Thursday 6 April 2017

Fix Expired Certificate Issue on Ganeti cluster

When the certificate expires on a Ganeti cluster, you will get these error messages when starting the ganeti service:
(0) root@server ~
# gnt-instance list
Cannot communicate with the master daemon.
Is it running and listening for connections?
(1) root@server ~
# gnt-cluster getmaster
sever.gnt6.fog.priv
(0) root@server ~
# ls /var/lib/ganeti/ssconf_master_node
/var/lib/ganeti/ssconf_master_node
(0) root@server ~
# cat /var/lib/ganeti/ssconf_master_node
sever.gnt6.fog.priv
(0) root@server ~
# /etc/init.d/ganeti start
Starting Ganeti cluster:ganeti-noded...done.
ganeti-masterd...ERROR:root:RPC error in master_info from node X: Error 60: server certificate verification failed. CAfile: /var/lib/ganeti/server.pem CRLfile: none
ERROR:root:RPC error in master_info from node X: Error 60: server certificate verification failed. CAfile: /var/lib/ganeti/server.pem CRLfile: none
ERROR:root:RPC error in master_info from node Y: Error 60: server certificate verification failed. CAfile: /var/lib/ganeti/server.pem CRLfile: none
ERROR:root:RPC error in master_info from node Z: Error 60: server certificate verification failed. CAfile: /var/lib/ganeti/server.pem CRLfile: none
CRITICAL:root:Cluster inconsistent, most of the nodes didn't answer after multiple retries. Aborting startup
CRITICAL:root:Use the --no-voting option if you understand what effects it has on the cluster state
failed (exit code 1).
ganeti-rapi...done.
ganeti-confd...done.
(0) root@sever ~
# gnt-instance list
Cannot communicate with the master daemon.
Is it running and listening for connections?
(1) root@server ~
Checking the certificate shows that it has expired. To solve this issue, on the current (but broken) master, keep a copy of the expired certificate and create a new self-signed one (the command uses a 2048-bit key, the same size as the expired certificate's):
# cp /var/lib/ganeti/server.pem ~/expired.server.pem
# openssl req -new -newkey rsa:2048 -days 1825 -nodes -x509 -keyout /var/lib/ganeti/server.pem -out /var/lib/ganeti/server.pem -batch
# chmod 0400 /var/lib/ganeti/server.pem
Then run this script to copy this new certificate to all nodes in the cluster:
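#!/bin/sh
# Replace X Y Z with the hostnames of the non-master nodes.
for i in X Y Z
do
       # Keep a copy of the node's expired certificate in the home directory
       ssh "$i" "cp /var/lib/ganeti/server.pem ~/"
       # Install the certificate that was just generated on the master
       scp /var/lib/ganeti/server.pem "$i":/var/lib/ganeti/server.pem
       ssh "$i" "chmod 0400 /var/lib/ganeti/server.pem"
       ssh "$i" "/etc/init.d/ganeti restart"
done
# Restart the master last
/etc/init.d/ganeti restart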
Note that the script restarts the ganeti service on all the non-master nodes before restarting it on the master node.

Wednesday 5 April 2017

Examine Certificate for expiration date

(0) root@server /var/log/ganeti
# openssl x509 -in /var/lib/ganeti/server.pem -text -noout
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=ganeti.example.com
        Validity
            Not Before: Mar 15 19:33:15 2012 GMT
            Not After : Mar 14 19:33:15 2017 GMT
        Subject: CN=ganeti.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
(0) root@server /var/log/ganeti
#
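
Both posts above come down to reading the Not After date of /var/lib/ganeti/server.pem by hand after the cluster has already stopped working. The following is an added example, not part of the original posts or of Ganeti: a check for cron or a monitoring agent that reports the certificate's status ahead of time. The 30-day threshold, the exit codes and the "check" argument are assumptions of this example, and it relies on GNU date.

```shell
#!/bin/sh
# Added example: warn before the Ganeti node certificate expires.
# WARN_DAYS, the exit codes and the "check" argument are assumptions.
CERT="${CERT:-/var/lib/ganeti/server.pem}"
WARN_DAYS="${WARN_DAYS:-30}"

# seconds_left NOTAFTER NOW_EPOCH
# NOTAFTER is the date text openssl prints, e.g. "Mar 14 19:33:15 2017 GMT".
# Prints the seconds until expiry (negative once expired). Needs GNU date -d.
seconds_left() {
    end_epoch=$(date -u -d "$1" +%s) || return 3
    echo $(( end_epoch - $2 ))
}

# cert_status SECONDS_LEFT WARN_DAYS -> prints EXPIRED, WARNING or OK
cert_status() {
    if [ "$1" -le 0 ]; then
        echo EXPIRED
    elif [ "$1" -le $(( $2 * 86400 )) ]; then
        echo WARNING
    else
        echo OK
    fi
}

# check_cert FILE -> one report line; returns 0 OK, 1 WARNING, 2 EXPIRED,
# 3 if the file could not be read or its date could not be parsed.
check_cert() {
    not_after=$(openssl x509 -in "$1" -noout -enddate) || return 3
    not_after=${not_after#notAfter=}
    secs=$(seconds_left "$not_after" "$(date -u +%s)") || return 3
    status=$(cert_status "$secs" "$WARN_DAYS")
    echo "$status: $1 notAfter=$not_after ($(( secs / 86400 )) days left)"
    case $status in
        OK) return 0 ;;
        WARNING) return 1 ;;
        *) return 2 ;;
    esac
}

# Usage: sh ganeti-cert-check.sh check [certificate file]
# Nothing runs without "check", so the functions can be sourced elsewhere.
if [ "${1:-}" = "check" ]; then
    check_cert "${2:-$CERT}"
fi
```

Run it on every node, since each one holds its own copy of server.pem.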