Hey Julio,

Setting openshift_ip as a host level variable within inventory will override the IP that is selected by default for etcd hosts (IP of the default route). playbooks/byo/openshift-cluster/redeploy-etcd-certificates.yml can be used to replace the etcd certificates with the overridden IP value.

For example, set openshift_ip for each etcd host within inventory:

[etcd]
host1.example.com openshift_ip=192.168.122.43
host2.example.com openshift_ip=192.168.122.44
host3.example.com openshift_ip=192.168.122.45

On Tue, Jun 13, 2017 at 9:19 AM, Julio Saura <jsa...@hiberus.com> wrote:

> more clues
>
> etcd nodes have two IPs, public and private
>
> for some reason OpenShift is creating the certificates using the public IP
> instead of private
>
> so connecting to etcd gives me an error saying the certificate is generated
> for this IP and not for that IP
>
> so it fails for that reason after regenerating them
>
> any clue?
>
> best regards
>
> On 13 Jun 2017, at 13:53, Julio Saura <jsa...@hiberus.com> wrote:
>
> more info
>
> I managed to connect with curl to the etcd server and queried about
> controller keys
>
> {"action":"get","node":{"key":"/openshift.io/leases/controllers","value":"master-lyy7bxfg","expiration":"*2017-05-31T10:26:28.833756573Z*","ttl":-1128220,"modifiedIndex":20547532,"createdIndex":18120566}
>
> it looks like what is expired is the key in the etcd DB..
>
> how can I solve this?
>
> best regards
>
> On 13 Jun 2017, at 13:46, Julio Saura <jsa...@hiberus.com> wrote:
>
> sorry about wget
>
> connecting to etcd nodes using openssl and passing client certs looks good
>
> openssl s_client -cert master.etcd-client.crt -key master.etcd-client.key -connect etcd-node1:2379 -debug
>
> connects without problem
>
> but the API service does not
>
> Jun 13 15:25:04 openshift-master01 origin-master-controllers: E0613 15:25:04.997861 2391 leaderlease.go:69] unable to check lease openshift.io/leases/controllers: 501: All the given peers are not reachable (failed to propose on members [https://etcd-node02l:2379 https:/etcd-node01:2379] twice [last error: Put https://etcd-node02:2379/v2/keys/openshift.io/leases/controllers?prevExist=false: remote error: bad certificate
>
> Julio Saura Alejandre
> Head of Managed Services
> hiberus
>
> On 13 Jun 2017, at 13:28, Julio Saura <jsa...@hiberus.com> wrote:
>
> Hello
>
> I have a problem in a 1.2.0 cluster with the etcd CA and certificates, mainly
> they did expire
>
> I followed the doc regarding this and after updating my openshift-ansible I
> got the needed playbook
>
> after running them I see the etcd certs and CA are updated on my nodes, and
> dumping them with openssl looks good.
>
> ansible-playbook -v -i /etc/ansible/hosts ./playbooks/byo/openshift-cluster/redeploy-certificates.yml
>
> I see the CA and certs have been updated nicely on my etcd nodes, they do
> start but I still get bad certificate when api/master tries to connect to
> etcd
>
> I did check connecting with wget for example but it says bad certificate
>
> OpenSSL: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
>
> any clue? my cluster is down right now :/
>
> best regards
>
> _______________________________________________
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
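
The check below is an added example, not part of the original thread or of openshift-ansible: it lists the IP subjectAltName entries of a certificate and tests whether the address the master connects to is among them, which is the mismatch described in the thread. The function names and the 203.0.113.10 "public" address are assumptions made for illustration, and the two self-signed certificates are constructed test data.

```shell
#!/bin/sh
# Added example: does an etcd certificate list the IP the master dials?

# Print the IP entries of a PEM certificate's subjectAltName, one per line.
cert_ip_sans() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Subject Alternative Name' |
        tail -n 1 | tr ',' '\n' |
        sed -n 's/^ *IP Address:\(.*\)$/\1/p'
}

# Succeed only if the certificate has an IP SAN exactly equal to $2
# (whole-line match, so 192.168.122.4 does not match 192.168.122.43).
cert_has_ip() {
    cert_ip_sans "$1" | grep -Fxq -- "$2"
}

# Constructed test data: a self-signed cert with the given subjectAltName.
make_sample_cert() {   # usage: make_sample_cert <out-prefix> <san-list>
    cat > "$1.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = host1.example.com
[ext]
subjectAltName = $2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1.cnf" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

WORK=$(mktemp -d)
# 203.0.113.10 stands in for the public address (constructed);
# 192.168.122.43 is host1's openshift_ip from the inventory example.
make_sample_cert "$WORK/before" "IP:203.0.113.10,DNS:host1.example.com"
make_sample_cert "$WORK/after"  "IP:192.168.122.43,DNS:host1.example.com"

for c in before after; do
    if cert_has_ip "$WORK/$c.crt" 192.168.122.43; then
        echo "$c: 192.168.122.43 is in the certificate SANs"
    else
        echo "$c: 192.168.122.43 missing; SAN IPs: $(cert_ip_sans "$WORK/$c.crt" | tr '\n' ' ')"
    fi
done
```

Run against the real etcd server certificate on each etcd host after redeploying, passing that host's openshift_ip as the second argument to cert_has_ip.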