Bug 1440309 - [3.4] Post-install, master certs signed for wrong name
Summary: [3.4] Post-install, master certs signed for wrong name
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.4.1
Hardware: Unspecified
OS: Unspecified
unspecified
urgent
Target Milestone: ---
: 3.4.z
Assignee: Scott Dodson
QA Contact: Gaoyun Pei
URL:
Whiteboard:
Depends On:
Blocks: 1447398 1447399
TreeView+ depends on / blocked
 
Reported: 2017-04-07 21:05 UTC by Steven Walter
Modified: 2017-12-19 06:51 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
In multi-master environments if ansible_host and openshift_hostname values differ and ansible sorts one of the lists differently from the other then the CA Host may be the first master but it was still signing the initial certificates with the hostnames of the first master. By ensuring that we use the hostnames of the CA Host when creating the certificate authority we ensure that the certificates are signed with the correct hostnames even if the two lists are sorted differently.
Clone Of:
: 1447398 1447399 (view as bug list)
Environment:
Last Closed: 2017-05-17 17:39:21 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:1244 normal SHIPPED_LIVE Important: ansible and openshift-ansible security and bug fix update 2017-05-25 21:43:49 UTC

Description Steven Walter 2017-04-07 21:05:05 UTC
Description of problem:
After running install, the certs on one of 3 masters is signed for the wrong ip address (the ip address of a separate master)

Version-Release number of selected component (if applicable):
3.4

How reproducible:
Unconfirmed

Comment 6 Scott Dodson 2017-04-07 22:35:14 UTC
Proposed fix here https://github.com/openshift/openshift-ansible/pull/3885

Comment 11 Scott Dodson 2017-05-02 15:52:36 UTC
Example where ansible_host sorts differently from openshift_hostname, in this case oo_first_master will be master1 but openshift_ca will be master2 :

[masters]
master1  ansible_host=10.10.10.2 openshift_ip=10.10.10.2 openshift_public_ip=10.10.10.2 openshift_hostname=10.10.10.2 openshift_public_hostname=10.10.10.2
master2  ansible_host=10.10.10.1 openshift_ip=10.10.10.1 openshift_public_ip=10.10.10.1 openshift_hostname=10.10.10.1 openshift_public_hostname=10.10.10.1
master3  ansible_host=10.10.10.9 openshift_ip=10.10.10.9 openshift_public_ip=10.10.10.9 openshift_hostname=10.10.10.9 openshift_public_hostname=10.10.10.9

Comment 13 Gaoyun Pei 2017-05-08 10:27:39 UTC
Verify this bug with openshift-ansible-3.4.82-1.git.0.c78ff1c.el7, after installation, all masters' certs were signed with correct ip address.

Comment 15 errata-xmlrpc 2017-05-17 17:39:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:1244


Note You need to log in before you can comment on or make changes to this bug.