After upgrading cluster to OpenShift 4.3.5, service-ca certificates not trusted because of invalid service CA being created

Solution Verified - Updated -

Issue

  • On a cluster upgraded to 4.3, automated service CA rotation is enabled but does not ensure unique CA serial numbers. This can cause failures in every workload that uses a non-golang SSL/TLS client and relies on the service CA to communicate with the platform or with other workloads.
  • After the upgrade, checking an HTTPS endpoint with curl fails with the error "You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert."
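The curl error quoted above is the NSS library's reused-issuer-and-serial rejection: NSS indexes certificates by the (issuer, serial) pair, so a second, different certificate with the same pair as one already loaded is refused. The following added example (not part of the Red Hat article) is a stdlib-only Python check a cluster administrator can run over a PEM bundle, for instance the CA bundle a pod receives from the service-ca operator, to find exactly that condition before a non-Go client trips on it. It reads only the DER fields it needs (serialNumber and issuer from tbsCertificate) and compares the SHA-256 fingerprint of each certificate. The sample certificates at the bottom are constructed, unsigned structural stubs with a placeholder issuer name; they are not real OpenShift certificates.

```python
"""Find certificates in a PEM bundle that share (issuer, serial) but are not the same cert.

Added example (not from the Red Hat article). It needs only the Python standard library.
"""
import base64
import hashlib
import re
from collections import defaultdict

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def _read_tlv(buf, pos):
    """Read one DER tag-length-value starting at `pos`; return (tag, value, end_pos)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:                               # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def cert_identity(der):
    """Return (issuer_der, serial) taken from the certificate's tbsCertificate."""
    tag, cert, _ = _read_tlv(der, 0)               # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, _ = _read_tlv(cert, 0)                 # tbsCertificate ::= SEQUENCE
    tag, val, pos = _read_tlv(tbs, 0)
    if tag == 0xA0:                                # optional [0] EXPLICIT version
        tag, val, pos = _read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("expected serialNumber INTEGER")
    serial = int.from_bytes(val, "big", signed=True)
    _, _, pos = _read_tlv(tbs, pos)                # signature AlgorithmIdentifier
    start = pos
    _, _, pos = _read_tlv(tbs, pos)                # issuer Name (kept as raw DER)
    return tbs[start:pos], serial


def find_conflicts(pem_bundle):
    """Group certs by (issuer, serial); return the groups that hold more than one distinct cert."""
    groups = defaultdict(set)
    for m in PEM_RE.finditer(pem_bundle):
        der = base64.b64decode(m.group(1))         # b64decode ignores the PEM line breaks
        groups[cert_identity(der)].add(hashlib.sha256(der).hexdigest())
    return {key: sorted(fps) for key, fps in groups.items() if len(fps) > 1}


# --- constructed sample input: structural stubs, not real or signed certificates ---
def _tlv(tag, body):
    n = len(body)
    length = bytes([n]) if n < 128 else b"\x81" + bytes([n])
    return bytes([tag]) + length + body


def stub_cert(serial, issuer_cn, not_before):
    """Build an unsigned certificate-shaped DER blob (version, serial, sigalg, issuer, validity) as PEM."""
    oid_cn = _tlv(0x06, b"\x55\x04\x03")                                   # id-at-commonName
    issuer = _tlv(0x30, _tlv(0x31, _tlv(0x30, oid_cn + _tlv(0x0C, issuer_cn.encode()))))
    sig_alg = _tlv(0x30, _tlv(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B"))  # sha256WithRSAEncryption
    validity = _tlv(0x30, _tlv(0x17, not_before.encode()) + _tlv(0x17, b"991231235959Z"))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, serial.to_bytes(1, "big"))
               + sig_alg + issuer + validity)
    cert = _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00"))                # empty signature BIT STRING
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode() + "-----END CERTIFICATE-----\n"


# Placeholder issuer name (constructed); a real service CA has its own signer name.
SAMPLE_ISSUER = "service-ca-example"

# Two different "CA" certs that reuse serial 1 (the rotation defect), plus an unrelated serial 2.
SAMPLE_BUNDLE = (
    stub_cert(1, SAMPLE_ISSUER, "200301000000Z")
    + stub_cert(1, SAMPLE_ISSUER, "200401000000Z")
    + stub_cert(2, SAMPLE_ISSUER, "200401000000Z")
)

if __name__ == "__main__":
    for (issuer, serial), fps in find_conflicts(SAMPLE_BUNDLE).items():
        print(f"serial {serial} reused by {len(fps)} different certificates: {fps}")
```

On a live cluster, feed the bundle that pods actually trust (for example the contents of the service CA ConfigMap, or a node's system trust store) into find_conflicts; an empty result means NSS-based clients will not hit this rejection, while any non-empty group names the issuer/serial pair that needs to be rotated or purged.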

Environment

  • Red Hat OpenShift Container Platform (OCP) 4.3.5
