Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 1440309 - [3.4] Post-install, master certs signed for wrong name
[3.4] Post-install, master certs signed for wrong name
Status: CLOSED ERRATA
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer (Show other bugs)
3.4.1
Unspecified Unspecified
unspecified Severity urgent
: ---
: 3.4.z
Assigned To: Scott Dodson
Gaoyun Pei
:
Depends On:
Blocks: 1447398 1447399
  Show dependency treegraph
 
Reported: 2017-04-07 17:05 EDT by Steven Walter
Modified: 2017-12-19 01:51 EST (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
In multi-master environments if ansible_host and openshift_hostname values differ and ansible sorts one of the lists differently from the other then the CA Host may be the first master but it was still signing the initial certificates with the hostnames of the first master. By ensuring that we use the hostnames of the CA Host when creating the certificate authority we ensure that the certificates are signed with the correct hostnames even if the two lists are sorted differently.
Story Points: ---
Clone Of:
: 1447398 1447399 (view as bug list)
Environment:
Last Closed: 2017-05-17 13:39:21 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:1244 normal SHIPPED_LIVE Important: ansible and openshift-ansible security and bug fix update 2017-05-25 17:43:49 EDT

  None (edit)
Description Steven Walter 2017-04-07 17:05:05 EDT 
Description of problem:
After running install, the certs on one of 3 masters is signed for the wrong ip address (the ip address of a separate master)

Version-Release number of selected component (if applicable):
3.4

How reproducible:
Unconfirmed
Comment 6 Scott Dodson 2017-04-07 18:35:14 EDT 
Proposed fix here https://github.com/openshift/openshift-ansible/pull/3885
Comment 11 Scott Dodson 2017-05-02 11:52:36 EDT 
Example where ansible_host sorts differently from openshift_hostname, in this case oo_first_master will be master1 but openshift_ca will be master2 :

[masters]
master1  ansible_host=10.10.10.2 openshift_ip=10.10.10.2 openshift_public_ip=10.10.10.2 openshift_hostname=10.10.10.2 openshift_public_hostname=10.10.10.2
master2  ansible_host=10.10.10.1 openshift_ip=10.10.10.1 openshift_public_ip=10.10.10.1 openshift_hostname=10.10.10.1 openshift_public_hostname=10.10.10.1
master3  ansible_host=10.10.10.9 openshift_ip=10.10.10.9 openshift_public_ip=10.10.10.9 openshift_hostname=10.10.10.9 openshift_public_hostname=10.10.10.9
Comment 13 Gaoyun Pei 2017-05-08 06:27:39 EDT 
Verify this bug with openshift-ansible-3.4.82-1.git.0.c78ff1c.el7, after installation, all masters' certs were signed with correct ip address.
Comment 15 errata-xmlrpc 2017-05-17 13:39:21 EDT 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:1244
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.