Bug 1414570 - [3.2] Node certificate serials are not unique
Summary: [3.2] Node certificate serials are not unique
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.2.1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: ---
Target Release: ---
Assignee: Andrew Butcher
QA Contact: Gaoyun Pei
URL:
Whiteboard:
Depends On: 1414537
Blocks: 1414542
Reported: 2017-01-18 21:10 UTC by Andrew Butcher
Modified: 2017-01-31 21:11 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1414537
Environment:
Last Closed: 2017-01-31 21:11:02 UTC
Target Upstream Version:

Links:
Red Hat Product Errata RHBA-2017:0224 (priority normal, status SHIPPED_LIVE): OpenShift Container Platform atomic-openshift-utils bug fix update, last updated 2017-02-01 02:10:09 UTC

Description Andrew Butcher 2017-01-18 21:10:28 UTC
+++ This bug was initially created as a clone of Bug #1414537 +++

Description of problem:

Node certificates created by openshift-ansible have duplicate serial numbers. This is a concern for ipsec encryption https://docs.openshift.com/container-platform/3.4/admin_guide/ipsec.html which requires that the certificate serials are unique.

Version-Release number of selected component (if applicable):
atomic-openshift-utils-3.4.44-1.git.0.efa61c6.el7.noarch.rpm
openshift-ansible-3.4.44-1.git.0.efa61c6.el7.noarch.rpm
openshift-ansible-playbooks-3.4.44-1.git.0.efa61c6.el7.noarch.rpm
openshift-ansible-roles-3.4.44-1.git.0.efa61c6.el7.noarch.rpm

How reproducible:
Always.

Steps to Reproduce:
1. Install multi-node cluster using openshift-ansible.
2. Check certificate serial numbers for node certificates.

# openssl x509 -in /etc/origin/node/system\:node\:node1.example.com.crt -serial -noout
serial=14
# openssl x509 -in /etc/origin/node/server.crt -serial -noout
serial=15

# openssl x509 -in /etc/origin/node/system\:node\:node2.example.com.crt -serial -noout
serial=14
# openssl x509 -in /etc/origin/node/server.crt -serial -noout
serial=15

# openssl x509 -in /etc/origin/node/system\:node\:node3.example.com.crt -serial -noout
serial=14
# openssl x509 -in /etc/origin/node/server.crt -serial -noout
serial=15

Actual results:
Node certificate serial numbers are not unique.

Expected results:
Node certificate serial numbers are unique.

# openssl x509 -in /etc/origin/node/system\:node\:node1.example.com.crt -serial -noout
serial=0F
# openssl x509 -in /etc/origin/node/server.crt -serial -noout
serial=12

# openssl x509 -in /etc/origin/node/system\:node\:node2.example.com.crt -serial -noout
serial=10
# openssl x509 -in /etc/origin/node/server.crt -serial -noout
serial=13

# openssl x509 -in /etc/origin/node/system\:node\:node3.example.com.crt -serial -noout
serial=11
# openssl x509 -in /etc/origin/node/server.crt -serial -noout
serial=14

Additional info:

Comment 2 Gaoyun Pei 2017-01-19 06:20:33 UTC
Verify this bug with openshift-ansible-3.2.47-1.git.0.34a924d.el7.noarch.rpm

[root@ip-172-18-8-209 ~]# oc get node
NAME                           STATUS                     AGE
ip-172-18-15-55.ec2.internal   Ready                      2h
ip-172-18-4-57.ec2.internal    Ready                      2h
ip-172-18-6-198.ec2.internal   Ready                      2h
ip-172-18-8-209.ec2.internal   Ready,SchedulingDisabled   2h


Check certificate serial numbers for each node's certificates

[root@ip-172-18-8-209 ~]# openssl x509 -in /etc/origin/node/system\:node\:ip-172-18-8-209.ec2.internal.crt -serial -noout
serial=0B
[root@ip-172-18-8-209 ~]# openssl x509 -in /etc/origin/node/server.crt -serial -noout
serial=0F


[root@ip-172-18-4-57 ~]# openssl x509 -in /etc/origin/node/system\:node\:ip-172-18-4-57.ec2.internal.crt -serial -noout
serial=0E
[root@ip-172-18-4-57 ~]# openssl x509 -in /etc/origin/node/server.crt -serial -noout
serial=12


[root@ip-172-18-15-55 ~]# openssl x509 -in /etc/origin/node/system\:node\:ip-172-18-15-55.ec2.internal.crt -serial -noout
serial=0D
[root@ip-172-18-15-55 ~]# openssl x509 -in /etc/origin/node/server.crt -serial -noout
serial=11


[root@ip-172-18-6-198 ~]# openssl x509 -in /etc/origin/node/system\:node\:ip-172-18-6-198.ec2.internal.crt -serial -noout
serial=0C
[root@ip-172-18-6-198 ~]# openssl x509 -in /etc/origin/node/server.crt -serial -noout
serial=10

Comment 4 errata-xmlrpc 2017-01-31 21:11:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0224

