
Re: origin 1.2 bad certificate



more clues

etcd nodes have two IPs, public and private

for some reason OpenShift is creating the certificates using the public IP instead of the private one

so connecting to etcd gives me an error saying the certificate is generated for this IP and not for that IP

so it fails for that reason after re generating them

any clue ?

best regards



On 13 Jun 2017, at 13:53, Julio Saura <jsaura hiberus com> wrote:

more info

i managed to connect with curl to the etcd server and queried about controller keys

{"action":"get","node":{"key":"/openshift.io/leases/controllers","value":"master-lyy7bxfg","expiration":"2017-05-31T10:26:28.833756573Z","ttl":-1128220,"modifiedIndex":20547532,"createdIndex":18120566}


it looks like what is expired is the key in the etcd database..

how can i solve this?

best regards



On 13 Jun 2017, at 13:46, Julio Saura <jsaura hiberus com> wrote:

sorry about wget

connecting to etcd nodes using openssl and passing client certs looks good

openssl s_client -cert master.etcd-client.crt  -key master.etcd-client.key -connect etcd-node1:2379 -debug

connects without problem

but api service does not


Jun 13 15:25:04 openshift-master01 origin-master-controllers: E0613 15:25:04.997861    2391 leaderlease.go:69] unable to check lease openshift.io/leases/controllers: 501: All the given peers are not reachable (failed to propose on members [https://etcd-node02l:2379 https:/etcd-node01:2379] twice [last error: Put https://etcd-node02:2379/v2/keys/openshift.io/leases/controllers?prevExist=false: remote error: bad certificate


Julio Saura Alejandre
Head of Managed Services
hiberus TRAVEL
Tel.: + 34 902 87 73 92 Ext. 659
Parque Empresarial PLAZA
Edificio EXPOINNOVACIÓN
C/. Bari 25 Duplicado, Escalera 1, Planta 2ª. 50197 Zaragoza


On 13 Jun 2017, at 13:28, Julio Saura <jsaura hiberus com> wrote:

Hello

i have a problem in a 1.2.0 cluster with etcd ca and certificates, mainly they did expire

i followed the doc regarding this and after updating my openshift-ansible i got the needed playbook

after running them i see etcd certs and ca are updated on my nodes, and dumping them with openssl looks good.

ansible-playbook -v -i /etc/ansible/hosts ./playbooks/byo/openshift-cluster/redeploy-certificates.yml

i see the ca and certs have been updated nicely on my etcd nodes, they do start but i still get bad certificate when api/master tries to connect to etcd

i did check connecting with wget for example but it says bad certificate

OpenSSL: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate

any clue? my cluster is down right now :/

best regards
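
One way to check the public-versus-private IP mismatch described in the latest message, together with the expiry that started the thread: list the IP subjectAltNames of a certificate and test whether they cover the address the master dials. This is an added example, not part of the original thread or of openshift-ansible; the function names and the sample addresses (203.0.113.10 as "public", 10.0.0.5 as "private") are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a certificate's expiry and IP SANs with openssl.

# cert_ip_sans FILE: print each IP subjectAltName in the certificate, one per line.
cert_ip_sans() {
    openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Subject Alternative Name/ { getline; print }' |
        tr ',' '\n' |
        sed -n 's/^ *IP Address:\(.*\)$/\1/p'
}

# cert_covers_ip FILE IP: return 0 only if the certificate is unexpired
# and lists IP among its SANs; 2 means expired, 1 means IP not covered.
cert_covers_ip() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null ||
        { echo "expired: $1"; return 2; }
    cert_ip_sans "$1" | grep -Fxq "$2" && return 0
    echo "$2 not in IP SANs of $1 (has: $(cert_ip_sans "$1" | tr '\n' ' '))"
    return 1
}

# make_sample_cert OUT IP: constructed test input, a throwaway self-signed
# certificate whose only SAN is IP (stands in for a regenerated etcd cert).
make_sample_cert() {
    cnf=$(mktemp); key=$(mktemp)
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3' \
        'prompt=no' '[dn]' 'CN=etcd-node1' '[v3]' \
        "subjectAltName=IP:$2" > "$cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$cnf" \
        -keyout "$key" -out "$1" 2>/dev/null
    rm -f "$cnf" "$key"
}

# Demo on constructed input: certificate issued for the public address,
# while the client connects to the private one.
tmp=$(mktemp)
make_sample_cert "$tmp" 203.0.113.10
cert_covers_ip "$tmp" 203.0.113.10 && echo "public IP: covered"
cert_covers_ip "$tmp" 10.0.0.5 || echo "private IP: not covered"
rm -f "$tmp"
```

Run `cert_covers_ip` against each regenerated etcd server certificate with the address that appears in the master's etcd URLs; a result of 1 means the certificate has to be reissued with that address in its SAN list.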




