
Deleted Certificate from os-conf still shows up in /etc/ssl/certs/ca-certificates.crt #29

Closed
tnwang opened this issue Apr 2, 2018 · 4 comments

@tnwang

tnwang commented Apr 2, 2018

We removed the certificate from our manifest and did a bosh deploy, and saw that the certificate was still in /etc/ssl/certs/ca-certificates.crt on our VM. We had to delete and recreate the VM to see the certificate removed from /etc/ssl/certs/ca-certificates.crt on our VM.

Is this a known issue?

@dpb587-pivotal
Contributor

Currently the only way to remove a certificate is, as you found, recreating the VM. While this is unexpected behavior, it was the tradeoff between trying to track certificates and either remove them during drain (when other services may still need to rely on custom CAs for connections) or do hacky things to try and remove them next time something tries to run after an update (since the ca_certs job would have been uninstalled by then).

Is this something you're noticing during development, or is this impacting you in other areas as well?
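Since the bundle keeps a CA until the VM is recreated, a practical follow-up to the comment above is to audit /etc/ssl/certs/ca-certificates.crt after a deploy and flag any CA that is no longer in the manifest. The script below is an added example, not code from os-conf or BOSH: it splits a PEM bundle into certificates, fingerprints each one as SHA-256 over the DER bytes (the same value `openssl x509 -fingerprint -sha256` prints), and reports fingerprints that are not in an expected set. The sample bundle is constructed inline with arbitrary bytes in place of real DER, so its fingerprints are illustrative only; the parsing and comparison are what would run against a real bundle.

```python
import base64
import hashlib
import re
import sys

# Matches one PEM certificate block; the body may span many lines.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def bundle_fingerprints(bundle_text: str) -> list[str]:
    """Return the SHA-256 fingerprint (lowercase hex) of every PEM cert in a bundle."""
    fingerprints = []
    for body in PEM_RE.findall(bundle_text):
        # Drop line breaks inside the base64 body before decoding to DER.
        der = base64.b64decode("".join(body.split()), validate=True)
        fingerprints.append(hashlib.sha256(der).hexdigest())
    return fingerprints


def stale_cas(bundle_text: str, expected_fps: set[str]) -> list[str]:
    """Fingerprints present in the bundle but absent from the expected set.

    A non-empty result means the VM still trusts a CA that the manifest no
    longer lists, which is exactly the condition described in this issue.
    """
    return [fp for fp in bundle_fingerprints(bundle_text) if fp not in expected_fps]


def pem_block(der: bytes) -> str:
    """Wrap DER bytes as a PEM CERTIFICATE block with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n"


# Constructed sample data (not real certificates): one CA that is still in
# the manifest and one that was removed but lingers in the bundle.
EXPECTED_DER = b"constructed stand-in for the DER of a CA still in the manifest"
STALE_DER = b"constructed stand-in for the DER of a CA removed from the manifest"
EXPECTED_FP = hashlib.sha256(EXPECTED_DER).hexdigest()
STALE_FP = hashlib.sha256(STALE_DER).hexdigest()
SAMPLE_BUNDLE = pem_block(EXPECTED_DER) + pem_block(STALE_DER)
EXPECTED_FPS = {EXPECTED_FP}


def audit_sample() -> list[str]:
    """Run the audit over the constructed bundle; returns the stale fingerprints."""
    return stale_cas(SAMPLE_BUNDLE, EXPECTED_FPS)


if __name__ == "__main__":
    # Usage: python audit_bundle.py [BUNDLE_PATH] [EXPECTED_SHA256_HEX ...]
    # With no arguments the constructed sample is audited instead of a real file.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
        expected = {fp.lower() for fp in sys.argv[2:]}
    else:
        text, expected = SAMPLE_BUNDLE, EXPECTED_FPS
    for fp in stale_cas(text, expected):
        print(f"stale CA in bundle: sha256={fp}")
```

On a BOSH VM the expected set would be the SHA-256 fingerprints of the CAs currently rendered by the ca_certs job plus the stemcell's distribution CAs; anything else in the bundle is a trust anchor that survived only because the VM was not recreated.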

@DennisDenuto

Hey @dpb587-pivotal, FYI the uaa team has made some changes to how/when uaa loads certificates into its java truststore. See cloudfoundry/uaa-release#71

Prior to this change uaa was running into a race condition where, if os-conf was co-located with uaa and os-conf updated its certificates before uaa could load those certificates into its truststore, then uaa would essentially miss out on loading those certs forever (even if you monit restart uaa).

os-conf not removing certificates does not affect uaa but it was unexpected when the PM was accepting this story.

@dpb587-pivotal
Contributor

Thanks for the link - glad the race condition is improved.

I think this has come up before in Slack, so I'll leave this open for discoverability since it's currently a technical limitation of BOSH releases.

@bosh-admin-bot

This issue was closed because it has been labeled Stale for 7 days without subsequent activity. Feel free to re-open this issue at any time by commenting below.


4 participants