Things to be followed during the renewal process of the OpenShift SSL certificate.

By | May 12, 2020

This article mainly applies to OpenShift v3.6 clusters. It covers the prerequisite preparation that needs to be done before running the SSL renewal playbook (redeploy-certificates.yaml).

While redeploying the SSL certificate on an OCP cluster, the playbook might fail because of some issue. Check the points below before redeploying the SSL certificates using the playbook.

  • Initiate the server backup: take an AMI if the cluster is on AWS, or a snapshot if the cluster is running on VMware.
  • Make a note of the private IP of every node in the cluster (useful for recovering with the same IPs, so the same cluster state can be restored if anything goes wrong with the cluster).
  • Verify the Red Hat subscription: check that all nodes are subscribed to Red Hat.
  • Verify the repositories (# yum repolist) and check that all repos are fetched properly.
  • Check that no attributes are set on /etc/resolv.conf (lsattr /etc/resolv.conf).
  • Put the newly generated certificates in the expected location (web/apps certs).
  • Update the OSEv3 config file with the certificate paths (if required).
  • Take a backup of the origin folder and of etcd.
  • Check and verify that there is no entry under new_nodes in the inventory file.

ERROR: 'ansible.parsing.yaml.objects.AnsibleUnicode object' has no attribute 'certfile'


TASK [assert] **************************************************************************************************************************

ok: [master-1.demodevops.com] => {
"changed": false
}

MSG:

All assertions passed

TASK [Read router certificate and key] *************************************************************************************************
fatal: [master-1.demodevops.com]: FAILED! => {}

MSG:

'ansible.parsing.yaml.objects.AnsibleUnicode object' has no attribute 'certfile'

This issue happens because of an unsupported format in your configuration file (OSEv3) for the master and infra sections: the certificate variable is written as a folded string containing a {} block, so the playbook receives a plain string instead of a mapping with certfile/keyfile/cafile keys.

Change From

# infra
 openshift_hosted_router_certificate: >
   {
     'certfile': '/home/openshift/Deployment/ssl-cert/wildcard/apps_domain.crt',
     'keyfile': '/home/openshift/Deployment/ssl-cert/wildcard/apps_domain.key',
     'cafile': '/home/openshift/Deployment/ssl-cert/DemoDevOpsrootCA.crt'
   }

Change To

# infra
 openshift_hosted_router_certificate:
   certfile: '/home/openshift/Deployment/ssl-cert/wildcard/apps_domain.crt'
   keyfile: '/home/openshift/Deployment/ssl-cert/wildcard/apps_domain.key'
   cafile: '/home/openshift/Deployment/ssl-cert/DemoDevOpsrootCA.crt'

Note:

  • The same format applies to the master section as well; don't forget to format it correctly.
  • So for both certificate definitions, remove the > and the {} from the definitions and normalize the syntax as shown above.

Please check the link below for details:

https://docs.openshift.com/container-platform/3.10/install_config/certificate_customization.html#configuring-custom-certificates-master

Execute the playbook again; the above problem should now be resolved.

ISSUE: The certificate is deployed only to the master and a few other nodes, not to all worker nodes

Check the inventory and look for any nodes under [new_nodes].

Comment out any node added there; otherwise the playbook will deploy only to that node and the remaining nodes will be skipped.

From reading the playbook code, it first looks for new_nodes, and only if that group is not found does it fall back to the regular node group. So make sure to remove any entry under new_nodes.

Try running the playbook again and see if the problem still persists.
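A small pre-flight check that catches both problems described above (the certificate variable loaded as a string instead of a mapping, and a live host under [new_nodes]) before the playbook is started. This is an added example, not code from the post or from openshift-ansible; the variable-name suffixes it scans for and the sample inventory are constructed assumptions.

```python
import os
from typing import Any, Callable, List

REQUIRED = ("certfile", "keyfile", "cafile")

def check_cert_var(name: str, value: Any, exists: Callable[[str], bool]) -> List[str]:
    """Findings for one certificate variable from the OSEv3 vars block."""
    # The folded form ('>' + a {...} block) loads as a str: "AnsibleUnicode object has no attribute 'certfile'".
    if isinstance(value, str):
        return [f"{name}: defined as a string, must be a YAML mapping (remove '>' and '{{}}')"]
    entries = value if isinstance(value, list) else [value]  # master vars may be a list
    findings: List[str] = []
    for i, entry in enumerate(entries):
        if not isinstance(entry, dict):
            findings.append(f"{name}[{i}]: not a mapping")
            continue
        for field in REQUIRED:
            path = entry.get(field)
            if path is None:
                findings.append(f"{name}[{i}]: missing '{field}'")
            elif not exists(path):
                findings.append(f"{name}[{i}]: {field} not found at {path}")
    return findings

def active_new_nodes(inventory_text: str) -> List[str]:
    """Hosts under [new_nodes] that are not commented out (INI-style inventory)."""
    hosts, in_section = [], False
    for line in inventory_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_section = stripped == "[new_nodes]"
        elif in_section and stripped and not stripped.startswith("#"):
            hosts.append(stripped.split()[0])
    return hosts

def preflight(osev3_vars: dict, inventory_text: str,
              exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Run both checks; an empty list means it is safe to start the playbook."""
    findings: List[str] = []
    for name, value in osev3_vars.items():
        if name.endswith(("_certificate", "_named_certificates")):  # assumed suffixes
            findings += check_cert_var(name, value, exists)
    for host in active_new_nodes(inventory_text):
        findings.append(f"[new_nodes] lists {host}; the playbook would target only new_nodes")
    return findings

# Constructed samples: the broken folded-scalar form, and an inventory with a live [new_nodes] entry.
BAD_VARS = {"openshift_hosted_router_certificate": "{ 'certfile': '/tmp/apps_domain.crt', ... }"}
SAMPLE_INVENTORY = "[masters]\nmaster-1.demodevops.com\n[new_nodes]\n# node-9\nnode-3.demodevops.com\n"
```

Load the OSEv3 vars with your YAML loader of choice and pass the result in; run it before every redeploy, not only after a failure.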


You may also want to look at:

How to Renew SSL Certificate of Your OpenShift Cluster – 3.x
