OpenShift Bugs / OCPBUGS-63177

Self-signed ingress certificate expired under 2 years


    • Bug
    • Resolution: Unresolved
    • Undefined
    • 4.18.z
    • Networking / router
    • Important
    • Rejected

      Description of problem:

      Ingress certificate expired under the default of 2-years    

      Version-Release number of selected component (if applicable):

      4.18.17    

      How reproducible:

      Unsure    

      Steps to Reproduce:

      Customer installed OpenShift originally with 4.13.13 and has upgraded to 4.18.17
      
      Cluster Version: 4.18.17
      Desired Version: 4.18.17
      Channel: stable-4.18
      Previous Version(s): 4.18.10, 4.17.26, 4.16.34, 4.15.44, 4.14.34, 4.14.32, 4.14.14, 4.13.27, 4.13.26, 4.13.24, 4.13.19, 4.13.15, 4.13.13(unverified)    

      Actual results:

      Ingress cert for their *.apps address expired at least a year before the expiry date on other certs such as the service-ca    

      Expected results:

      Ingress cert should expire around the time of the service-ca    

      Additional info:

      Customer's ingress cert expired and had to be renewed. When checking against the internal router cert, it should be expiring around this date instead:

      $ omc get secret router-certs-default -o yaml -n openshift-ingress | grep crt | awk '{print $2}' | base64 -d | openssl x509 -noout -dates -issuer -subject
      notBefore=Oct  3 13:01:42 2025 GMT
      notAfter=Oct  3 13:01:43 2027 GMT
      issuer=CN=ingress-operator@1759496369
      subject=CN=*.<FQDN>
      
      $ omc get secret router-metrics-certs-default -o yaml -n openshift-ingress | grep crt | awk '{print $2}' | base64 -d | openssl x509 -noout -dates -issuer -subject
      notBefore=Nov  1 19:21:54 2024 GMT
      notAfter=Nov  1 19:21:55 2026 GMT
      issuer=CN=openshift-service-serving-signer@1696360882
      subject=CN=router-internal-default.openshift-ingress.svc    

              nid-team-bot NID Team Bot
              rh-ee-syangsao Sam Yangsao
              Hongan Li Hongan Li
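Added example (not part of the original report and not OpenShift's own tooling): a Python script that parses the two openssl outputs quoted in the report and returns each certificate's validity length, days remaining, and the gap between signer creation and certificate issuance. It assumes the number after '@' in each issuer CN is the Unix timestamp at which that signer was created; the function names are hypothetical.

```python
import re
from datetime import datetime, timezone

# Output copied from the two commands in the report (dates, issuer, subject).
ROUTER_CERTS_DEFAULT = """\
notBefore=Oct  3 13:01:42 2025 GMT
notAfter=Oct  3 13:01:43 2027 GMT
issuer=CN=ingress-operator@1759496369
subject=CN=*.<FQDN>
"""
ROUTER_METRICS_CERTS_DEFAULT = """\
notBefore=Nov  1 19:21:54 2024 GMT
notAfter=Nov  1 19:21:55 2026 GMT
issuer=CN=openshift-service-serving-signer@1696360882
subject=CN=router-internal-default.openshift-ingress.svc
"""

def parse_x509_text(text):
    """Parse `openssl x509 -noout -dates -issuer -subject` output into a dict."""
    fields = dict(line.split("=", 1) for line in text.splitlines() if "=" in line)
    out = {"issuer": fields["issuer"], "subject": fields["subject"]}
    for key in ("notBefore", "notAfter"):
        # openssl pads single-digit days with a space; split() normalises that.
        stamp = " ".join(fields[key].split())
        out[key] = datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)
    # Assumption: the number after '@' in the issuer CN is a Unix timestamp.
    m = re.search(r"@(\d+)$", out["issuer"])
    out["signer_created"] = datetime.fromtimestamp(int(m.group(1)), timezone.utc) if m else None
    return out

def summarize(text, now):
    cert = parse_x509_text(text)
    return {
        "subject": cert["subject"],
        "validity_days": (cert["notAfter"] - cert["notBefore"]).days,
        "days_left": (cert["notAfter"] - now).days,
        "signer_created": cert["signer_created"],
        "issued_after_signer": (cert["notBefore"] - cert["signer_created"]
                                if cert["signer_created"] else None),
    }

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for name, text in (("router-certs-default", ROUTER_CERTS_DEFAULT),
                       ("router-metrics-certs-default", ROUTER_METRICS_CERTS_DEFAULT)):
        print(name, summarize(text, now))
```

A negative days_left value means the certificate has already expired at the time the script is run.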