Hey Julio,

Setting openshift_ip as a host level variable within inventory will
override the IP that is selected by default for etcd hosts (IP of the
default route).
playbooks/byo/openshift-cluster/redeploy-etcd-certificates.yml can be used
to replace the etcd certificates with the overridden IP value.

For example, set openshift_ip for each etcd host within inventory:

[etcd]
host1.example.com openshift_ip=192.168.122.43
host2.example.com openshift_ip=192.168.122.44
host3.example.com openshift_ip=192.168.122.45


On Tue, Jun 13, 2017 at 9:19 AM, Julio Saura <jsa...@hiberus.com> wrote:

> more clues
>
> etcd nodes have two ips, public and private
>
> for some reason openshift is creating the certificates using the public ip
> instead of private
>
> so connecting to etcd gives me an error saying certificate is generated
> to this IP and not to that IP
>
> so it fails for that reason after re generating them
>
> any clue ?
>
> best regards
>
>
>
> On 13 Jun 2017, at 13:53, Julio Saura <jsa...@hiberus.com> wrote:
>
> more info
>
> i managed to connect with curl to the etcd server and queried about
> controller keys
>
> {"action":"get","node":{"key":"/openshift.io/leases/controllers
> ","value":"master-lyy7bxfg","expiration":"*2017-05-31T10:26:28.833756573Z*
> ","ttl":-1128220,"modifiedIndex":20547532,"createdIndex":18120566}
>
>
> it looks like what is expired is the key in the etcd DB..
>
> how can i solve this?
>
> best regards
>
>
>
> On 13 Jun 2017, at 13:46, Julio Saura <jsa...@hiberus.com> wrote:
>
> sorry about wget
>
> connecting to etcd nodes using openssl and passing client certs looks good
>
> openssl s_client -cert master.etcd-client.crt -key master.etcd-client.key -connect etcd-node1:2379 -debug
>
> connects without problem
>
> but api service does not
>
>
> Jun 13 15:25:04 openshift-master01 origin-master-controllers: E0613
> 15:25:04.997861    2391 leaderlease.go:69] unable to check lease
> openshift.io/leases/controllers: 501: All the given peers are not
> reachable (failed to propose on members [https://etcd-node02l:2379
> https:/etcd-node01:2379] twice [last error: Put
> https://etcd-node02:2379/v2/keys/openshift.io/leases/
> controllers?prevExist=false: remote error: bad certificate
>
>
> *Julio Saura Alejandre*
> *Head of Managed Services*
> *hiberus* TRAVEL
> Tel.: + 34 902 87 73 92 Ext. 659
> Parque Empresarial PLAZA
> Edificio EXPOINNOVACIÓN
> C/. Bari 25 Duplicado, Escalera 1, Planta 2ª. 50197 Zaragoza
> www.hiberus.com
>
>
> On 13 Jun 2017, at 13:28, Julio Saura <jsa...@hiberus.com> wrote:
>
> Hello
>
> i have a problem in a 1.2.0 cluster with etcd ca and certificates, mainly
> they did expire
>
> i followed the doc regarding this and after updating my openshift-ansible i
> got the needed playbook
>
> after running them i see etcd certs and ca are updated on my nodes, and
> dumping them with openssl looks good.
>
> ansible-playbook -v -i /etc/ansible/hosts ./playbooks/byo/openshift-cluster/redeploy-certificates.yml
>
> i see the ca and certs have been updated nicely on my etcd nodes, they do
> start but i still get bad certificate when api/master tries to connect to
> etcd
>
> i did check connecting with wget for example but it says bad certificate
>
> OpenSSL: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
> certificate
>
> any clue? my cluster is down right now :/
>
> best regards
>
>
>
>
>
> _______________________________________________
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>
>
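
The mismatch discussed in this thread (an etcd certificate issued for one IP while clients connect on another) can be checked against the inventory before and after the certificates are redeployed. The script below is an added example, not from either poster and not part of openshift-ansible; it assumes an INI inventory and an OpenSSL that supports `x509 -checkip`, and the certificate, host names and file names it uses are constructed placeholders.

```shell
#!/bin/sh
# Added example; hosts, IPs and file names below are constructed placeholders.

# Print "host ip" for each [etcd] host that sets openshift_ip in an INI inventory.
etcd_ips() {
    awk '
        /^\[/ { in_etcd = ($0 == "[etcd]"); next }
        in_etcd && NF && $1 !~ /^[#;]/ {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^openshift_ip=/) { sub(/^openshift_ip=/, "", $i); print $1, $i }
        }' "$1"
}

# Succeed only if the certificate's subjectAltName lists the IP. The output text
# is matched rather than relying on the exit status of openssl x509.
cert_covers_ip() {
    openssl x509 -in "$1" -noout -checkip "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# Look up a host's openshift_ip and test its certificate against it.
# Returns 0 = covered, 1 = certificate issued for another IP, 2 = no openshift_ip set.
check_host_cert() {  # usage: check_host_cert <inventory> <host> <cert.pem>
    ip=$(etcd_ips "$1" | awk -v h="$2" '$1 == h { print $2 }')
    [ -n "$ip" ] || { echo "$2: no openshift_ip in [etcd]" >&2; return 2; }
    cert_covers_ip "$3" "$ip" || { echo "$2: $3 lacks SAN IP $ip" >&2; return 1; }
}

# Fixture: throwaway self-signed certificate whose only SAN is the given IP.
make_test_cert() {  # usage: make_test_cert <dir> <ip>
    cat > "$1/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = host1.example.com
[v3]
subjectAltName = IP:$2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/san.cnf" \
        -keyout "$1/test.key" -out "$1/test.crt" 2>/dev/null
}

# Demo on constructed data: one inventory line from the reply, one throwaway cert.
tmp=$(mktemp -d)
printf '[etcd]\nhost1.example.com openshift_ip=192.168.122.43\n' > "$tmp/hosts"
make_test_cert "$tmp" 192.168.122.43
check_host_cert "$tmp/hosts" host1.example.com "$tmp/test.crt" && echo "SAN covers openshift_ip"
```

On a real cluster, `check_host_cert` would be pointed at each etcd host's own server certificate; a return code of 1 corresponds to the "certificate is generated to this IP and not to that IP" symptom.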