Multiple Old CA Certificate Files Observed on Host After Host CA Rotation

Problem

  • Multiple copies of old or expired Platform9 Management Plane CA certificates remain in the /etc/pf9/certs/ca directory on the host even after the CA has been rotated.

  • The same happens with the hostagent certificates in the /etc/pf9/certs/hostagent/ directory.

  • The Bouncer container logs that it can no longer connect to Keystone to validate the authentication token, for example:

2023/11/30 18:46:12 authn with credentials: obtain project token from credentials: send keystone request: Post http://localhost:8158/keystone/v3/auth/tokens?nocatalog: EOF

Environment

  • Platform9 Managed Kubernetes - v5.6.8 and Higher

Answer

  • Platform9 is aware of this issue; it is being tracked internally as JIRA PMK-6262.

Additional Information

  • Use the command below to inspect the certificate the DU presents, including its validity dates, to determine whether the DU is serving an expired certificate. Replace <DU-URL> with the FQDN of your management plane; the second line shows the command for a DU at example.platform9.net. The first openssl invocation fetches the TLS handshake (reading stdin from /dev/null so it does not wait for input) and the second prints the subject, issuer and notBefore/notAfter dates of the leaf certificate.

openssl s_client -connect <DU-URL>:443 -servername "http.v2.<DU-URL>" </dev/null | openssl x509 -noout -subject -issuer -dates
openssl s_client -connect example.platform9.net:443 -servername "http.v2.example.platform9.net" </dev/null | openssl x509 -noout -subject -issuer -dates
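The command above checks what the DU is serving. The Problem section also describes stale files on the host side, in /etc/pf9/certs/ca and /etc/pf9/certs/hostagent/. The script below is an added example, not part of Platform9's tooling or of this article: it lists every certificate file in those directories (or in directories passed as arguments) with its notAfter date and flags files that are already expired, that expire within a configurable window, or that do not parse as certificates. The 30-day default window and the treatment of only the first certificate in each PEM file are assumptions; it requires the openssl CLI and it only reports, it removes nothing.

```shell
#!/bin/sh
# Added example (not Platform9 tooling): audit the certificate files left in a
# directory such as /etc/pf9/certs/ca or /etc/pf9/certs/hostagent and report
# which are expired or about to expire. Requires the openssl CLI. Only the
# first certificate in each file is examined; a concatenated bundle would need
# splitting first. The 30-day warning window below is an assumption.

# cert_status FILE WARN_SECONDS
# Prints EXPIRED if notAfter is already in the past, EXPIRING if notAfter
# falls within WARN_SECONDS from now, OK otherwise, and INVALID if the file
# does not parse as an X.509 certificate.
cert_status() {
    file=$1
    warn=${2:-0}
    if ! openssl x509 -in "$file" -noout >/dev/null 2>&1; then
        echo INVALID
    elif ! openssl x509 -in "$file" -noout -checkend 0 >/dev/null 2>&1; then
        echo EXPIRED
    elif ! openssl x509 -in "$file" -noout -checkend "$warn" >/dev/null 2>&1; then
        echo EXPIRING
    else
        echo OK
    fi
}

# list_cert_status DIR WARN_SECONDS
# One line per *.pem / *.crt file that contains a certificate block:
# status, notAfter, subject, path. Private-key files (hostagent keeps its key
# next to its certificate) carry no CERTIFICATE block and are skipped.
list_cert_status() {
    dir=$1
    warn=${2:-0}
    for f in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$f" ] || continue
        grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || continue
        status=$(cert_status "$f" "$warn")
        if [ "$status" = INVALID ]; then
            printf '%-8s %s\n' "$status" "$f"
            continue
        fi
        enddate=$(openssl x509 -in "$f" -noout -enddate | sed 's/^notAfter=//')
        subject=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject=//')
        printf '%-8s %-26s %s  %s\n' "$status" "$enddate" "$subject" "$f"
    done
}

# count_stale DIR WARN_SECONDS
# Prints how many listed files are not OK; usable as a cron or pre-rotation
# check (a non-zero count means something in DIR needs attention).
count_stale() {
    list_cert_status "$1" "${2:-0}" | grep -c -v '^OK ' || true
}

# Stand-alone use: audit the two directories named in this article, or the
# directories given as arguments, warning WARN_SECONDS ahead (default 30
# days). Directories that do not exist are skipped, so the script is harmless
# on a host without Platform9 components.
main() {
    warn=${WARN_SECONDS:-2592000}
    if [ $# -eq 0 ]; then
        set -- /etc/pf9/certs/ca /etc/pf9/certs/hostagent
    fi
    for d in "$@"; do
        [ -d "$d" ] || continue
        echo "== $d"
        list_cert_status "$d" "$warn"
    done
}
main "$@"
```

Run it as root on an affected host (the certificate directories are not world-readable) and compare the EXPIRED entries with the certificate the DU actually serves from the openssl s_client check above; the two together show which files on the host are leftovers from before the rotation.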
