Bug 1853250 - The CA root certificate has validity longer than 2 years after tls rotation
Summary: The CA root certificate has validity longer than 2 years after tls rotation
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Monitoring
Version: 4.6
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
: 4.6.0
Assignee: Sergiusz Urbaniak
QA Contact: hongyan li
URL:
Whiteboard:
Depends On:
Blocks: 1853253
TreeView+ depends on / blocked
 
Reported: 2020-07-02 09:09 UTC by hongyan li
Modified: 2020-10-27 16:12 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1853253 (view as bug list)
Environment:
Last Closed: 2020-10-27 16:11:47 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift cluster-monitoring-operator pull 866 0 None closed Bug 1853250: pkg/manifests: update notBefore on cert renewal 2020-08-03 01:43:40 UTC
Red Hat Product Errata RHBA-2020:4196 0 None None None 2020-10-27 16:12:07 UTC

Description hongyan li 2020-07-02 09:09:38 UTC
Description of problem:
The CA root certificate has validity longer than 2 years after tls rotation


Version-Release number of selected component (if applicable):
 4.6.0-0.nightly-2020-06-30-020342

How reproducible:
Always

Steps to Reproduce:
1.Add the following annotation to secret grpc-tls to trigger tls rotation
 monitoring.openshift.io/grpc-tls-forced-rotate
2.check validity of root cat.crt, it's longer than 2 years
          Validity
           Not Before: Jul 2 02:34:15 2020 GMT
            Not After : Jul 2 08:16:39 2022 GMT

Actual results:


Expected results:


Additional info:

Comment 4 hongyan li 2020-07-27 08:45:44 UTC
verified with payload 4.6.0-0.nightly-2020-07-25-091217

execute the following command and get validity 
openssl crl2pkcs7 -nocrl -certfile <(oc -n openshift-monitoring get secret grpc-tls -o jsonpath='{.data.ca\.crt}' | base64 -d) | openssl pkcs7 -print_certs -noout -text

        Validity
            Not Before: Jul 26 23:29:29 2020 GMT
            Not After : Jul 26 23:29:30 2022 GMT


add annotations to secret grpc-tls to enable tls rotation
annotations:
     monitoring.openshift.io/grpc-tls-forced-rotate: "true"

execute the following command and get validity 
openssl crl2pkcs7 -nocrl -certfile <(oc -n openshift-monitoring get secret grpc-tls -o jsonpath='{.data.ca\.crt}' | base64 -d) | openssl pkcs7 -print_certs -noout -text

        Validity
            Not Before: Jul 27 08:40:59 2020 GMT
            Not After : Jul 27 08:41:00 2022 GMT

Comment 6 errata-xmlrpc 2020-10-27 16:11:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196


Note You need to log in before you can comment on or make changes to this bug.