After upgrading a cluster to OpenShift 4.3.5, service-ca certificates are not trusted because an invalid service CA is created
Issue
- On a cluster that is upgraded to 4.3, automated service CA rotation is enabled, but it does not ensure that the rotated CA gets a unique serial number. This can break every workload that uses a non-Go TLS client and relies on the service CA to talk to the platform or to other workloads.
- After upgrading the cluster, using curl to check HTTPS endpoints fails with the error: "You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert."
Environment
- Red Hat OpenShift Container Platform (OCP) 4.3.5
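The curl error quoted above is what an NSS-based TLS client reports when two different certificates in its trust set carry the same issuer name and serial number; Go's crypto/x509 does not perform that check, which is why only non-Go clients fail. The following script is an added example, not part of this Red Hat article, that reproduces the condition offline with constructed self-signed CAs (subject, serials and file names are all made up) and provides a check that flags certificates sharing an issuer/serial pair while differing in their SHA-256 fingerprint. It assumes openssl and mktemp are available.

```shell
#!/bin/sh
# Added example (not from the Red Hat article): detect certificates that share
# issuer and serial but are not the same certificate, which is the exact
# condition NSS-based clients such as curl reject.

# Print "issuer|serial<TAB>sha256-fingerprint" for one PEM certificate file.
cert_key() {
  issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
  serial=$(openssl x509 -in "$1" -noout -serial | sed 's/^serial=//')
  fp=$(openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//')
  printf '%s|%s\t%s\n' "$issuer" "$serial" "$fp"
}

# Return 0 when every issuer/serial pair among the given PEM files maps to a
# single certificate (byte-identical duplicates are fine), 1 when two
# different certificates reuse the same issuer/serial.
check_issuer_serial_collisions() {
  tmp=$(mktemp)
  for f in "$@"; do cert_key "$f"; done | sort > "$tmp"
  # After sorting, equal keys are adjacent; a key seen again with a different
  # fingerprint is a collision.
  bad=$(awk -F'\t' '{ if (($1 in seen) && seen[$1] != $2) print $1; seen[$1] = $2 }' "$tmp")
  rm -f "$tmp"
  if [ -n "$bad" ]; then
    echo "issuer/serial reused by different certificates:" >&2
    echo "$bad" >&2
    return 1
  fi
  return 0
}

# Constructed test data: a self-signed CA with a caller-chosen serial. The
# subject imitates the shape of an OpenShift service CA name but is invented.
# $1 = output certificate path, $2 = serial number. A fresh key is generated
# on every call, so two certs with the same serial are still different certs.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
    -subj "/CN=openshift-service-serving-signer@1584000000" \
    -set_serial "$2" -days 1 >/dev/null 2>&1
}

# Stand-alone demonstration: a rotation that reused serial 1 (the bug) versus
# a rotation that issued a fresh serial (fine).
demo() {
  dir=$(mktemp -d)
  make_ca "$dir/ca-old.crt" 1
  make_ca "$dir/ca-rotated-bad.crt" 1
  make_ca "$dir/ca-rotated-ok.crt" 2
  if check_issuer_serial_collisions "$dir/ca-old.crt" "$dir/ca-rotated-bad.crt"; then
    echo "old + bad rotation: no collision (unexpected)"
  else
    echo "old + bad rotation: collision detected, NSS clients would reject this"
  fi
  if check_issuer_serial_collisions "$dir/ca-old.crt" "$dir/ca-rotated-ok.crt"; then
    echo "old + good rotation: unique issuer/serial pairs"
  fi
  rm -rf "$dir"
}

demo
```

On a real cluster you would run the check against the old and new service CA certificates (and any serving certificates they signed) exported from the cluster instead of the constructed ones; only the issuer and serial fields are compared, so any PEM certificate files work as input.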