https://github.com/openshift/openshift-ansible/pull/4431
Test with openshift-ansible-3.2.58-1.git.0.f2dce3a.el7, redeploy CA playbook failed as:

PLAY [Validate configuration for rolling restart] ******************************

TASK [setup] *******************************************************************
fatal: [ec2-54-174-141-248.compute-1.amazonaws.com]: FAILED! => {"failed": true, "msg": "The conditional check '('expired' not in hostvars | oo_select_keys(groups['oo_masters_to_config']) | oo_collect('check_results.check_results.ocp_certs') | oo_collect('health', {'path':hostvars[groups.oo_first_master.0].openshift.common.config_base ~ \"/master/master.server.crt\"})) and ('expired' not in hostvars | oo_select_keys(groups['oo_masters_to_config']) | oo_collect('check_results.check_results.ocp_certs') | oo_collect('health', {'path':hostvars[groups.oo_first_master.0].openshift.common.config_base ~ \"/master/ca-bundle.crt\"}))' failed. The error was: 'list' object has no attribute 'get'"}
	to retry, use: --limit @/root/work/redeploy_cert/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-openshift-ca.retry
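The failure above is a shape mismatch: each master's ocp_certs check result is a list of entries, and the second oo_collect call treats the per-host value as a dict, so .get() is called on a list. The following is an added example that reconstructs the check in plain Python; it is not openshift-ansible's own oo_collect filter (whose internals are not on this page). The host names, the check-result sample, and the /etc/origin value for openshift.common.config_base are constructed for illustration.

```python
"""Collect certificate health across masters before a rolling restart.

Added example, not openshift-ansible code. The HOSTVARS sample is constructed
to mirror the nested-list shape that produced
"'list' object has no attribute 'get'" in the playbook output above.
"""
from typing import Any, Dict, Iterator, List

# Constructed sample of hostvars for two masters (not real hosts).
HOSTVARS: Dict[str, Any] = {
    "master1.example.com": {
        "check_results": {"check_results": {"ocp_certs": [
            {"path": "/etc/origin/master/master.server.crt", "health": "ok"},
            {"path": "/etc/origin/master/ca-bundle.crt", "health": "warning"},
        ]}},
    },
    "master2.example.com": {
        "check_results": {"check_results": {"ocp_certs": [
            {"path": "/etc/origin/master/master.server.crt", "health": "expired"},
            {"path": "/etc/origin/master/ca-bundle.crt", "health": "ok"},
        ]}},
    },
}
MASTERS = ["master1.example.com", "master2.example.com"]


def dig(data: Any, dotted: str) -> Any:
    """Walk a dotted key path through nested dicts; missing keys yield {}."""
    for key in dotted.split("."):
        data = data.get(key, {}) if isinstance(data, dict) else {}
    return data


def flatten(items: List[Any]) -> Iterator[Any]:
    """Yield leaf values from arbitrarily nested lists."""
    for item in items:
        if isinstance(item, list):
            yield from flatten(item)
        else:
            yield item


def naive_collect(per_host: List[Any], key: str) -> List[Any]:
    """The buggy pattern: assumes every per-host value is a dict.
    With a list per host this raises AttributeError, as in the traceback."""
    return [value.get(key) for value in per_host]


def collect_health(hostvars: Dict[str, Any], hosts: List[str], path: str) -> List[str]:
    """Return the 'health' of every cert entry matching `path` across hosts.
    Per-host values are lists, so they are flattened before filtering."""
    per_host = [dig(hostvars[h], "check_results.check_results.ocp_certs") for h in hosts]
    return [
        entry["health"]
        for entry in flatten(per_host)
        if isinstance(entry, dict) and entry.get("path") == path
    ]


def restart_is_safe(hostvars: Dict[str, Any], hosts: List[str],
                    config_base: str = "/etc/origin") -> bool:
    """Mirror the playbook conditional: only restart when no master reports
    an expired server cert or CA bundle. config_base is an assumed value."""
    for cert in ("master/master.server.crt", "master/ca-bundle.crt"):
        if "expired" in collect_health(hostvars, hosts, f"{config_base}/{cert}"):
            return False
    return True


def naive_error_name() -> str:
    """Show the failure mode of naive_collect on the constructed sample."""
    per_host = [dig(HOSTVARS[h], "check_results.check_results.ocp_certs") for h in MASTERS]
    try:
        naive_collect(per_host, "health")
    except AttributeError as exc:
        return type(exc).__name__
    return "no error"


if __name__ == "__main__":
    print("naive collect:", naive_error_name())
    print("server cert health:", collect_health(HOSTVARS, MASTERS, "/etc/origin/master/master.server.crt"))
    print("safe to restart:", restart_is_safe(HOSTVARS, MASTERS))
```

The point for an operator is the same one the playbook enforces: the restart decision must see every master's result, so the collector has to flatten per-host lists rather than assume one dict per host, and a single "expired" on any master is enough to skip the restart.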
https://github.com/openshift/openshift-ansible/pull/4465
Test with openshift-ansible-3.2.60-1.git.0.f082225.el7.noarch

When openshift certs have expired, run the openshift CA cert redeployment playbook:
ansible-playbook -i host /usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-openshift-ca.yml

The redeploy openshift CA playbook will skip restarting the master/node service since an expired cert is detected.

The redeploy etcd CA playbook is blocked by BZ#1463775 now; will verify it once BZ#1463775 is fixed.
Verify this bug with openshift-ansible-3.2.61-1.git.0.4bf0fd2.el7.noarch

When openshift certs have expired, redeploy the openshift CA cert:
ansible-playbook -i host /usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-openshift-ca.yml

The redeploy openshift CA playbook will update the openshift CA cert and skip restarting the master/node service since an expired cert is detected.

Redeploy the etcd CA cert:
ansible-playbook -i host /usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-etcd-ca.yml

The redeploy openshift CA playbook will update the etcd CA cert and skip restarting the etcd/master service since an expired cert is detected.

Redeploy openshift certs next:
ansible-playbook -i host /usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-certificates.yml

This playbook will generate new certs and restart the etcd/master/docker/node services. Then all the certs were replaced by new certs, and the ocp env works well again.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1666