Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1815604

Summary: Clusters upgraded to 4.2.22 may require manual service CA rotation
Product: OpenShift Container Platform
Reporter: Maru Newby <mnewby>
Component: service-ca
Assignee: Maru Newby <mnewby>
Status: CLOSED WONTFIX
QA Contact: Wei Sun <wsun>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 4.2.z
CC: aos-bugs, dmoessne, mfojtik, nagrawal, wsun
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1814390
Environment:
Last Closed: 2020-03-24 00:41:08 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Maru Newby 2020-03-20 17:10:06 UTC
+++ This bug was initially created as a clone of Bug #1814390 +++

tl;dr This BZ is intended to communicate how to resolve service CA TLS issues exhibited on a 4.2.22 cluster. No automated fix is possible. Manual service CA rotation [1] will resolve the problem. 

---------

Automated service CA rotation was released in 4.2.22 without a guarantee of a unique CA serial number, due to the library code used to generate CAs using a fixed value. The lack of a unique serial number resulted in a broken chain of trust for non-golang clients such as curl [2].

If a cluster has been upgraded to 4.2.22, the resulting CA configuration will break non-golang clients (e.g. curl) due to the chain of trust containing more than one certificate for the same issuer and serial. Fixing this CA configuration automatically will not be possible due to the requirement to restart affected services, so manual cert rotation [1] is the suggested fix.

1: https://docs.openshift.com/container-platform/4.3/authentication/certificates/service-serving-certificate.html#manually-rotate-service-ca_service-serving-certificate
2: https://bugzilla.redhat.com/show_bug.cgi?id=1810036
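
The issuer/serial collision the report describes, as an added example that is not part of the bug report or of the OpenShift service-ca code: it builds a two-certificate trust bundle the way a rotation leaves the old and new signer side by side, gives both signers the same fixed serial, and then scans the bundle for an (issuer, serial) pair shared by distinct certificates, which is what a strict RFC 5280 verifier such as the ones behind curl objects to. The signer name, the serial values and the key type are constructed assumptions; the check itself can be run unchanged over the PEM bundle extracted from a real cluster.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// signerName stands in for the service CA subject (constructed value,
// not taken from a cluster).
const signerName = "openshift-service-serving-signer"

// newCA returns a self-signed CA certificate (PEM) with the given serial.
// A fixed serial on every call mimics the library behaviour the report
// describes.
func newCA(serial int64) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: signerName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// BuildBundle concatenates an old and a new signer certificate, as a
// rotation leaves them in the trust bundle. Each call generates a fresh
// key, so the two certificates are distinct even when the serials match.
func BuildBundle(oldSerial, newSerial int64) ([]byte, error) {
	oldSigner, err := newCA(oldSerial)
	if err != nil {
		return nil, err
	}
	newSigner, err := newCA(newSerial)
	if err != nil {
		return nil, err
	}
	return append(oldSigner, newSigner...), nil
}

// DuplicateIssuerSerial parses a PEM bundle and reports every
// (issuer, serial) pair carried by more than one distinct certificate.
// Exact byte-for-byte duplicates of one certificate are not reported,
// since they do not create two different certificates for one identity.
func DuplicateIssuerSerial(bundle []byte) ([]string, error) {
	seen := map[string]map[[32]byte]bool{}
	var order []string
	rest := bundle
	for {
		block, r := pem.Decode(rest)
		if block == nil {
			break
		}
		rest = r
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		key := fmt.Sprintf("issuer=%q serial=%s", cert.Issuer.String(), cert.SerialNumber.String())
		if seen[key] == nil {
			seen[key] = map[[32]byte]bool{}
			order = append(order, key)
		}
		seen[key][sha256.Sum256(cert.Raw)] = true
	}
	var dups []string
	for _, k := range order {
		if n := len(seen[k]); n > 1 {
			dups = append(dups, fmt.Sprintf("%s: %d distinct certificates", k, n))
		}
	}
	return dups, nil
}

func main() {
	bundle, err := BuildBundle(1, 1) // same fixed serial on both signers
	if err != nil {
		panic(err)
	}
	dups, err := DuplicateIssuerSerial(bundle)
	if err != nil {
		panic(err)
	}
	if len(dups) == 0 {
		fmt.Println("bundle OK: issuer+serial unique")
		return
	}
	fmt.Println("bundle needs manual service CA rotation:")
	for _, d := range dups {
		fmt.Println("  " + d)
	}
}
```

Go's own verifier builds chains by subject and key rather than by issuer and serial, so a Go client keeps working against such a bundle; that is why the report only sees the breakage in non-golang clients. A manual rotation as in [1] produces a new signer, and the check above should then report no duplicates once the stale signer has been dropped from the bundle.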

Comment 1 Maru Newby 2020-03-24 00:41:08 UTC
Closing since the issue is not actionable.