Custom CA cert renewal

[DavidMachacek]

Hello,

as step 1 I created custom CA as described in https://github.com/scholzj/strimzi-custom-ca-test for my strimzi clusteru (lets call it "source cluster"). Everything works fine, but now i need to expose the certificate using OpenShift's route in order to back the up in another cluster using mirror maker2. In order to do this I need to register a new SAN into source cluster.

In order to do that I took the original intermediate pem/key (output-b01/intermediate.pem -ca-key output-b01/intermediate-key.pem) from step 1 and used them to generate a new cluster certificates:

cfssl sign -config config.json -profile clusterCA \
-ca output-b01/intermediate.pem -ca-key output-b01/intermediate-key.pem \
output-b01-updated/b01-cluster-updated.csr output-b01-updated/b01-cluster-updated.json | cfssljson -bare output-b01-

cat output-b01-updated/b01-cluster-updated.pem > output-b01-updated/b01-cluster-updated-bundle.crt
cat output-b01/intermediate.pem >> output-b01-updated/b01-cluster-updated-bundle.crt
cat output-b01/ca.pem >> output-b01-updated/b01-cluster-updated-bundle.crt

Config for new certificate is
{ "CN": "INF-TOCP Kafka ClusterCA", "hosts": [ "b01-kafka-mmexternal-bootstrap-infra-kafka.apps.b01-tocp.xxx.xx" ], "names": [ { "C": "xxx", "L": "xxx", "O": "xxx" } ], "key": { "algo": "rsa", "size": 2048 } }

and created a new secrets with updated strimzi.io/ca-key-generation annotation:

apiVersion: v1
kind: Secret
metadata:
  annotations:
    strimzi.io/ca-key-generation: "1"
    strimzi.io/ca-cert-generation: "1"
  name: b01-cluster-ca
  labels:
    strimzi.io/cluster: b01
    strimzi.io/kind: Kafka
type: Opaque
data:
  ca.crt: xxx
  ca.p12: xxx
  ca.password: xxx

apiVersion: v1
kind: Secret
metadata:
  annotations:
    strimzi.io/ca-key-generation: "1"
    strimzi.io/ca-cert-generation: "1"
  name: b01-cluster-ca
  labels:
    strimzi.io/cluster: b01
    strimzi.io/kind: Kafka
type: Opaque
data:
  ca.key: xxx

After applying these updated secrets, the operator starts to restart pod with kafka broker. But it fails with
$ oc logs -f b01-kafka-1 removed directory '/tmp/hsperfdata_1000820000' removed '/tmp/kafka/cluster.truststore.p12' removed directory '/tmp/kafka' STRIMZI_BROKER_ID=1 Preparing truststore for replication listener Adding /opt/kafka/cluster-ca-certs/ca.crt to truststore /tmp/kafka/cluster.truststore.p12 with alias ca Certificate was added to keystore Preparing truststore for replication listener is complete Looking for the CA matching the server certificate No CA matching the server certificate found. This process will exit with failure.

Is this approach correct, or am i doing something wrong?

[scholzj]

SANs have nothing to do with the CAs. They are in the server certificates. If you need to add new SANs to the server certificates, you can do it for example this way: https://strimzi.io/docs/operators/latest/full/configuring.html#property-listener-config-altnames-reference. But the Route names should already be part of the SANs if you use type: route.