After upgrading cluster to OpenShift 4.3.5, service-ca certificates not trusted because of invalid service CA being created

Solution Verified

Issue

  • On a cluster that is upgraded to 4.3, automated service CA rotation is enabled, but it does not ensure unique CA serial numbers. This can lead to a failure in all workloads that use non-Go SSL network clients that rely on the service CA to communicate with the platform or with each other.
  • After upgrading the cluster, using curl to check HTTPS endpoints reports the error "You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert."
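The curl message above is what a client sees when a trust bundle holds two different certificates that share an issuer name and a serial number. The following Python script is an added example, not Red Hat tooling or part of this article: it parses every certificate in a PEM bundle, groups them by (issuer, serial) and reports groups whose members have different SHA-256 fingerprints. The parser follows the X.509 TBSCertificate layout directly (no third-party library), so it works on a real service CA bundle as well; the certificates embedded below are constructed skeletons (unsigned, with a placeholder body after the issuer) whose issuer CN merely imitates the service CA signer, and the KEY_A/KEY_B bytes are invented.

```python
import base64
import hashlib
import re
from collections import defaultdict

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: bytes) -> list:
    """Return the DER body of every CERTIFICATE block in a PEM bundle."""
    return [base64.b64decode(b"".join(m.group(1).split())) for m in PEM_RE.finditer(pem)]


def read_tlv(buf: bytes, pos: int):
    """Decode one DER element at pos; return (tag, contents, end offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long form: next n bytes carry the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def issuer_and_serial(der: bytes):
    """Walk Certificate -> TBSCertificate and return (issuer Name DER, serial)."""
    _, cert, _ = read_tlv(der, 0)                  # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)                  # TBSCertificate SEQUENCE
    pos = 0
    tag, _, nxt = read_tlv(tbs, pos)
    if tag == 0xA0:                                # optional [0] EXPLICIT version
        pos = nxt
    tag, serial_bytes, pos = read_tlv(tbs, pos)   # serialNumber INTEGER
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    serial = int.from_bytes(serial_bytes, "big", signed=True)
    _, _, pos = read_tlv(tbs, pos)                 # signature AlgorithmIdentifier (skipped)
    start = pos
    _, _, end = read_tlv(tbs, pos)                 # issuer Name; keep raw DER for exact comparison
    return tbs[start:end], serial


def find_serial_collisions(pem_bundle: bytes) -> dict:
    """Group certs by (issuer, serial); return the groups that contain different certs.

    Same issuer and serial but different fingerprints is exactly the condition
    that produces the "same issuer/serial ... not the same cert" client error.
    """
    groups = defaultdict(set)
    for der in pem_to_der(pem_bundle):
        issuer, serial = issuer_and_serial(der)
        groups[(issuer, serial)].add(hashlib.sha256(der).hexdigest())
    return {key: sorted(fps) for key, fps in groups.items() if len(fps) > 1}


# ---- constructed sample certificates (not real cluster data) ----------------

def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV, using the long length form when the content exceeds 127 bytes."""
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def der_int(value: int) -> bytes:
    """Minimal positive DER INTEGER (a leading 0x00 is added when the top bit is set)."""
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def fake_cert(issuer_cn: str, serial: int, key_material: bytes) -> bytes:
    """Unsigned certificate skeleton with a correct TBS prefix, built only to exercise the parser."""
    cn_attr = der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, issuer_cn.encode()))  # CN=<issuer_cn>
    name = der(0x30, der(0x31, cn_attr))                                              # Name: SEQUENCE OF SET
    sig_alg = der(0x30, der(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B"))           # sha256WithRSAEncryption
    tbs = der(0x30, der(0xA0, der_int(2)) + der_int(serial) + sig_alg + name
              + der(0x30, key_material))                   # placeholder for the rest of the TBS
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00"))   # empty BIT STRING instead of a signature


def to_pem(der_bytes: bytes) -> str:
    b64 = base64.b64encode(der_bytes).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


SIGNER = "openshift-service-serving-signer"      # CN modelled on the service CA; sample only
KEY_A = hashlib.sha256(b"key-A").digest() * 4     # invented key bytes, long enough to force long-form lengths
KEY_B = hashlib.sha256(b"key-B").digest() * 4

# Constructed bundle: pre-rotation CA (serial 1), rotated CA reusing serial 1 with a
# different key (the collision), an exact duplicate of the first CA (harmless), and an
# unrelated cert with a unique serial.
SAMPLE_BUNDLE = "".join([
    to_pem(fake_cert(SIGNER, 1, KEY_A)),
    to_pem(fake_cert(SIGNER, 1, KEY_B)),
    to_pem(fake_cert(SIGNER, 1, KEY_A)),
    to_pem(fake_cert(SIGNER, 2, KEY_B)),
]).encode()

if __name__ == "__main__":
    for (issuer, serial), fps in find_serial_collisions(SAMPLE_BUNDLE).items():
        print(f"serial {serial} under one issuer maps to {len(fps)} different certificates: {fps}")
```

To check a cluster rather than the constructed sample, pass the bytes of the service CA bundle your workloads trust to find_serial_collisions(). An empty result means every (issuer, serial) pair identifies exactly one certificate; a non-empty result is the condition non-Go clients reject, and the safe fix is to trust only the current CA rather than to suppress the client error.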

Environment

  • Red Hat OpenShift Container Platform (OCP) 4.3.5
