44-1.git.0.efa61c6.el7.noarch.rpm

How reproducible:
Always.

Steps to Reproduce:
1. Install multi-node cluster using openshift-ansible.
2. Check certificate serial numbers for node certificates.

# openssl x509 -in /etc/origin/node/system\:node\:node1.example.com.crt -serial -noout
serial=14
# openssl x509 -in /etc/origin/node/server.crt -serial -noout
serial=15

# openssl x509 -in /etc/origin/node/system\:node\:node2.example.com.crt -serial -noout
serial=14
# openssl x509 -in /etc/origin/node/server.crt -serial -noout
serial=15

# openssl x509 -in /etc/origin/node/system\:node\:node3.example.com.crt -serial -noout
serial=14
# openssl x509 -in /etc/origin/node/server.crt -serial -noout
serial=15

Actual results:
Node certificate serial numbers are not unique.

Expected results:
Node certificate serial numbers are unique.

# openssl x509 -in /etc/origin/node/system\:node\:node1.example.com.crt -serial -noout
serial=0F
# openssl x509 -in /etc/origin/node/server.crt -serial -noout
serial=12

# openssl x509 -in /etc/origin/node/system\:node\:node2.example.com.crt -serial -noout
serial=10
# openssl x509 -in /etc/origin/node/server.crt -serial -noout
serial=13

# openssl x509 -in /etc/origin/node/system\:node\:node3.example.com.crt -serial -noout
serial=11
# openssl x509 -in /etc/origin/node/server.crt -serial -noout
serial=14

Additional info:

Comment 2 Gaoyun Pei 2017-01-19 06:16:55 UTC

Verify this bug with openshift-ansible-3.3.59-1.git.0.43a30b1.el7.noarch.rpm

[root@ip-172-18-3-235 ~]# oc get node
NAME                           STATUS                     AGE
ip-172-18-1-93.ec2.internal    Ready                      3h
ip-172-18-2-46.ec2.internal    Ready                      3h
ip-172-18-3-235.ec2.internal   Ready,SchedulingDisabled   3h
ip-172-18-7-18.ec2.internal    Ready                      3h


Check certificate serial numbers for each node's certificates
[root@ip-172-18-3-235 ~]# openssl x509 -in /etc/origin/node/system\:node\:ip-172-18-3-235.ec2.internal.crt -serial -noout
serial=0B
[root@ip-172-18-3-235 ~]# openssl x509 -in /etc/origin/node/server.crt -serial -noout
serial=0F


[root@ip-172-18-1-93 ~]# openssl x509 -in /etc/origin/node/system\:node\:ip-172-18-1-93.ec2.internal.crt -serial -noout
serial=0C
[root@ip-172-18-1-93 ~]# openssl x509 -in /etc/origin/node/server.crt -serial -noout
serial=10


[root@ip-172-18-7-18 ~]# openssl x509 -in /etc/origin/node/system\:node\:ip-172-18-7-18.ec2.internal.crt -serial -noout
serial=0D
[root@ip-172-18-7-18 ~]# openssl x509 -in /etc/origin/node/server.crt -serial -noout
serial=11


[root@ip-172-18-2-46 ~]# openssl x509 -in /etc/origin/node/system\:node\:ip-172-18-2-46.ec2.internal.crt -serial -noout
serial=0E
[root@ip-172-18-2-46 ~]# openssl x509 -in /etc/origin/node/server.crt -serial -noout
serial=12

Comment 4 errata-xmlrpc 2017-01-31 21:10:58 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0224

Note You need to log in before you can comment on or make changes to this bug.