Bug 1752517 - openshift-ansible: openshift-logging/redeploy-certificates.yml failed to set new certificate in kibana route
Keywords:
Status: CLOSED DUPLICATE of bug 1739229
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Logging
Version: 3.11.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Noriko Hosoi
QA Contact: Anping Li
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-09-16 13:54 UTC by German Parente
Modified: 2019-09-18 08:46 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-09-18 08:46:44 UTC
Target Upstream Version:
Embargoed:


Attachments
redeploy certs logs (851.64 KB, text/plain)
2019-09-17 21:37 UTC, German Parente


Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 4420271 0 None None None 2019-09-17 14:30:27 UTC

Description German Parente 2019-09-16 13:54:01 UTC
Description of problem:

When we redeploy certificates for the logging component and the namespace is not "openshift-logging", the kibana route destinationCA is not replaced by the renewed certificate.



Version-Release number of selected component (if applicable): openshift-ansible 3.11.135



How reproducible:

- deploy logging in a different namespace, using:

openshift_logging_install_logging=true
_logging_namespace=logging
openshift_logging_elasticsearch_namespace=logging
openshift_logging_kibana_namespace=logging
openshift_logging_curator_namespace=logging
openshift_logging_fluentd_namespace=logging

- redeploy certificates.

Check the kibana service's redeployed CA:

 oc get svc logging-kibana
NAME             TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)   AGE
logging-kibana   ClusterIP   172.30.135.102   <none>        443/TCP   3h

openssl s_client -connect 172.30.135.102:443 -showcerts

 1 s:/CN=logging-signer-test
   i:/CN=logging-signer-test

openssl x509 -in <former cert> -noout -text 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=logging-signer-test
        Validity
            Not Before: Sep 16 10:42:57 2019 GMT
            Not After : Sep 14 10:42:58 2024 GMT
        Subject: CN=logging-signer-test


oc get route logging-kibana -o yaml | grep destinationCA -A18
      destinationCACertificate: |

openssl x509 -in /tmp/routekibana -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=logging-signer-test
        Validity
            Not Before: Aug 28 09:59:34 2019 GMT
            Not After : Aug 26 09:59:35 2024 GMT
        Subject: CN=logging-signer-test


Workaround:

Edit the route and replace destinationCACertificate with the redeployed one.
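
The comparison made by hand in the description above can be scripted. This is an added example, not part of the original report or of openshift-ansible; the function names, the leaf subject CN=kibana and the sample payloads are constructed, and it assumes the signer CA is the last certificate in the `-showcerts` output, as in the report.

```shell
#!/bin/sh
# Added example: detect a stale destinationCACertificate on the Kibana route.
# Both CAs in this report are CN=logging-signer-test with serial 1, so the
# check compares a digest of the certificate bytes rather than the names.

# SHA-256 of the DER bytes of certificate $1 (a number, or "last") on stdin.
# Accepts `oc get route -o yaml` and `openssl s_client -showcerts` output.
cert_sha256() {
    b64=$(awk -v want="${1:-last}" '
        /-----BEGIN CERTIFICATE-----/ { n++; body[n] = ""; inside = 1; next }
        /-----END CERTIFICATE-----/   { inside = 0; next }
        inside { gsub(/[ \t\r]/, ""); body[n] = body[n] $0 }
        END { if (want == "last") want = n; if (n > 0) print body[want] }')
    [ -n "$b64" ] || return 1          # no certificate found: fail, do not hash ""
    printf '%s' "$b64" | base64 -d | sha256sum | cut -d' ' -f1
}

# 0 = route CA is the CA the service presents, 1 = stale, 2 = missing input.
route_ca_is_current() {   # $1 = route YAML/PEM file, $2 = s_client output file
    route_fp=$(cert_sha256 1 < "$1") || return 2
    served_fp=$(cert_sha256 last < "$2") || return 2
    [ "$route_fp" = "$served_fp" ]
}

# Constructed stand-in for a PEM block; the payload is not a real certificate.
fake_pem() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' "$(printf '%s' "$1" | base64)" \
        '-----END CERTIFICATE-----'
}

# Constructed sample: service presents the renewed CA, route still has the old one.
demo() {
    d=$(mktemp -d)
    { echo ' 0 s:/CN=kibana'; fake_pem leaf
      echo ' 1 s:/CN=logging-signer-test'; fake_pem renewed-ca; } > "$d/served"
    { echo '      destinationCACertificate: |'
      fake_pem old-ca | sed 's/^/        /'; } > "$d/route"
    if route_ca_is_current "$d/route" "$d/served"; then echo current; else echo STALE; fi
    rm -rf "$d"
}
demo
```

On a cluster, save the output of the report's `oc get route logging-kibana -o yaml` and `openssl s_client -connect <service IP>:443 -showcerts` commands to two files and pass them as the first and second argument.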

Comment 6 German Parente 2019-09-17 21:37:23 UTC
Created attachment 1616008
redeploy certs logs

