Description of problem: The CA root certificate has validity longer than 2 years after tls rotation Version-Release number of selected component (if applicable): 4.6.0-0.nightly-2020-06-30-020342 How reproducible: Always Steps to Reproduce: 1.Add the following annotation to secret grpc-tls to trigger tls rotation monitoring.openshift.io/grpc-tls-forced-rotate 2.check validity of root cat.crt, it's longer than 2 years Validity Not Before: Jul 2 02:34:15 2020 GMT Not After : Jul 2 08:16:39 2022 GMT Actual results: Expected results: Additional info:
verified with payload 4.6.0-0.nightly-2020-07-25-091217 execute the following command and get validity openssl crl2pkcs7 -nocrl -certfile <(oc -n openshift-monitoring get secret grpc-tls -o jsonpath='{.data.ca\.crt}' | base64 -d) | openssl pkcs7 -print_certs -noout -text Validity Not Before: Jul 26 23:29:29 2020 GMT Not After : Jul 26 23:29:30 2022 GMT add annotations to secret grpc-tls to enable tls rotation annotations: monitoring.openshift.io/grpc-tls-forced-rotate: "true" execute the following command and get validity openssl crl2pkcs7 -nocrl -certfile <(oc -n openshift-monitoring get secret grpc-tls -o jsonpath='{.data.ca\.crt}' | base64 -d) | openssl pkcs7 -print_certs -noout -text Validity Not Before: Jul 27 08:40:59 2020 GMT Not After : Jul 27 08:41:00 2022 GMT
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:4196