How To
Summary
If you shut down your CP4S cluster gracefully, for example over the holiday season, the node certificates might expire. After the holidays, you restart the cluster but you cannot log in and get a warning about an expired certificate.
Related documentation: https://www.ibm.com/support/pages/node/6853549
Objective
-
Log in to one of the control nodes with ssh
-
Renew the certificates
-
Wait for the cluster to become ready
Environment
Red Hat OpenShift 4
Cloud Pak for Security 1.10
Steps
Log in to one of the control nodes with ssh
$ ssh core@[node_name]
[core@node_name ~]$ sudo -i
[root@node_name ~]#
Log in to the cluster
export KUBECONFIG=/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/lb-int.kubeconfig
Approve pending certificate requests
oc get csr -o name | xargs oc adm certificate approve
You might have to repeat this command until there are no more pending certificate requests.
Check the cluster operator status regularly until all operators are available
oc get co
Then, you can close the ssh session and login to your Red Hat OpenShift cluster
Additional Information
Useful links related to expired certificates on the control planes
https://access.redhat.com/solutions/5953441
https://access.redhat.com/solutions/4845381
https://access.redhat.com/solutions/6066701
https://access.redhat.com/solutions/5953441
https://access.redhat.com/solutions/4845381
https://access.redhat.com/solutions/6066701
Related Information
Document Location
Worldwide
[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSTDPP","label":"IBM Cloud Pak for Security"},"ARM Category":[{"code":"a8m3p000000PCQXAA4","label":"OpenShift-\u003EAuthentication"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"1.10.0"}]
Was this topic helpful?
Document Information
Modified date:
06 July 2023
UID
ibm17010005