Bug 1814747 - Clusters upgraded to a release supporting automated ca rotation but not unique ca serial may require manual intervention
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: service-ca
Version: 4.5
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: ---
Target Release: 4.4.0
Assignee: Stefan Schimanski
QA Contact: Wei Sun
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-03-18 15:41 UTC by Neelesh Agrawal
Modified: 2020-03-20 17:40 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1814390
Environment:
Last Closed: 2020-03-20 15:35:30 UTC
Target Upstream Version:
Embargoed:



Description Neelesh Agrawal 2020-03-18 15:41:09 UTC
+++ This bug was initially created as a clone of Bug #1814390 +++

Automated service CA rotation was initially released without a guarantee of a unique CA serial number due to the library code used to generate CAs using a fixed value. The lack of a unique serial number resulted in a broken chain of trust for non-golang clients such as curl [1].

If a cluster has been upgraded to a release supporting automated CA rotation but without the fix to ensure unique CA serials, the resulting CA configuration will break non-golang clients (e.g. curl) due to the chain of trust containing more than one certificate for the same issuer and serial. Fixing this CA configuration automatically will not be possible due to the requirement to restart affected services, so manual cert rotation [1] is likely the best option.

1: https://bugzilla.redhat.com/show_bug.cgi?id=1810036

--- Additional comment from Maru Newby on 2020-03-17 14:42:11 EDT ---

Corrected, manual cert rotation link: https://docs.openshift.com/container-platform/4.3/authentication/certificates/service-serving-certificate.html#manually-rotate-service-ca_service-serving-certificate
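The failure mode described in this bug is a trust bundle that contains more than one certificate with the same issuer and serial number. The following check is an added example, not code from the bug report or from the service-ca operator: it walks each certificate in a PEM bundle with a minimal DER reader, extracts the issuer Name and serialNumber from tbsCertificate, and reports any (issuer, serial) pair that appears more than once. The sample bundle at the bottom is constructed from unsigned stand-in certificates (only the leading tbsCertificate fields are real DER), and the issuer name `example-service-ca` is a placeholder, not the operator's actual CA name.

```python
import base64
import re

def _tlv(buf: bytes, pos: int = 0):
    """Minimal DER reader: (tag, value, total bytes consumed) for the element at pos."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:                       # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr += n
    return tag, buf[pos + hdr:pos + hdr + length], hdr + length

def issuer_and_serial(der: bytes):
    """(issuer Name DER, serial int) of a DER X.509 cert: Certificate -> tbsCertificate."""
    _, cert_body, _ = _tlv(der)             # Certificate SEQUENCE
    _, tbs, _ = _tlv(cert_body)             # tbsCertificate SEQUENCE
    pos = 0
    tag, _, used = _tlv(tbs)
    if tag == 0xA0:                         # optional explicit [0] version
        pos += used
    tag, serial, used = _tlv(tbs, pos)      # serialNumber INTEGER
    assert tag == 0x02, "expected INTEGER serialNumber"
    pos += used
    pos += _tlv(tbs, pos)[2]                # signature AlgorithmIdentifier, skipped
    return tbs[pos:pos + _tlv(tbs, pos)[2]], int.from_bytes(serial, "big", signed=True)

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def duplicate_issuer_serials(pem_bundle: bytes):
    """(issuer, serial) pairs seen more than once in a PEM bundle. A non-empty result is
    the condition under which OpenSSL-based clients such as curl fail to build the chain."""
    seen = {}
    for m in PEM_RE.finditer(pem_bundle):
        key = issuer_and_serial(base64.b64decode(b"".join(m.group(1).split())))
        seen[key] = seen.get(key, 0) + 1
    return [k for k, n in seen.items() if n > 1]

# --- constructed sample input (placeholder, unsigned stand-ins, not real certificates) ---
def _der(tag: int, body: bytes) -> bytes:
    return bytes([tag, len(body)]) + body    # short-form length is enough for the sample

def fake_cert(issuer_cn: bytes, serial: int) -> bytes:
    """Stand-in whose tbsCertificate prefix (version, serial, sigalg, issuer) is valid DER."""
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, issuer_cn))))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, bytes([serial]))
           + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")) + name)
    pem = base64.encodebytes(_der(0x30, _der(0x30, tbs)))
    return b"-----BEGIN CERTIFICATE-----\n" + pem + b"-----END CERTIFICATE-----\n"

# Two generations of one CA reusing serial 1 (the bug), plus one generation with a fresh serial.
SAMPLE_BUNDLE = fake_cert(b"example-service-ca", 1) * 2 + fake_cert(b"example-service-ca", 2)

if __name__ == "__main__":
    for issuer, serial in duplicate_issuer_serials(SAMPLE_BUNDLE):
        print(f"duplicate issuer+serial in bundle: serial={serial}")
```

On a real cluster the same function can be run over the contents of the service CA bundle ConfigMap; an empty result means the bundle does not exhibit the duplicate-serial condition this bug describes.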

