You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
We removed the certificate from our manifest and did a bosh deploy, and saw that the certificate was still in /etc/ssl/certs/ca-certificates.crt on our VM. We had to delete and recreate the VM to see the certificate removed from /etc/ssl/certs/ca-certificates.crt on our VM
Is this a known issue?
The text was updated successfully, but these errors were encountered:
Currently the only way to remove a certificate is, as you found, recreating the VM. While this is unexpected behavior, it was the tradeoff between trying to track certificates and either remove them during drain (when other services may still need to rely on custom CAs for connections) or do hacky things to try and remove them next time something tries to run after an update (since the ca_certs job would have been uninstalled by then).
Is this something you're noticing during development, or is this impacting you in other areas as well?
Prior to this change uaa was running into a race condition where if os-conf was co-located with uaa and if os-conf updated its certificates before uaa could load those certificates into its truststore then uaa would essentially miss out on loading those certs forever (even if you monit restart uaa)
os-conf not removing certificates does not affect uaa but it was unexpected when the PM was accepting this story.
This issue was closed because it has been labeled Stale for 7 days without subsequent activity. Feel free to re-open this issue at any time by commenting below.
We removed the certificate from our manifest and did a bosh deploy, and saw that the certificate was still in /etc/ssl/certs/ca-certificates.crt on our VM. We had to delete and recreate the VM to see the certificate removed from /etc/ssl/certs/ca-certificates.crt on our VM
Is this a known issue?
The text was updated successfully, but these errors were encountered: