[ https://issues.apache.org/jira/browse/HDDS-9507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17783971#comment-17783971 ]

Sammi Chen commented on HDDS-9507:
----------------------------------

[~pratyush.bhatt], it's currently expected behavior. If the root CA server
is there, then the new SCM's certificate will be signed by the root certificate.

> [MasterNode decommissioning] Recommissioned SCM certs still signed by RootCA
> ----------------------------------------------------------------------------
>
>                 Key: HDDS-9507
>                 URL: https://issues.apache.org/jira/browse/HDDS-9507
>             Project: Apache Ozone
>          Issue Type: Bug
>          Components: SCM
>            Reporter: Pratyush Bhatt
>            Assignee: Nandakumar
>            Priority: Major
>
> *Scenario:* 
> Decommission an SCM node, and certs are tuned to be rotated after the new SCM 
> recommission is done.
> *Steps:*
> 1. Cert rotation interval set as 30 minutes.
> 2. Decommission an SCM Node (ozn-decom56-5.ozn-decom56.xyz)
> 3. Recommission a new SCM Node. (ozn-decom56-4.ozn-decom56.xyz)
> 4. Cert rotation interval hits now.
> _Configs used:_
> {code:java}
> "hdds.x509.default.duration": "PT1H",
> "hdds.x509.renew.grace.duration": "PT30M",
> "hdds.x509.ca.rotation.check.interval": "PT10M",
> "ozone.manager.delegation.token.renew-interval": "10m",
> "hdds.block.token.expiry.time": "10m",
> "ozone.manager.delegation.token.max-lifetime": "30m"{code}
> *Observed behavior:*
> These are certs info for the SCMs and rootCA now:
> {code:java}
> SerialNumber        Valid From                     Expiry                         Subject   Issuer
> 1                   Thu Oct 19 11:33:32 UTC 2023   Sun Nov 26 11:33:32 UTC 2028   [email protected],OU=7206ffd5-b4ac-4601-856c-331f97a19c05,O=CID-05b2fa6e-fab7-4a18-855c-8ac4aed53d00   [email protected],OU=7206ffd5-b4ac-4601-856c-331f97a19c05,O=CID-05b2fa6e-fab7-4a18-855c-8ac4aed53d00
> 138022366133952767  Thu Oct 19 11:33:32 UTC 2023   Sun Nov 26 11:33:32 UTC 2028   [email protected],OU=7206ffd5-b4ac-4601-856c-331f97a19c05,O=CID-05b2fa6e-fab7-4a18-855c-8ac4aed53d00   [email protected],OU=7206ffd5-b4ac-4601-856c-331f97a19c05,O=CID-05b2fa6e-fab7-4a18-855c-8ac4aed53d00
> 138022392400080904  Thu Oct 19 11:33:58 UTC 2023   Sun Nov 26 11:33:58 UTC 2028   [email protected],OU=c1bec48f-4c89-4edf-92a9-b63e842a1ceb,O=CID-05b2fa6e-fab7-4a18-855c-8ac4aed53d00   [email protected],OU=7206ffd5-b4ac-4601-856c-331f97a19c05,O=CID-05b2fa6e-fab7-4a18-855c-8ac4aed53d00
> 138022394309457306  Thu Oct 19 11:34:00 UTC 2023   Sun Nov 26 11:34:00 UTC 2028   [email protected],OU=da59dc71-12d2-4a77-a0bd-213491613bc2,O=CID-05b2fa6e-fab7-4a18-855c-8ac4aed53d00   [email protected],OU=7206ffd5-b4ac-4601-856c-331f97a19c05,O=CID-05b2fa6e-fab7-4a18-855c-8ac4aed53d00
> 138022935946339912  Thu Oct 19 11:43:02 UTC 2023   Sun Nov 26 11:43:02 UTC 2028   [email protected],OU=8c24b790-06a8-4670-97a8-94656d9a13c9,O=CID-05b2fa6e-fab7-4a18-855c-8ac4aed53d00   [email protected],OU=7206ffd5-b4ac-4601-856c-331f97a19c05,O=CID-05b2fa6e-fab7-4a18-855c-8ac4aed53d00{code}
> _ozn-decom56-4.ozn-decom56.xyz_ was newly decommissioned and got its cert at 
> Thu Oct 19 11:43:02 UTC 2023. 
> In the issuer section, can still see that it's signed by scm-1, whereas it 
> should have been issued by scm-sub.
> {noformat}
> [email protected],OU=7206ffd5-b4ac-4601-856c-331f97a19c05,O=CID-05b2fa6e-fab7-4a18-855c-8ac4aed53d00{noformat}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
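
Added example (not part of the original message and not Ozone code): a small
check over a certificate listing in the column layout quoted above, reporting
which certificates are self-signed, issued directly by the root CA, or issued
by another CA. It assumes columns are separated by two or more spaces; the
serials and CN values in SAMPLE are constructed placeholders, since the CNs in
the report are redacted.

```python
import re

# Constructed sample rows in the layout of the quoted listing. The CN values
# (scm-1, scm-sub, scm) and hosts are placeholders, not values from the report.
ROOT = "CN=scm-1@host-a.example,OU=ou-a,O=CID-demo"
SUB = "CN=scm-sub@host-a.example,OU=ou-a,O=CID-demo"
DATES = "Thu Oct 19 11:33:32 UTC 2023  Sun Nov 26 11:33:32 UTC 2028"
SAMPLE = "\n".join([
    "SerialNumber  Valid From  Expiry  Subject  Issuer",
    f"1     {DATES}  {ROOT}  {ROOT}",
    f"1001  {DATES}  {SUB}  {ROOT}",
    f"1002  {DATES}  CN=scm@host-b.example,OU=ou-b,O=CID-demo  {ROOT}",
    f"1003  {DATES}  CN=scm@host-c.example,OU=ou-c,O=CID-demo  {SUB}",
])


def parse_listing(text):
    """Return one dict per certificate row; header and stray lines are skipped."""
    rows = []
    for line in text.splitlines():
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) != 5 or not cols[0].isdigit():
            continue  # header, blank line, or a line broken by mail wrapping
        serial, valid_from, expiry, subject, issuer = cols
        rows.append({"serial": serial, "valid_from": valid_from,
                     "expiry": expiry, "subject": subject, "issuer": issuer})
    return rows


def classify(rows):
    """Map serial -> 'self-signed', 'issued-by-root' or 'issued-by-other'."""
    roots = {r["subject"] for r in rows if r["subject"] == r["issuer"]}
    result = {}
    for r in rows:
        if r["subject"] == r["issuer"]:
            result[r["serial"]] = "self-signed"
        elif r["issuer"] in roots:
            result[r["serial"]] = "issued-by-root"
        else:
            result[r["serial"]] = "issued-by-other"
    return result


if __name__ == "__main__":
    for serial, label in classify(parse_listing(SAMPLE)).items():
        print(serial, label)
```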
