Bug 1743950

Summary: full chain in custom CA causes controllers to crashloopback
Product: OpenShift Container Platform
Reporter: Vladislav Walek <vwalek>
Component: Installer
Assignee: Joseph Callen <jcallen>
Installer sub component: openshift-ansible
QA Contact: Gaoyun Pei <gpei>
Status: CLOSED ERRATA
Docs Contact:
Severity: high
Priority: unspecified
CC: aos-bugs, bparees, deads, gpei, jcallen, mfojtik
Version: 3.11.0
Target Milestone: ---
Target Release: 3.11.z
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-09-24 08:08:09 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Vladislav Walek 2019-08-21 04:18:08 UTC
Description of problem:

The controllers service fails to start due to:
E0821 00:05:30.608953       1 controllermanager.go:483] Error starting "csrsigning"
F0821 00:05:30.608976       1 controllermanager.go:188] error starting controllers: failed to start certificate controller: error parsing CA cert file "/etc/origin/master/ca.crt": {"code":1003,"message":"the PEM file should contain only one object"}

My CA actually contains two certificates, the full chain - root and CA.
The docs are actually saying that:

If the CA certificate is issued by an intermediate CA, the bundled certificate must contain the full chain (the intermediate and root certificates) for the CA in order to validate child certificates.
https://docs.openshift.com/container-platform/3.11/install_config/redeploying_certificates.html#redeploying-new-custom-ca

Version-Release number of selected component (if applicable):
OpenShift Container Platform 3.11
atomic-openshift-3.11.117-1.git.0.14e54a3.el7.x86_64

How reproducible:
Reproducible in my lab.

Steps to Reproduce:
1. create pem cert containing the full chain certs
2. redeploy with playbook
3. check the controllers service

Actual results:


Expected results:


Additional info:
Actually a customer is hitting the same issue - running the reproducer for the customer.

Comment 3 David Eads 2019-08-22 18:38:40 UTC
I don't know.  I'd try the install team.

Comment 10 Gaoyun Pei 2019-09-17 10:59:59 UTC
Verify this bug with openshift-ansible-3.11.146-1.git.0.fcedb45.el7.noarch.rpm

1) With a ca-chain cert set in openshift_master_ca_certificate, run playbooks/openshift-master/redeploy-openshift-ca.yml
openshift_master_ca_certificate={"certfile": "/path/to/files/ca/ca-chain.cert.pem", "keyfile": "/path/to/files/ca/intermediate.key.pem"}

It will fail as below:

TASK [Validate openshift_master_ca_certificate when defined] *******************
fatal: [ci-vm-10-0-151-103.hosted.upshift.rdu2.redhat.com]: FAILED! => {"changed": false, "msg": "If defined, openshift_master_ca_certificate must include two parameters: certfile and keyfile. The certfile parameter must contain only the single certificate that signs the OpenShift Container Platform certificates. If you have intermediate certificates in your chain, you must bundle them into a different file. See https://docs.openshift.org/latest/install_config/redeploying_certificates.html#redeploying-new-custom-ca\n"}
	to retry, use: --limit @/home/slave6/workspace/Run-Ansible-Playbooks-Nextge/private-openshift-ansible/playbooks/openshift-master/redeploy-openshift-ca.retry


2) With a ca-chain cert set in openshift_additional_ca, and intermediate CA set in openshift_master_ca_certificate
openshift_additional_ca=/path/to/files/ca/ca-chain.cert.pem
openshift_master_ca_certificate={"certfile": "/path/to/files/ca/intermediate.cert.pem", "keyfile": "/path/to/files/ca/intermediate.key.pem"}

playbooks/openshift-master/redeploy-openshift-ca.yml could finish successfully.

Check on the master:
* /etc/origin/master/ca.crt was updated as the specified intermediate CA
* /etc/origin/master/additional_ca.crt was updated as the specified ca-chain CA
* /etc/origin/master/ca-bundle.crt was updated as old openshift CA & the specified ca-chain CA
* /etc/origin/node/client-ca.crt was updated as the new content of /etc/origin/master/ca-bundle.crt
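The checks behind this report, as an added example that is not part of the bug report or of openshift-ansible: count the PEM objects in a file the way the controller's "only one object" error does, and split a bundled chain into the single signing CA for `certfile` and the full bundle for `openshift_additional_ca`, matching the inventory layout verified above. The PEM bodies are constructed placeholders, not real certificates.

```python
import re
from typing import List, Tuple

# Constructed sample shaped like the ca-chain.cert.pem in the report:
# intermediate first, root second. Bodies are placeholders, not real certs.
CA_CHAIN_PEM = """-----BEGIN CERTIFICATE-----
MIIC...intermediate-ca-placeholder...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIC...root-ca-placeholder...
-----END CERTIFICATE-----
"""

# One PEM object: BEGIN/END labels must match (RFC 7468 style).
PEM_OBJECT = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL,
)


def pem_objects(text: str) -> List[Tuple[str, str]]:
    """Return (label, block) for every PEM object in text, in file order."""
    return [(m.group(1), m.group(0) + "\n") for m in PEM_OBJECT.finditer(text)]


def check_single_certificate(text: str) -> str:
    """Mirror the controller's requirement for /etc/origin/master/ca.crt:
    exactly one CERTIFICATE object. Returns 'ok' or the reason it fails."""
    objs = pem_objects(text)
    if not objs:
        return "no PEM object found"
    if len(objs) > 1:
        return "the PEM file should contain only one object (found %d)" % len(objs)
    label = objs[0][0]
    if label != "CERTIFICATE":
        return "expected CERTIFICATE, found %s" % label
    return "ok"


def split_chain(text: str) -> Tuple[str, str]:
    """Split a bundled chain as the verified inventory expects:
    first object -> certfile (the CA that signs cluster certs),
    whole chain  -> the openshift_additional_ca bundle."""
    objs = pem_objects(text)
    if not objs:
        raise ValueError("no PEM object found")
    return objs[0][1], "".join(block for _, block in objs)


if __name__ == "__main__":
    print(check_single_certificate(CA_CHAIN_PEM))
    signing_ca, bundle = split_chain(CA_CHAIN_PEM)
    print(check_single_certificate(signing_ca), len(pem_objects(bundle)))
```

Feeding the whole chain to `check_single_certificate` reproduces the rejection; the first half of `split_chain` passes it, and the second half is what goes into `openshift_additional_ca`.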

Comment 12 errata-xmlrpc 2019-09-24 08:08:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2816