1440309 – [3.4] Post-install, master certs signed for wrong name

Bug 1440309 - [3.4] Post-install, master certs signed for wrong name

Summary: [3.4] Post-install, master certs signed for wrong name

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Installer
Sub Component:
Version:	3.4.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	urgent
Target Milestone:	---
Target Release:	3.4.z
Assignee:	Scott Dodson
QA Contact:	Gaoyun Pei
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1447398 1447399
TreeView+	depends on / blocked

Reported:	2017-04-07 21:05 UTC by Steven Walter
Modified:	2017-12-19 06:51 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	In multi-master environments if ansible_host and openshift_hostname values differ and ansible sorts one of the lists differently from the other then the CA Host may be the first master but it was still signing the initial certificates with the hostnames of the first master. By ensuring that we use the hostnames of the CA Host when creating the certificate authority we ensure that the certificates are signed with the correct hostnames even if the two lists are sorted differently.
Clone Of:
Clones:	1447398 1447399 (view as bug list)
Environment:
Last Closed:	2017-05-17 17:39:21 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2017:1244	0	normal	SHIPPED_LIVE	Important: ansible and openshift-ansible security and bug fix update	2017-05-25 21:43:49 UTC

Description Steven Walter 2017-04-07 21:05:05 UTC

Description of problem:
After running install, the certs on one of 3 masters is signed for the wrong ip address (the ip address of a separate master)

Version-Release number of selected component (if applicable):
3.4

How reproducible:
Unconfirmed

Comment 6 Scott Dodson 2017-04-07 22:35:14 UTC

Proposed fix here https://github.com/openshift/openshift-ansible/pull/3885

Comment 11 Scott Dodson 2017-05-02 15:52:36 UTC

Example where ansible_host sorts differently from openshift_hostname, in this case oo_first_master will be master1 but openshift_ca will be master2 :

[masters]
master1  ansible_host=10.10.10.2 openshift_ip=10.10.10.2 openshift_public_ip=10.10.10.2 openshift_hostname=10.10.10.2 openshift_public_hostname=10.10.10.2
master2  ansible_host=10.10.10.1 openshift_ip=10.10.10.1 openshift_public_ip=10.10.10.1 openshift_hostname=10.10.10.1 openshift_public_hostname=10.10.10.1
master3  ansible_host=10.10.10.9 openshift_ip=10.10.10.9 openshift_public_ip=10.10.10.9 openshift_hostname=10.10.10.9 openshift_public_hostname=10.10.10.9

Comment 13 Gaoyun Pei 2017-05-08 10:27:39 UTC

Verify this bug with openshift-ansible-3.4.82-1.git.0.c78ff1c.el7, after installation, all masters' certs were signed with correct ip address.

Comment 15 errata-xmlrpc 2017-05-17 17:39:21 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:1244

Note You need to log in before you can comment on or make changes to this bug.