OpenSSL: unable to redeploy expired certificates in OpenShift 3.11

Tags: openssl, openshift, openshift-origin, openshift-3, okd

I deployed OpenShift (OKD) 3.11 using the following:

I want to create a certificate-expiry scenario and test how to renew the certificates.

To do that, I set the following variables in the inventory to 1 day (so that the certificates expire quickly):

As expected, after 1 day the oc command stopped working and the master-api and master-etcd pod containers were in the Exited state. Now I want to renew all the certificates, so I ran the redeploy-certificates playbook as described in the reference.

But this Ansible playbook aborts with the following error:

.
.
.
.
TASK [Wait for master to restart] **********************************************************************************************************
skipping: [master.167.254.204.228.nip.io]

TASK [Wait for master API to come back online] *********************************************************************************************
skipping: [master.167.254.204.228.nip.io]

TASK [openshift_control_plane : restart master] ********************************************************************************************
changed: [master.167.254.204.228.nip.io] => (item=api)
changed: [master.167.254.204.228.nip.io] => (item=controllers)

RUNNING HANDLER [openshift_control_plane : verify API server] ******************************************************************************
FAILED - RETRYING: verify API server (120 retries left).
FAILED - RETRYING: verify API server (119 retries left).
.
.
.
FAILED - RETRYING: verify API server (2 retries left).
FAILED - RETRYING: verify API server (1 retries left).
fatal: [master.167.254.204.228.nip.io]: FAILED! => {
    "attempts": 120,
    "changed": false,
    "cmd": [
        "curl",
        "--silent",
        "--tlsv1.2",
        "--max-time",
        "2",
        "--cacert",
        "/etc/origin/master/ca-bundle.crt",
        "https://master.167.254.204.228.nip.io:8443/healthz/ready"
    ],
    "delta": "0:00:00.012426",
    "end": "2020-11-29 22:56:24.445762",
    "rc": 7,
    "start": "2020-11-29 22:56:24.433336"
}

MSG:

non-zero return code


RUNNING HANDLER [openshift_control_plane : verify Local API server] ************************************************************************


Please let me know if I have missed something with redeploy-certificates, or if there is any other way we can renew these certificates.

Update: I also tried the redeploy-openshift-ca.yml playbook with -e openshift_redeploy_openshift_ca=true:

ansible-playbook -i openshift-ansible/playbooks/inventory.ini openshift-ansible/playbooks/openshift-master/redeploy-openshift-ca.yml -e openshift_redeploy_openshift_ca=true
But this playbook also fails in the earlier task that waits for the master API to be running.

The master-api docker logs show:

.
.
I1202 18:02:55.930375       1 plugins.go:84] Registered admission plugin "SecurityContextDeny"
I1202 18:02:55.930387       1 plugins.go:84] Registered admission plugin "ServiceAccount"
I1202 18:02:55.930396       1 plugins.go:84] Registered admission plugin "DefaultStorageClass"
I1202 18:02:55.930408       1 plugins.go:84] Registered admission plugin "PersistentVolumeClaimResize"
I1202 18:02:55.930418       1 plugins.go:84] Registered admission plugin "StorageObjectInUseProtection"
F1202 18:03:25.933354       1 start_api.go:68] dial tcp 167.254.204.228:2379: connect: connection refused

The etcd docker logs show:

2020-12-02 18:05:14.459240 I | embed: ready to serve client requests
2020-12-02 18:05:14.459730 I | embed: serving client requests on 167.254.204.228:2379
WARNING: 2020/12/02 18:05:14 Failed to dial 167.254.204.228:2379: connection error: desc = "transport: authentication handshake failed: remote error: tls: bad certificate"; please retry.
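Before re-running the playbooks it helps to confirm two things on the master: whether the CA itself has expired, and whether the master's etcd client certificate still verifies against etcd's CA, because when it does not, etcd rejects the handshake with exactly the "tls: bad certificate" error shown above. The script below is an added example, not code from the original post or from openshift-ansible; the file paths are the standard OKD 3.11 locations and are assumed here, and the demo tree it builds is constructed data, not real cluster files.

```shell
#!/bin/sh
# Added example, not from the original post. Reports which OpenShift 3.11 certificates have
# expired (or expire within a grace window) and whether the master's etcd client cert still
# verifies against etcd's CA; when the CA itself has expired that verification fails, which
# etcd logs as "tls: bad certificate". Paths are the standard OKD 3.11 locations (assumed).

# 0 if the certificate in $1 is still valid $2 seconds from now, 1 if it expires by then.
cert_valid_for() { openssl x509 -noout -checkend "${2:-0}" -in "$1" >/dev/null 2>&1; }

# 0 if leaf cert $1 verifies against CA file $2 (what etcd checks in the TLS handshake).
cert_chains_to() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# $1 = filesystem root ("/" on a real master), $2 = grace window in seconds; returns 1 on any finding.
audit_openshift_certs() {
  root=${1:-/}; window=${2:-0}; rc=0
  for f in etc/origin/master/ca.crt etc/origin/master/master.server.crt \
           etc/origin/master/master.etcd-client.crt etc/etcd/ca.crt etc/etcd/server.crt etc/etcd/peer.crt; do
    if [ ! -r "${root%/}/$f" ]; then echo "MISSING  $f"
    elif cert_valid_for "${root%/}/$f" "$window"; then echo "OK       $f"
    else echo "EXPIRED  $f (not valid ${window}s from now)"; rc=1
    fi
  done
  if cert_chains_to "${root%/}/etc/origin/master/master.etcd-client.crt" "${root%/}/etc/etcd/ca.crt"; then
    echo "OK       master.etcd-client.crt verifies against etc/etcd/ca.crt"
  else
    echo "FAIL     master.etcd-client.crt does not verify against etc/etcd/ca.crt (etcd rejects it)"; rc=1
  fi
  return "$rc"
}

# Constructed demo data, not real cluster files: a CA and leaf certs valid for 1 day only,
# mirroring the questioner's 1-day inventory setting. $1 = directory to build the tree in.
make_demo_tree() {
  e="$1/etc/etcd"; m="$1/etc/origin/master"; mkdir -p "$e" "$m"
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$1/ca.cnf"
  openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes -days 1 -subj /CN=demo-ca \
    -keyout "$e/ca.key" -out "$e/ca.crt" 2>/dev/null && cp "$e/ca.crt" "$m/ca.crt"
  for leaf in "$m/master.server" "$m/master.etcd-client" "$e/server" "$e/peer"; do
    openssl req -new -config "$1/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=${leaf##*/}" \
      -keyout "$leaf.key" -out "$leaf.csr" 2>/dev/null
    openssl x509 -req -in "$leaf.csr" -CA "$e/ca.crt" -CAkey "$e/ca.key" -CAcreateserial \
      -days 1 -out "$leaf.crt" 2>/dev/null
  done
}

# Demo: all fine right now, but with a 2-day window every 1-day cert is flagged.
demo=$(mktemp -d); make_demo_tree "$demo"
audit_openshift_certs "$demo" 0 || true
echo '--- with a 2-day grace window:'; audit_openshift_certs "$demo" 172800 || true
rm -rf "$demo"
```

On a real master run `audit_openshift_certs / 0`; a FAIL on the chain line while the files themselves still pass means the client cert and etcd's CA no longer belong together, not just that something expired.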


I think that for the first output the problem is that your CA has expired as well, so redeploying all the certificates will not fix it. In the second output you did not run the same playbook. What is the result when you run the redeploy-certificates.yml playbook with -e openshift_redeploy_openshift_ca=true?

I have tried it as you suggested, but the result is the same: it fails at the same point, i.e. it aborts when the master API cannot start.