Bug 1615025 - master-api can't find named certificates
Summary: master-api can't find named certificates
Keywords:
Status: CLOSED DUPLICATE of bug 1615026
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.10.0
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: ---
Assignee: Scott Dodson
QA Contact: Johnny Liu
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2018-08-11 14:17 UTC by Borja Aranda
Modified: 2018-08-15 13:42 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-08-15 13:29:02 UTC
Target Upstream Version:
Embargoed:



Description Borja Aranda 2018-08-11 14:17:33 UTC
Description of problem:
After redeploy_certs.yaml with openshift_master_named_certificates set, the named certificates are stored in /etc/origin/master/named_certificates.

Once the named certs are placed in there, I configured the masters as in [0]

~~~
namedCertificates:
    - certFile: webconsole.crt
      keyFile: webconsole.key
      names:
        - "openshift.mordor.lab.rdu2.cee.redhat.com"
~~~

After a restart, api and controller can't find them:
~~~
servingInfo.namedCertificates[0].certFile: Invalid value: "/etc/origin/master/webconsole.crt": could not read file: stat /etc/origin/master/webconsole.crt: no such file or directory

servingInfo.namedCertificates[0].keyFile: Invalid value: "/etc/origin/master/webconsole.key": could not read file: stat /etc/origin/master/webconsole.key: no such file or directory
~~~

So, the obvious workaround which makes everything work is:
~~~
namedCertificates:
    - certFile: /etc/origin/master/named_certificates/webconsole.crt
      keyFile: /etc/origin/master/named_certificates/webconsole.key
      names:
        - "openshift.mordor.lab.rdu2.cee.redhat.com"
~~~

I'm not sure if this is a bug in the playbook, in the docs [0], or in how the master looks for the named certs [1].

Version-Release number of the following components:
openshift-ansible-3.10.21-1.git.0.6446011.el7.noarch

How reproducible:
Always

Steps to Reproduce:
1. Install a cluster with self-signed cert
2. redeploy_certs.yaml with openshift_master_named_certificates pointing to your custom certs
3. /etc/origin/master/named_certificates is created with the named certs in there
4. configure master-url as in [0]
5. restart api and controllers

References:

[0] https://docs.openshift.com/container-platform/3.10/install_config/certificate_customization.html#configuring-custom-certificates-lb
[1] https://github.com/openshift/origin/blob/0abb4285b8ead354f1d0186eae1c133269852fc9/pkg/cmd/server/apis/config/helpers.go#L52-L55
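The report shows that a bare `certFile: webconsole.crt` is resolved against the master config directory (`/etc/origin/master/webconsole.crt`), while the redeploy playbook puts the files one level down in `named_certificates/`. The following is an added example, not code from the bug report, openshift-ansible or origin: a small pre-flight check that resolves each `certFile`/`keyFile` under `servingInfo.namedCertificates` the same way, reports the entries whose files do not exist in the same wording as the master's validation error, and points at the copy under `named_certificates/` when one is there. The temporary directory, the placeholder certificate files and the two configurations are constructed for the demo; the `named_certificates` sub-directory name and the sample hostname come from the report.

```python
import os
import tempfile

# Layout described in the bug report: master-config.yaml lives in
# /etc/origin/master and the redeploy playbook writes the custom certs to
# /etc/origin/master/named_certificates. Only the sub-directory name is assumed.
NAMED_CERT_SUBDIR = "named_certificates"


def resolve_path(raw, config_dir):
    """Relative certFile/keyFile values are resolved against the directory that
    holds master-config.yaml, which is what the report's error message shows:
    'webconsole.crt' became '/etc/origin/master/webconsole.crt'."""
    return raw if os.path.isabs(raw) else os.path.join(config_dir, raw)


def check_named_certificates(config, config_dir):
    """Return one finding per missing certFile/keyFile, worded like the master's
    own validation error, plus a suggested absolute path when the file turns out
    to exist under the named_certificates sub-directory."""
    findings = []
    entries = config.get("servingInfo", {}).get("namedCertificates") or []
    for index, entry in enumerate(entries):
        for key in ("certFile", "keyFile"):
            field = f"servingInfo.namedCertificates[{index}].{key}"
            raw = entry.get(key)
            if not raw:
                findings.append({"field": field, "path": None, "suggestion": None,
                                 "message": f"{field}: Required value"})
                continue
            path = resolve_path(raw, config_dir)
            if os.path.isfile(path):
                continue
            candidate = os.path.join(config_dir, NAMED_CERT_SUBDIR, os.path.basename(raw))
            findings.append({
                "field": field,
                "path": path,
                "suggestion": candidate if os.path.isfile(candidate) else None,
                "message": f'{field}: Invalid value: "{path}": could not read file',
            })
    return findings


def demo():
    """Constructed scenario mirroring the report: the certs exist only under
    named_certificates/, the first config uses bare file names (fails), the
    second uses the absolute paths from the workaround (passes)."""
    with tempfile.TemporaryDirectory() as config_dir:
        cert_dir = os.path.join(config_dir, NAMED_CERT_SUBDIR)
        os.mkdir(cert_dir)
        for name in ("webconsole.crt", "webconsole.key"):
            with open(os.path.join(cert_dir, name), "w") as fh:
                fh.write("placeholder, not a real certificate\n")  # constructed

        names = ["openshift.mordor.lab.rdu2.cee.redhat.com"]
        broken = {"servingInfo": {"namedCertificates": [
            {"certFile": "webconsole.crt", "keyFile": "webconsole.key", "names": names}]}}
        fixed = {"servingInfo": {"namedCertificates": [
            {"certFile": os.path.join(cert_dir, "webconsole.crt"),
             "keyFile": os.path.join(cert_dir, "webconsole.key"), "names": names}]}}

        broken_findings = check_named_certificates(broken, config_dir)
        fixed_findings = check_named_certificates(fixed, config_dir)
        return {"broken": broken_findings, "fixed": fixed_findings,
                "suggestions": [f["suggestion"] is not None for f in broken_findings]}


if __name__ == "__main__":
    report = demo()
    for finding in report["broken"]:
        print(finding["message"])
        if finding["suggestion"]:
            print(f"  -> file exists at {finding['suggestion']}; use that absolute path")
    print("after fix:", "ok" if not report["fixed"] else report["fixed"])
```

On a real master the `config` dict would come from `yaml.safe_load()` of `/etc/origin/master/master-config.yaml` (PyYAML) and `config_dir` would be `/etc/origin/master`; running the check before restarting the api and controllers catches the path mismatch while the old serving certificate is still in place.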

Comment 1 Scott Dodson 2018-08-15 13:29:02 UTC
This is just a permutation of Bug 1454478, root cause is that we're not updating master config with named certificates when running the re-deploy playbooks after changing the inventory inputs.

*** This bug has been marked as a duplicate of bug 1454478 ***

Comment 2 Scott Dodson 2018-08-15 13:42:52 UTC

*** This bug has been marked as a duplicate of bug 1615026 ***

