Bug 1414542 - [3.3] Node certificate serials are not unique
Summary: [3.3] Node certificate serials are not unique
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.3.1
Hardware: Unspecified
OS: Unspecified
unspecified
urgent
Target Milestone: ---
: ---
Assignee: Andrew Butcher
QA Contact: Gaoyun Pei
URL:
Whiteboard:
Depends On: 1414537 1414570
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-01-18 19:23 UTC by Andrew Butcher
Modified: 2017-01-31 21:10 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1414537
Environment:
Last Closed: 2017-01-31 21:10:58 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:0224 0 normal SHIPPED_LIVE OpenShift Container Platform atomic-openshift-utils bug fix update 2017-02-01 02:10:09 UTC

Description Andrew Butcher 2017-01-18 19:23:59 UTC
+++ This bug was initially created as a clone of Bug #1414537 +++

Description of problem:

Node certificates created by openshift-ansible have duplicate serial numbers. This is a concern for ipsec encryption https://docs.openshift.com/container-platform/3.4/admin_guide/ipsec.html which requires that the certificate serials are unique.

Version-Release number of selected component (if applicable):
atomic-openshift-utils-3.4.44-1.git.0.efa61c6.el7.noarch.rpm
openshift-ansible-3.4.44-1.git.0.efa61c6.el7.noarch.rpm
openshift-ansible-playbooks-3.4.44-1.git.0.efa61c6.el7.noarch.rpm
openshift-ansible-roles-3.4.44-1.git.0.efa61c6.el7.noarch.rpm

How reproducible:
Always.

Steps to Reproduce:
1. Install multi-node cluster using openshift-ansible.
2. Check certificate serial numbers for node certificates.

# openssl x509 -in /etc/origin/node/system\:node\:node1.example.com.crt -serial -noout
serial=14
# openssl x509 -in /etc/origin/node/server.crt -serial -noout
serial=15

# openssl x509 -in /etc/origin/node/system\:node\:node2.example.com.crt -serial -noout
serial=14
# openssl x509 -in /etc/origin/node/server.crt -serial -noout
serial=15

# openssl x509 -in /etc/origin/node/system\:node\:node3.example.com.crt -serial -noout
serial=14
# openssl x509 -in /etc/origin/node/server.crt -serial -noout
serial=15

Actual results:
Node certificate serial numbers are not unique.

Expected results:
Node certificate serial numbers are unique.

# openssl x509 -in /etc/origin/node/system\:node\:node1.example.com.crt -serial -noout
serial=0F
# openssl x509 -in /etc/origin/node/server.crt -serial -noout
serial=12

# openssl x509 -in /etc/origin/node/system\:node\:node2.example.com.crt -serial -noout
serial=10
# openssl x509 -in /etc/origin/node/server.crt -serial -noout
serial=13

# openssl x509 -in /etc/origin/node/system\:node\:node3.example.com.crt -serial -noout
serial=11
# openssl x509 -in /etc/origin/node/server.crt -serial -noout
serial=14

Additional info:

Comment 2 Gaoyun Pei 2017-01-19 06:16:55 UTC
Verify this bug with openshift-ansible-3.3.59-1.git.0.43a30b1.el7.noarch.rpm

[root@ip-172-18-3-235 ~]# oc get node
NAME                           STATUS                     AGE
ip-172-18-1-93.ec2.internal    Ready                      3h
ip-172-18-2-46.ec2.internal    Ready                      3h
ip-172-18-3-235.ec2.internal   Ready,SchedulingDisabled   3h
ip-172-18-7-18.ec2.internal    Ready                      3h


Check certificate serial numbers for each node's certificates
[root@ip-172-18-3-235 ~]# openssl x509 -in /etc/origin/node/system\:node\:ip-172-18-3-235.ec2.internal.crt -serial -noout
serial=0B
[root@ip-172-18-3-235 ~]# openssl x509 -in /etc/origin/node/server.crt -serial -noout
serial=0F


[root@ip-172-18-1-93 ~]# openssl x509 -in /etc/origin/node/system\:node\:ip-172-18-1-93.ec2.internal.crt -serial -noout
serial=0C
[root@ip-172-18-1-93 ~]# openssl x509 -in /etc/origin/node/server.crt -serial -noout
serial=10


[root@ip-172-18-7-18 ~]# openssl x509 -in /etc/origin/node/system\:node\:ip-172-18-7-18.ec2.internal.crt -serial -noout
serial=0D
[root@ip-172-18-7-18 ~]# openssl x509 -in /etc/origin/node/server.crt -serial -noout
serial=11


[root@ip-172-18-2-46 ~]# openssl x509 -in /etc/origin/node/system\:node\:ip-172-18-2-46.ec2.internal.crt -serial -noout
serial=0E
[root@ip-172-18-2-46 ~]# openssl x509 -in /etc/origin/node/server.crt -serial -noout
serial=12

Comment 4 errata-xmlrpc 2017-01-31 21:10:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0224


Note You need to log in before you can comment on or make changes to this bug.