This topic reviews how to back up and redeploy cluster certificates using the ansible-playbook command. This method fixes common certificate errors. Possible use cases include:

  • The installer detected the wrong host names and the issue was identified too late.

  • The certificates are expired and you need to update them.

  • You have a new CA and would like to create certificates using it instead

Running the Certificate Redeploy Playbook

Running the certificate redeploy playbook will redeploy OpenShift Container Platform certificates that exist on systems (master, node, etcd):

$ ansible-playbook -i <inventory> playbooks/byo/openshift-cluster/redeploy-certificates.yml

This playbook must be run with an inventory that is representative of the cluster. The inventory must specify or override all host names and IP addresses set via openshift_hostname, openshift_public_hostname, openshift_ip, openshift_public_ip, openshift_master_cluster_hostname, or openshift_master_cluster_public_hostname such that they match the current cluster configuration.

By default, the redeploy playbook does not redeploy the OpenShift Container Platform CA. New certificates are created using the original OpenShift Container Platform CA.

To redeploy all certificates including the OpenShift Container Platform CA, specify openshift_certificates_redeploy_ca=true.

For example:

$ ansible-playbook -i <inventory> playbooks/byo/openshift-cluster/redeploy-certificates.yml \
--extra-vars "openshift_certificates_redeploy_ca=true"

This also adds a custom CA certificate:

# Configure custom ca certificate
# NOTE: CA certificate will not be replaced with existing clusters.
# This option may only be specified when creating a new cluster or
# when redeploying cluster certificates with the redeploy-certificates
# playbook.
#openshift_master_ca_certificate={'certfile': '/path/to/ca.crt', 'keyfile': '/path/to/ca.key'}

All pods using service accounts to communicate with the OpenShift Container Platform API must be redeployed when the OpenShift Container Platform CA is replaced so the certificate redeploy playbook will serially evacuate all nodes in the cluster when this variable is set.