Issue replacing Master API certificates in OpenShift 4
Issue
- API calls to the OCP cluster fail, sometimes intermittently, with:
  Error from server: Get "https://x.y.z.w:10250/containerLogs/openshift-kube-apiserver/kube-apiserver-ctl-2/kube-apiserver": x509: certificate signed by unknown authority
- The containerStatuses field for the failing kube-apiserver-ctl pods shows an error that the private key does not match the public key:
  I0422 21:06:51.680937 18 dynamic_serving_content.go:111] Loaded a new cert/key pair for "serving-cert::/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt::/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"
  I0422 21:06:51.681239 18 dynamic_serving_content.go:111] Loaded a new cert/key pair for "sni-serving-cert::/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.crt::/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey/tls.key"
  I0422 21:06:51.681701 18 dynamic_serving_content.go:111] Loaded a new cert/key pair for "sni-serving-cert::/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt::/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key"
  I0422 21:06:51.682182 18 dynamic_serving_content.go:111] Loaded a new cert/key pair for "sni-serving-cert::/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.crt::/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey/tls.key"
  I0422 21:06:51.682641 18 dynamic_serving_content.go:111] Loaded a new cert/key pair for "sni-serving-cert::/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.crt::/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey/tls.key"
  I0422 21:06:51.683152 18 dynamic_serving_content.go:111] Loaded a new cert/key pair for "sni-serving-cert::/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.crt::/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey/tls.key"
  Error: failed to load SNI cert and key: tls: private key does not match public key
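The "tls: private key does not match public key" message is produced by Go's crypto/tls when it loads a cert/key pair whose public key was not derived from the supplied private key, which is what a partially replaced secret (new tls.crt beside the old tls.key, or the reverse) looks like. The Go program below is an added example, not Red Hat's or the kube-apiserver's code: it runs the same tls.X509KeyPair check over the tls.crt/tls.key files in the secret directories named in the log (paths taken from the log lines; the self-signed pair it can generate is constructed test data) so a mismatch can be caught before the static pod is restarted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"time"
)

// SecretDirs are the serving-cert secret directories named in the log above.
var SecretDirs = []string{
	"/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey",
	"/etc/kubernetes/static-pod-certs/secrets/localhost-serving-cert-certkey",
	"/etc/kubernetes/static-pod-certs/secrets/external-loadbalancer-serving-certkey",
	"/etc/kubernetes/static-pod-certs/secrets/internal-loadbalancer-serving-certkey",
	"/etc/kubernetes/static-pod-resources/secrets/localhost-recovery-serving-certkey",
}
// CheckCertKeyPair runs the same crypto/tls loader the kube-apiserver uses; a mismatch fails with "tls: private key does not match public key".
func CheckCertKeyPair(certPEM, keyPEM []byte) error {
	_, err := tls.X509KeyPair(certPEM, keyPEM)
	return err
}
// NewSelfSignedPair returns a throwaway self-signed cert and key (constructed test data, not a cluster certificate) for exercising the check offline.
func NewSelfSignedPair(cn string) (certPEM, keyPEM []byte) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	keyDER, _ := x509.MarshalPKCS8PrivateKey(priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
}

func main() { // run on a control-plane node; "<nil>" means the pair matches
	for _, dir := range SecretDirs {
		crt, errC := os.ReadFile(dir + "/tls.crt")
		key, errK := os.ReadFile(dir + "/tls.key")
		if errC != nil || errK != nil {
			fmt.Printf("%s: unreadable: %v %v\n", dir, errC, errK)
			continue
		}
		fmt.Printf("%s: %v\n", dir, CheckCertKeyPair(crt, key))
	}
}
```

Any directory that reports the mismatch error is the one whose tls.crt and tls.key were not replaced together.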
Environment
- Red Hat OpenShift Container Platform (RHOCP) 4
- After replacing master API certificates or localhost-recovery-serving-certkey