+++ This bug was initially created as a clone of Bug #1414537 +++

Description of problem:
Node certificates created by openshift-ansible have duplicate serial numbers. This is a concern for ipsec encryption https://docs.openshift.com/container-platform/3.4/admin_guide/ipsec.html which requires that the certificate serials are unique.

Version-Release number of selected component (if applicable):
atomic-openshift-utils-3.4.44-1.git.0.efa61c6.el7.noarch.rpm
openshift-ansible-3.4.44-1.git.0.efa61c6.el7.noarch.rpm
openshift-ansible-playbooks-3.4.44-1.git.0.efa61c6.el7.noarch.rpm
openshift-ansible-roles-3.4.44-1.git.0.efa61c6.el7.noarch.rpm

How reproducible:
Always.

Steps to Reproduce:
1. Install multi-node cluster using openshift-ansible.
2. Check certificate serial numbers for node certificates.

# openssl x509 -in /etc/origin/node/system\:node\:node1.example.com.crt -serial -noout
serial=14
# openssl x509 -in /etc/origin/node/server.crt -serial -noout
serial=15

# openssl x509 -in /etc/origin/node/system\:node\:node2.example.com.crt -serial -noout
serial=14
# openssl x509 -in /etc/origin/node/server.crt -serial -noout
serial=15

# openssl x509 -in /etc/origin/node/system\:node\:node3.example.com.crt -serial -noout
serial=14
# openssl x509 -in /etc/origin/node/server.crt -serial -noout
serial=15

Actual results:
Node certificate serial numbers are not unique.

Expected results:
Node certificate serial numbers are unique.

# openssl x509 -in /etc/origin/node/system\:node\:node1.example.com.crt -serial -noout
serial=0F
# openssl x509 -in /etc/origin/node/server.crt -serial -noout
serial=12

# openssl x509 -in /etc/origin/node/system\:node\:node2.example.com.crt -serial -noout
serial=10
# openssl x509 -in /etc/origin/node/server.crt -serial -noout
serial=13

# openssl x509 -in /etc/origin/node/system\:node\:node3.example.com.crt -serial -noout
serial=11
# openssl x509 -in /etc/origin/node/server.crt -serial -noout
serial=14

Additional info:
Verify this bug with openshift-ansible-3.3.59-1.git.0.43a30b1.el7.noarch.rpm

[root@ip-172-18-3-235 ~]# oc get node
NAME                           STATUS                     AGE
ip-172-18-1-93.ec2.internal    Ready                      3h
ip-172-18-2-46.ec2.internal    Ready                      3h
ip-172-18-3-235.ec2.internal   Ready,SchedulingDisabled   3h
ip-172-18-7-18.ec2.internal    Ready                      3h

Check certificate serial numbers for each node's certificates

[root@ip-172-18-3-235 ~]# openssl x509 -in /etc/origin/node/system\:node\:ip-172-18-3-235.ec2.internal.crt -serial -noout
serial=0B
[root@ip-172-18-3-235 ~]# openssl x509 -in /etc/origin/node/server.crt -serial -noout
serial=0F

[root@ip-172-18-1-93 ~]# openssl x509 -in /etc/origin/node/system\:node\:ip-172-18-1-93.ec2.internal.crt -serial -noout
serial=0C
[root@ip-172-18-1-93 ~]# openssl x509 -in /etc/origin/node/server.crt -serial -noout
serial=10

[root@ip-172-18-7-18 ~]# openssl x509 -in /etc/origin/node/system\:node\:ip-172-18-7-18.ec2.internal.crt -serial -noout
serial=0D
[root@ip-172-18-7-18 ~]# openssl x509 -in /etc/origin/node/server.crt -serial -noout
serial=11

[root@ip-172-18-2-46 ~]# openssl x509 -in /etc/origin/node/system\:node\:ip-172-18-2-46.ec2.internal.crt -serial -noout
serial=0E
[root@ip-172-18-2-46 ~]# openssl x509 -in /etc/origin/node/server.crt -serial -noout
serial=12
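A small check for the "Check certificate serial numbers" step in the report and for the per-node verification in the comment above, added here as an example; it is not code from the bug report or from openshift-ansible. It parses the `serial=` lines that `openssl x509 -serial -noout` prints, normalises them through integer conversion (so `0F`, `0f` and `00F` compare equal), and reports any serial shared by more than one certificate. The per-node outputs are constructed samples carrying the serials quoted in the report, and the `read_serial_from_file` helper assumes `openssl` is on PATH.

```python
"""Check that node certificates issued by one cluster CA carry unique
serial numbers, using the "serial=XX" lines that
`openssl x509 -in <cert> -serial -noout` prints on each node.

Added example; not part of the bug report or of openshift-ansible.
"""
import re
import subprocess
from collections import defaultdict

# One "serial=<hex>" line, as printed by `openssl x509 -serial -noout`.
SERIAL_RE = re.compile(r"^serial=([0-9A-Fa-f]+)\s*$", re.MULTILINE)


def parse_serial(openssl_output):
    """Return the serial from openssl's output as an int.

    Going through int() makes the comparison independent of hex case
    and leading zeros, so "0F", "0f" and "00F" all compare equal.
    """
    match = SERIAL_RE.search(openssl_output)
    if match is None:
        raise ValueError("no serial= line in openssl output: %r" % openssl_output)
    return int(match.group(1), 16)


def collect_serials(outputs_by_cert):
    """Parse {label: openssl output text} into {label: int serial}."""
    return {label: parse_serial(text) for label, text in outputs_by_cert.items()}


def find_duplicate_serials(serials_by_cert):
    """Map serial -> sorted labels of the certificates that share it.

    Only serials held by more than one certificate are returned, so an
    empty dict means every serial in the set is unique.
    """
    holders = defaultdict(list)
    for label, serial in serials_by_cert.items():
        holders[serial].append(label)
    return {serial: sorted(labels)
            for serial, labels in holders.items() if len(labels) > 1}


def read_serial_from_file(cert_path):
    """Run openssl locally on one certificate file (assumes openssl on PATH).

    On a real cluster the outputs are gathered from every node; the
    constructed samples below stand in for that here.
    """
    result = subprocess.run(
        ["openssl", "x509", "-in", cert_path, "-serial", "-noout"],
        capture_output=True, text=True, check=True,
    )
    return parse_serial(result.stdout)


# Constructed sample: openssl output per (node, certificate), with the
# serials from the "Steps to Reproduce" section of the report.
BROKEN_CLUSTER = {
    "node1.example.com/system:node:node1.example.com.crt": "serial=14\n",
    "node1.example.com/server.crt": "serial=15\n",
    "node2.example.com/system:node:node2.example.com.crt": "serial=14\n",
    "node2.example.com/server.crt": "serial=15\n",
    "node3.example.com/system:node:node3.example.com.crt": "serial=14\n",
    "node3.example.com/server.crt": "serial=15\n",
}

# Constructed sample with the serials from the "Expected results" section.
FIXED_CLUSTER = {
    "node1.example.com/system:node:node1.example.com.crt": "serial=0F\n",
    "node1.example.com/server.crt": "serial=12\n",
    "node2.example.com/system:node:node2.example.com.crt": "serial=10\n",
    "node2.example.com/server.crt": "serial=13\n",
    "node3.example.com/system:node:node3.example.com.crt": "serial=11\n",
    "node3.example.com/server.crt": "serial=14\n",
}


def report(outputs_by_cert):
    """Print a verdict for one set of outputs and return the duplicate map."""
    dupes = find_duplicate_serials(collect_serials(outputs_by_cert))
    if not dupes:
        print("OK: all %d certificate serials are unique" % len(outputs_by_cert))
    for serial, labels in sorted(dupes.items()):
        print("DUPLICATE serial=%X shared by %d certs: %s"
              % (serial, len(labels), ", ".join(labels)))
    return dupes


if __name__ == "__main__":
    report(BROKEN_CLUSTER)  # flags serial 14 and serial 15, three holders each
    report(FIXED_CLUSTER)   # reports OK
```

Serial uniqueness is a per-issuer requirement, so when a cluster has more than one CA (for example separate node and router CAs), gather the outputs per issuing CA and run `report` on each group rather than on everything at once; the label should keep the node name so that a duplicate can be traced back to the host that holds it.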
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0224