Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1414570

Summary: [3.2] Node certificate serials are not unique
Product: OpenShift Container Platform Reporter: Andrew Butcher <abutcher>
Component: InstallerAssignee: Andrew Butcher <abutcher>
Status: CLOSED ERRATA QA Contact: Gaoyun Pei <gpei>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 3.2.1CC: aos-bugs, jialiu, jokerman, mmccomas
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1414537 Environment:
Last Closed: 2017-01-31 21:11:02 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1414537    
Bug Blocks: 1414542    

Description Andrew Butcher 2017-01-18 21:10:28 UTC 
+++ This bug was initially created as a clone of Bug #1414537 +++

Description of problem:

Node certificates created by openshift-ansible have duplicate serial numbers. This is a concern for ipsec encryption https://docs.openshift.com/container-platform/3.4/admin_guide/ipsec.html which requires that the certificate serials are unique.

Version-Release number of selected component (if applicable):
atomic-openshift-utils-3.4.44-1.git.0.efa61c6.el7.noarch.rpm
openshift-ansible-3.4.44-1.git.0.efa61c6.el7.noarch.rpm
openshift-ansible-playbooks-3.4.44-1.git.0.efa61c6.el7.noarch.rpm
openshift-ansible-roles-3.4.44-1.git.0.efa61c6.el7.noarch.rpm

How reproducible:
Always.

Steps to Reproduce:
1. Install multi-node cluster using openshift-ansible.
2. Check certificate serial numbers for node certificates.

# openssl x509 -in /etc/origin/node/system\:node\:node1.example.com.crt -serial -noout
serial=14
# openssl x509 -in /etc/origin/node/server.crt -serial -noout
serial=15

# openssl x509 -in /etc/origin/node/system\:node\:node2.example.com.crt -serial -noout
serial=14
# openssl x509 -in /etc/origin/node/server.crt -serial -noout
serial=15

# openssl x509 -in /etc/origin/node/system\:node\:node3.example.com.crt -serial -noout
serial=14
# openssl x509 -in /etc/origin/node/server.crt -serial -noout
serial=15

Actual results:
Node certificate serial numbers are not unique.

Expected results:
Node certificate serial numbers are unique.

# openssl x509 -in /etc/origin/node/system\:node\:node1.example.com.crt -serial -noout
serial=0F
# openssl x509 -in /etc/origin/node/server.crt -serial -noout
serial=12

# openssl x509 -in /etc/origin/node/system\:node\:node2.example.com.crt -serial -noout
serial=10
# openssl x509 -in /etc/origin/node/server.crt -serial -noout
serial=13

# openssl x509 -in /etc/origin/node/system\:node\:node3.example.com.crt -serial -noout
serial=11
# openssl x509 -in /etc/origin/node/server.crt -serial -noout
serial=14

Additional info:
Comment 2 Gaoyun Pei 2017-01-19 06:20:33 UTC 
Verify this bug with openshift-ansible-3.2.47-1.git.0.34a924d.el7.noarch.rpm

oc[root@ip-172-18-8-209 ~]# oc get node
NAME                           STATUS                     AGE
ip-172-18-15-55.ec2.internal   Ready                      2h
ip-172-18-4-57.ec2.internal    Ready                      2h
ip-172-18-6-198.ec2.internal   Ready                      2h
ip-172-18-8-209.ec2.internal   Ready,SchedulingDisabled   2h


Check certificate serial numbers for each node's certificates

[root@ip-172-18-8-209 ~]# openssl x509 -in /etc/origin/node/system\:node\:ip-172-18-8-209.ec2.internal.crt -serial -noout
serial=0B
[root@ip-172-18-8-209 ~]# openssl x509 -in /etc/origin/node/server.crt -serial -noout
serial=0F


[root@ip-172-18-4-57 ~]# openssl x509 -in /etc/origin/node/system\:node\:ip-172-18-4-57.ec2.internal.crt -serial -noout
serial=0E
[root@ip-172-18-4-57 ~]# openssl x509 -in /etc/origin/node/server.crt -serial -noout
serial=12


[root@ip-172-18-15-55 ~]# openssl x509 -in /etc/origin/node/system\:node\:ip-172-18-15-55.ec2.internal.crt -serial -noout
serial=0D
[root@ip-172-18-15-55 ~]# openssl x509 -in /etc/origin/node/server.crt -serial -noout
serial=11


[root@ip-172-18-6-198 ~]# openssl x509 -in /etc/origin/node/system\:node\:ip-172-18-6-198.ec2.internal.crt -serial -noout
serial=0C
[root@ip-172-18-6-198 ~]# openssl x509 -in /etc/origin/node/server.crt -serial -noout
serial=10
Comment 4 errata-xmlrpc 2017-01-31 21:11:02 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0224