From a security perspective we recommend rotating frequently, but it's up
to your judgement.  If someone compromised your master cert you would want
to rotate it quickly, so just keep that in mind.

On Oct 12, 2016, at 8:37 AM, Mario Rosic <m...@rosicmario.eu> wrote:

Hello,

thank you, the playbook seems to work well.

However, I don't want to keep track of cert expiry dates and since those
certs are self-signed I'm going to modify the playbook to issue the certs
for 30 years (which should exceed the life of the cluster).

To me it seems like there is no reason whatsoever to replace those certs
every 2 years. Or am I missing something?

Regards
v


On 2016-10-11 at 15:46, Pep Turro Mauri wrote:



On 11 October 2016 at 11:40, v <vekt...@gmx.net> wrote:

> Hello,
>
> our first cluster is nearly 1 year old


Happy birthday! :)


> and many certificates on the master are going to expire soon. Is there a
> guide on how to update them? What do we need to do to make sure our cluster
> doesn't just cease working on the 22nd of October?
>

There's an ansible playbook that should help here:
https://docs.openshift.org/latest/install_config/redeploying_certificates.html

pep


>
> Regards
> v
>
> $ openssl x509 -enddate -noout -in XYZ
>
> /etc/origin/master/admin.crt
> notAfter=Oct 22 07:03:34 2016 GMT
>
> /etc/origin/master/ca-bundle.crt
> notAfter=Oct 22 07:03:31 2016 GMT
>
> /etc/origin/master/ca.crt
> notAfter=Oct 22 07:03:31 2016 GMT
>
> /etc/origin/master/master.etcd-client.crt
> notAfter=Oct 22 07:03:33 2016 GMT
>
> /etc/origin/master/master.kubelet-client.crt
> notAfter=Oct 22 07:03:33 2016 GMT
>
> /etc/origin/master/openshift-master.crt
> notAfter=Oct 22 07:03:32 2016 GMT
>
> /etc/origin/master/openshift-registry.crt
> notAfter=Oct 22 07:03:35 2016 GMT
>
> /etc/origin/master/openshift-router.crt
> notAfter=Oct 22 07:03:35 2016 GMT
>
> _______________________________________________
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>



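An added example, not part of the original thread: a small script that takes over the job of tracking expiry dates by wrapping the `openssl x509 -enddate` check quoted above and flagging certificates that are expired or inside a warning window. It assumes bash, GNU date and the openssl CLI; `WARN_DAYS` and the function names are illustrative.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Assumes bash, GNU date (-d) and the openssl CLI.
# WARN_DAYS and the function names are illustrative.
WARN_DAYS=${WARN_DAYS:-30}

# secs_left "<notAfter value>" [now_epoch] -> seconds until expiry (negative once expired)
secs_left() {
    local now=${2:-$(date -u +%s)} end
    end=$(date -u -d "$1" +%s 2>/dev/null) || return 2
    echo $(( end - now ))
}

# classify "<notAfter value>" [now_epoch] -> EXPIRED, WARN, OK or UNKNOWN
classify() {
    local left
    left=$(secs_left "$1" "$2") || { echo UNKNOWN; return 0; }
    if   [ "$left" -le 0 ]; then echo EXPIRED
    elif [ "$left" -le $(( WARN_DAYS * 86400 )) ]; then echo WARN
    else echo OK
    fi
}

# check_dir [dir] -> one status line per *.crt; returns 1 if anything needs attention
check_dir() {
    local dir=${1:-/etc/origin/master} f line status rc=0
    for f in "$dir"/*.crt; do
        [ -f "$f" ] || continue
        # Same command as in the thread. For a bundle such as ca-bundle.crt,
        # openssl x509 reads only the first certificate in the file.
        if line=$(openssl x509 -enddate -noout -in "$f" 2>/dev/null); then
            status=$(classify "${line#notAfter=}")
        else
            status=UNREADABLE
        fi
        echo "$status $f ${line#notAfter=}"
        [ "$status" = OK ] || rc=1
    done
    return "$rc"
}

# Run against a directory only when one is given: ./check-certs.sh /etc/origin/master
[ $# -eq 0 ] || check_dir "$1"
```

Run from cron, the non-zero exit status can drive an alert well before the notAfter date, whatever certificate lifetime is chosen.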
