Re: Cluster-Birthday: 1 year old, many certificates expiring - how to update?

2016-10-12 Thread Clayton Coleman
From a security perspective we recommend rotating frequently, but it's up
to your judgement. If someone compromised your master cert you would want
to rotate it quickly, so just keep that in mind.

On Oct 12, 2016, at 8:37 AM, Mario Rosic wrote:

Hello,

thank you, the playbook seems to work well.

However, I don't want to keep track of cert expiry dates and since those
certs are self-signed I'm going to modify the playbook to issue the certs
for 30 years (which should exceed the life of the cluster).

To me it seems like there is no reason whatsoever to replace those certs
every 2 years. Or am I missing something?

Regards
v


Am 2016-10-11 um 15:46 schrieb Pep Turro Mauri:



On 11 October 2016 at 11:40, v wrote:

> Hello,
>
> our first cluster is nearly 1 year old


Happy birthday! :)


> and many certificates on the master are going to expire soon. Is there a
> guide on how to update them? What do we need to do to make sure our cluster
> doesn't just cease working on the 22nd of October?
>

There's an ansible playbook that should help here:
https://docs.openshift.org/latest/install_config/redeploying_certificates.html

pep


>
> Regards
> v
>
> $ openssl x509 -enddate -noout -in XYZ
>
> /etc/origin/master/admin.crt
> notAfter=Oct 22 07:03:34 2016 GMT
>
> /etc/origin/master/ca-bundle.crt
> notAfter=Oct 22 07:03:31 2016 GMT
>
> /etc/origin/master/ca.crt
> notAfter=Oct 22 07:03:31 2016 GMT
>
> /etc/origin/master/master.etcd-client.crt
> notAfter=Oct 22 07:03:33 2016 GMT
>
> /etc/origin/master/master.kubelet-client.crt
> notAfter=Oct 22 07:03:33 2016 GMT
>
> /etc/origin/master/openshift-master.crt
> notAfter=Oct 22 07:03:32 2016 GMT
>
> /etc/origin/master/openshift-registry.crt
> notAfter=Oct 22 07:03:35 2016 GMT
>
> /etc/origin/master/openshift-router.crt
> notAfter=Oct 22 07:03:35 2016 GMT
>
> ___
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>


Re: Cluster-Birthday: 1 year old, many certificates expiring - how to update?

2016-10-12 Thread Mario Rosic

Hello,

thank you, the playbook seems to work well.

However, I don't want to keep track of cert expiry dates and since those certs 
are self-signed I'm going to modify the playbook to issue the certs for 30 
years (which should exceed the life of the cluster).

To me it seems like there is no reason whatsoever to replace those certs every 
2 years. Or am I missing something?

Regards
v


Am 2016-10-11 um 15:46 schrieb Pep Turro Mauri:



On 11 October 2016 at 11:40, v wrote:

> Hello,
>
> our first cluster is nearly 1 year old


Happy birthday! :)


> and many certificates on the master are going to expire soon. Is there a
> guide on how to update them? What do we need to do to make sure our cluster
> doesn't just cease working on the 22nd of October?
>

There's an ansible playbook that should help here:
https://docs.openshift.org/latest/install_config/redeploying_certificates.html

pep


>
> Regards
> v
>
> $ openssl x509 -enddate -noout -in XYZ
>
> /etc/origin/master/admin.crt
> notAfter=Oct 22 07:03:34 2016 GMT
>
> /etc/origin/master/ca-bundle.crt
> notAfter=Oct 22 07:03:31 2016 GMT
>
> /etc/origin/master/ca.crt
> notAfter=Oct 22 07:03:31 2016 GMT
>
> /etc/origin/master/master.etcd-client.crt
> notAfter=Oct 22 07:03:33 2016 GMT
>
> /etc/origin/master/master.kubelet-client.crt
> notAfter=Oct 22 07:03:33 2016 GMT
>
> /etc/origin/master/openshift-master.crt
> notAfter=Oct 22 07:03:32 2016 GMT
>
> /etc/origin/master/openshift-registry.crt
> notAfter=Oct 22 07:03:35 2016 GMT
>
> /etc/origin/master/openshift-router.crt
> notAfter=Oct 22 07:03:35 2016 GMT

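The thread boils down to two checks a cluster operator wants automated: how many days each master certificate has left, and which ones fall under a warning threshold, so expiry is noticed before the 22nd rather than on it. The script below is an added example for this thread, not code from the list, from the openshift-ansible playbook, or from OpenShift itself. It parses the exact output format of `openssl x509 -enddate -noout` that "v" posted, and the sample report is constructed from the notAfter values quoted above; the function names (`parse_not_after`, `parse_report`, `days_remaining`, `expiring_within`, `collect_live_report`) and the 30-day threshold are this example's own choices.

```python
"""Days-to-expiry check for the certificate list posted in the thread.

Parses `openssl x509 -enddate -noout` output (one "path" line followed by a
"notAfter=..." line) and flags certificates expiring within a threshold.
Example code written for this thread; not OpenShift or playbook code.
"""
import subprocess
from datetime import datetime, timezone

# Constructed sample: the path / notAfter pairs exactly as "v" posted them.
SAMPLE_REPORT = """\
/etc/origin/master/admin.crt
notAfter=Oct 22 07:03:34 2016 GMT

/etc/origin/master/ca-bundle.crt
notAfter=Oct 22 07:03:31 2016 GMT

/etc/origin/master/ca.crt
notAfter=Oct 22 07:03:31 2016 GMT

/etc/origin/master/master.etcd-client.crt
notAfter=Oct 22 07:03:33 2016 GMT

/etc/origin/master/master.kubelet-client.crt
notAfter=Oct 22 07:03:33 2016 GMT

/etc/origin/master/openshift-master.crt
notAfter=Oct 22 07:03:32 2016 GMT

/etc/origin/master/openshift-registry.crt
notAfter=Oct 22 07:03:35 2016 GMT

/etc/origin/master/openshift-router.crt
notAfter=Oct 22 07:03:35 2016 GMT
"""


def parse_not_after(value: str) -> datetime:
    """Parse openssl's notAfter text ("Oct 22 07:03:34 2016 GMT") to an aware UTC datetime.

    openssl always prints GMT. Single-digit days are space padded ("Oct  2 ..."),
    which strptime tolerates because whitespace in the format matches a run of spaces.
    """
    text = value.strip()
    if text.startswith("notAfter="):
        text = text[len("notAfter="):]
    if not text.endswith(" GMT"):
        raise ValueError(f"unexpected notAfter format: {value!r}")
    naive = datetime.strptime(text[:-4], "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)


def parse_report(report: str) -> dict:
    """Turn the path / notAfter pairs into {path: expiry_datetime}."""
    result = {}
    current_path = None
    for line in report.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("notAfter="):
            if current_path is None:
                raise ValueError("notAfter line without a preceding path line")
            result[current_path] = parse_not_after(line)
            current_path = None
        else:
            current_path = line
    return result


def days_remaining(expiry: datetime, now: datetime) -> int:
    """Whole days until expiry; negative once the certificate has already expired."""
    return int((expiry - now).total_seconds() // 86400)


def expiring_within(certs: dict, now: datetime, threshold_days: int = 30) -> list:
    """(path, days_left) for certificates at or under the threshold, soonest first."""
    hits = [(path, days_remaining(exp, now)) for path, exp in certs.items()]
    return sorted([h for h in hits if h[1] <= threshold_days], key=lambda h: (h[1], h[0]))


def collect_live_report(paths) -> str:
    """Build the same report from real files by running the command the thread uses.

    Not exercised by the sample above; requires the openssl binary on PATH.
    """
    chunks = []
    for p in paths:
        out = subprocess.run(["openssl", "x509", "-enddate", "-noout", "-in", str(p)],
                             capture_output=True, text=True, check=True).stdout
        chunks.append(f"{p}\n{out}")
    return "\n".join(chunks)


if __name__ == "__main__":
    # Use the date the thread was posted as "now" so the sample report is meaningful.
    now = datetime(2016, 10, 12, 8, 37, tzinfo=timezone.utc)
    for path, days in expiring_within(parse_report(SAMPLE_REPORT), now, threshold_days=30):
        state = "EXPIRED" if days < 0 else f"{days} day(s) left"
        print(f"{path}: {state}")
```

Run against the sample with 12 October 2016 as "now", every file in the list reports 9 days left, which is the situation the original post describes. For a live master, pass the `.crt` paths under `/etc/origin/master/` to `collect_live_report` and feed its output to `parse_report`; the threshold is where the rotation-interval question in the thread becomes a concrete number, since a cron job that alerts at 30 days is what makes a short validity period operationally safe.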