Updating OpenShift cluster certificates

This document describes how to replace the certificates of the router and the API server of an OpenShift 4.x cluster with certificates issued by the Let’s Encrypt service.

1. Prerequisites

Before updating certificates, make sure you have the following:

  1. Your cluster role is cluster-admin.

  2. The OpenShift CLI (oc) is installed.

  3. You can create and edit DNS records in the hosted zone that contains the domain name of the cluster. In this document, this domain name is referred to as DNS_WILDCARD.

  4. Certbot is installed.
    To learn how to install Certbot, refer to the Certbot instructions.

    On the Certbot instructions page, select the following options:

    • My HTTP website is running: select Other.

    • on: select your operating system (for example, macOS).

    Figure 1. Certbot instructions page

    Only the Certbot installation itself is required; you do not need to follow any of the other instructions on that page.

2. Updating certificates

  1. Open a console as a user with sudo privileges.

  2. Run the following command:

    certbot certonly --manual

  3. First run only: when prompted, enter your email address and agree to the terms of use, then choose whether you want to share your email address with the Electronic Frontier Foundation.

    When prompted for the domain names to include in the certificate, specify both of the following:

    • *.<DNS_WILDCARD> (for example, *.openshift.example.com)

    • *.apps.<DNS_WILDCARD> (for example, *.apps.openshift.example.com)

  4. Optional: if you get the message "You have an existing certificate that has exactly the same domains or certificate name you requested and isn’t close to expiry.", select the Renew & replace the certificate option.

  5. In the hosted zone that contains the DNS_WILDCARD of the cluster, create the TXT records that Certbot asks for. Before you press Enter in the Certbot prompt, confirm that each record exists and has the expected value by running the following command in a separate console window:

    nslookup -type=txt <dns_record>

    Figure 2. Verifying the record

  6. If the certificate is issued successfully, Certbot prints a message with the paths to the private key and the certificate chain files:

    Figure 3. Certificate saved successfully

  7. Delete the old router and API server secrets by running these commands:

    oc delete secret router-certs -n openshift-ingress
    oc delete secret router-certs -n openshift-config

  8. Create the new router and API server secrets from the files reported by Certbot by running these commands:

    oc create secret tls router-certs --cert=<fullchain.pem> \
      --key=<privkey.pem> -n openshift-ingress
    oc create secret tls router-certs --cert=<fullchain.pem> \
      --key=<privkey.pem> -n openshift-config

  9. Delete the router pods so that they are recreated and pick up the new certificate:

    oc delete pods --all -n openshift-ingress
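
The following script is an added example, not part of this document or of the OpenShift or Certbot projects. It wraps steps 7 to 9 with checks that the files Certbot produced actually fit the cluster before any secret is touched: the private key must match the leaf certificate, the subjectAltName must list both wildcards, and the certificate must not be close to expiry. It assumes openssl and oc are on PATH; all file paths and the DNS_WILDCARD value are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not part of the original document: pre-flight checks on the
# certbot output before steps 7-9 replace the cluster secrets. Assumes openssl
# and oc on PATH; file paths and the DNS_WILDCARD value are placeholders.
set -eu

# 0 if the private key matches the leaf (first) certificate in the chain file.
cert_matches_key() {
  local chain="$1" key="$2" cert_pub key_pub
  cert_pub=$(openssl x509 -in "$chain" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# 0 if every name after the chain file is a DNS entry of the leaf's
# subjectAltName. Wildcards match literally: *.x does not cover *.apps.x.
cert_covers_names() {
  local chain="$1" sans name; shift
  sans=$(openssl x509 -in "$chain" -noout -text | grep -A1 'Subject Alternative Name' \
         | tail -n 1 | tr -d ' ' | tr ',' '\n') || sans=""
  for name in "$@"; do
    printf '%s\n' "$sans" | grep -qxF "DNS:$name" || return 1
  done
}

# 0 if the leaf certificate is still valid in $2 seconds (default: 30 days).
cert_not_expiring() {
  openssl x509 -in "$1" -noout -checkend "${2:-2592000}" >/dev/null
}

# Steps 7-9, run only after the checks pass. Each secret is replaced in place
# (oc 4.5+ supports --dry-run=client) rather than deleted and re-created, so
# there is no window in which the secret is absent.
rotate_cluster_certs() {
  local chain="$1" key="$2" wildcard="$3" ns
  cert_matches_key "$chain" "$key" || { echo "key does not match cert" >&2; return 1; }
  cert_covers_names "$chain" "*.$wildcard" "*.apps.$wildcard" \
    || { echo "cert lacks *.$wildcard or *.apps.$wildcard" >&2; return 1; }
  cert_not_expiring "$chain" || { echo "cert expires within 30 days" >&2; return 1; }
  for ns in openshift-ingress openshift-config; do
    oc create secret tls router-certs --cert="$chain" --key="$key" -n "$ns" \
      --dry-run=client -o yaml | oc apply -f -
  done
  oc delete pods --all -n openshift-ingress
}

# Usage (placeholder paths in certbot's default layout):
# rotate_cluster_certs /etc/letsencrypt/live/openshift.example.com/fullchain.pem \
#   /etc/letsencrypt/live/openshift.example.com/privkey.pem openshift.example.com
```

The three check functions can also be run on their own against any fullchain.pem and privkey.pem pair before a rotation, independently of oc.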