more clues

etcd nodes have two IPs, public and private

for some reason OpenShift is creating the certificates using the public IP 
instead of private

so connecting to etcd gives me an error saying certificate is generated to 
this IP and not to that IP

so it fails for that reason after regenerating them

any clue ?

best regards



> On 13 Jun 2017, at 13:53, Julio Saura <jsa...@hiberus.com> wrote:
> 
> more info
> 
> i managed to connect with curl to the etcd server and queried about 
> controller keys
> 
> {"action":"get","node":{"key":"/openshift.io/leases/controllers","value":"master-lyy7bxfg","expiration":"2017-05-31T10:26:28.833756573Z","ttl":-1128220,"modifiedIndex":20547532,"createdIndex":18120566}
> 
> 
> it looks like what is expired is the key on the etcd database..
> 
> how can i solve this?
> 
> best regards
> 
> 
> 
>> On 13 Jun 2017, at 13:46, Julio Saura <jsa...@hiberus.com> wrote:
>> 
>> sorry about wget
>> 
>> connecting to etcd nodes using openssl and passing client certs looks good
>> 
>> openssl s_client -cert master.etcd-client.crt  -key master.etcd-client.key 
>> -connect etcd-node1:2379 -debug
>> 
>> connects without problem
>> 
>> but api service does not
>> 
>> 
>> Jun 13 15:25:04 openshift-master01 origin-master-controllers: E0613 
>> 15:25:04.997861    2391 leaderlease.go:69] unable to check lease 
>> openshift.io/leases/controllers: 
>> 501: All the given peers are not reachable (failed to propose on members 
>> [https://etcd-node02l:2379 https:/etcd-node01:2379] twice [last error: Put 
>> https://etcd-node02:2379/v2/keys/openshift.io/leases/controllers?prevExist=false:
>>  remote error: bad certificate
>> 
>> 
>> Julio Saura Alejandre
>> 
>>> On 13 Jun 2017, at 13:28, Julio Saura <jsa...@hiberus.com> wrote:
>>> 
>>> Hello
>>> 
>>> i have a problem in a 1.2.0 cluster with etcd ca and certificates, mainly 
>>> they did expire
>>> 
>>> i followed the doc regarding this and after updating my openshift-ansible i 
>>> got the needed playbook
>>> 
>>> after running them i see etcd certs and ca are updated on my nodes, and 
>>> dumping them with openssl looks good.
>>> 
>>> ansible-playbook -v -i /etc/ansible/hosts 
>>> ./playbooks/byo/openshift-cluster/redeploy-certificates.yml
>>> 
>>> i see the ca and certs have been updated nicely on my etcd nodes, they do 
>>> start but i still get bad certificate when api/master tries to connect to 
>>> etcd
>>> 
>>> i did check connecting with wget for example but it says bad certificate
>>> 
>>> OpenSSL: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad 
>>> certificate
>>> 
>>> any clue? my cluster is down right now :/
>>> 
>>> best regards
>>> 
>> 
> 

_______________________________________________
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
