How to renew the root certificate for ISTIO/Red Hat Service Mesh in OpenShift version 3.11?
Issue
- The upgrade playbook fails because the certificate of the istio-system namespace has expired.
TASK [Upgrade all storage] *******************************************************************************************************************************************************************
FAILED - RETRYING: Upgrade all storage (6 retries left).
FAILED - RETRYING: Upgrade all storage (5 retries left).
FAILED - RETRYING: Upgrade all storage (4 retries left).
FAILED - RETRYING: Upgrade all storage (3 retries left).
FAILED - RETRYING: Upgrade all storage (2 retries left).
FAILED - RETRYING: Upgrade all storage (1 retries left).
fatal: [dca-hd-osm-01.int.dca.ca.gov]: FAILED! => {"attempts": 6, "changed": true, "cmd": ["oc", "adm", "--config=/etc/origin/master/admin.kubeconfig", "migrate", "storage", "--include=*"], "delta": "0:01:20.489761", "end": "2020-08-10 16:12:26.252423", "failed_when_result": true, "msg": "non-zero return code", "rc": 1, "start": "2020-08-10 16:11:05.762662", "stderr": "", "stderr_lines": [], "stdout": "E0810 16:11:07.811775 error: -n istio-system attributemanifests/istioproxy: Internal error occurred: failed calling admission webhook \"mixer.validation.istio.io\": Post https://istio-galley.istio-system.svc:443/admitmixer?timeout=30s: x509: certificate has expired or is not yet valid\nE0810 16:11:07.817714 error: -n istio-system attributemanifests/kubernetes: Internal error occurred: failed calling admission webhook \"mixer.validation.istio.io\": Post https://istio-galley.istio-system.svc:443/admitmixer?timeout=30s: x509: certificate has expired or is not yet valid
- How to regenerate the root certificate of ISTIO in OCP 3.11?
Environment
- Red Hat OpenShift Service Mesh
- Red Hat OpenShift Container Platform (OCP)
  - 3.11