Bug 1881757

Summary: master node could not get ignition file with error "x509: certificate relies on legacy Common Name field"
Product: OpenShift Container Platform
Reporter: jima
Component: Installer
Sub component: openshift-installer
Assignee: Abhinav Dahiya <adahiya>
QA Contact: jima
Status: CLOSED ERRATA
Severity: high
Priority: high
CC: adahiya, walters, wsun
Version: 4.6
Target Release: 4.6.0
Hardware: Unspecified
OS: Unspecified
Type: Bug
Last Closed: 2020-10-27 16:44:05 UTC
Attachments: error from vm console

Description jima 2020-09-23 03:33:08 UTC
Created attachment 1715907 [details]
error from vm console

Description of problem:
Installed a UPI cluster on vSphere with OCP 4.6.0-0.nightly-2020-09-22-200146; the RHCOS template is 46.82.202009182140-0.

Master nodes could not get the ignition file, and the error below is shown in the VM console:
x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0

According to https://bugzilla.redhat.com/show_bug.cgi?id=1877995#c29, we may need to adjust the SAN of the certificate we generated.

Please see attached screenshot for this error.

Version-Release number of the following components:
4.6.0-0.nightly-2020-09-22-200146

How reproducible:
Always
Steps to Reproduce:
1. Install OCP with rhcos template "46.82.202009182140-0"

Actual results:
Cluster installation failed.

Expected results:
Cluster is installed successfully.

Comment 1 Abhinav Dahiya 2020-09-23 17:59:57 UTC
cat dev/bootstrap.ign | jq -r '.storage.files[] | select(.path == "/opt/openshift/tls/machine-config-server.crt") | .contents.source' | cut -c 38- | base64 -d | openssl x509 -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4744838048981034579 (0x41d90d10fa45a653)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: OU = openshift, CN = root-ca
        Validity
            Not Before: Sep 23 17:48:17 2020 GMT
            Not After : Sep 21 17:48:20 2030 GMT
        Subject: CN = api-int.adahiya-2.installer.gcp.devcluster.openshift.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:ef:eb:f4:9a:a4:47:e4:fb:5b:26:01:06:c8:4a:
                    0b:0f:ff:2f:7f:24:b2:bf:3a:19:75:c4:08:a8:1c:
                    b4:8c:b3:47:9b:cc:8c:f5:23:f6:89:0b:23:08:36:
                    68:f6:23:5c:26:e2:3a:54:f1:6c:c5:74:19:78:d1:
                    83:15:a8:65:92:40:49:10:20:30:ec:9b:9f:04:ea:
                    df:60:55:3f:54:46:f7:6e:36:f9:32:c0:09:3c:88:
                    62:31:38:35:e9:f3:50:06:e0:43:9d:1b:e9:1a:a1:
                    cc:b0:c8:8b:dc:d6:2f:9d:e0:49:7f:ac:60:26:5e:
                    11:80:08:26:48:88:ff:7c:f8:b0:1b:38:6e:2f:ba:
                    86:63:f1:ba:79:ef:d9:dd:22:0d:ac:fd:4a:91:7e:
                    be:2b:5e:7b:96:71:0c:e9:52:57:75:55:32:45:bc:
                    5b:fe:6b:ca:e2:d7:9e:ce:9d:60:d3:71:69:41:08:
                    75:96:f2:62:5d:c3:29:e5:1d:51:43:5f:3a:28:0c:
                    53:ea:5a:65:1b:2d:f7:3c:99:60:c8:c5:c4:09:92:
                    04:72:00:90:ba:27:82:63:96:0b:c8:96:ce:b1:19:
                    9e:06:db:f3:5f:7f:94:cd:d6:e8:ff:a0:22:74:8f:
                    fb:53:cd:92:04:2f:07:84:3b:f4:48:e0:09:1c:f4:
                    36:17
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                D3:A9:B1:48:5C:B3:77:C4:75:69:2C:BB:DA:99:56:91:2F:30:7D:C9
            X509v3 Authority Key Identifier:
                keyid:FD:50:60:CC:3D:49:41:53:DB:21:F5:3E:AD:6E:DC:3A:A5:6E:C2:E7

            X509v3 Subject Alternative Name:
                DNS:api-int.adahiya-2.installer.gcp.devcluster.openshift.com
    Signature Algorithm: sha256WithRSAEncryption
         56:40:91:60:d8:9d:97:f1:91:40:48:60:e9:b4:28:67:42:8a:
         d6:e9:b1:16:a1:89:d9:b5:25:f2:ac:21:93:11:03:2f:1d:d1:
         1d:15:af:aa:54:9f:e6:ac:00:64:3f:b1:d2:d5:f8:8e:dd:91:
         8c:ee:35:5c:18:53:6e:5e:65:76:2b:6c:11:84:c4:56:28:b5:
         e3:8b:4e:f1:33:ff:d8:64:7a:f9:ad:49:69:1b:6f:49:f3:85:
         e3:de:9a:94:aa:a4:2f:3e:74:9b:dc:b7:76:67:3e:97:30:fd:
         fa:a3:57:51:95:fb:7c:4d:f4:e3:d6:ce:24:06:bc:c0:7f:fb:
         a6:c1:52:4f:e9:54:75:a7:25:95:1b:ef:58:57:e8:c9:01:69:
         7d:e6:02:8d:4a:04:06:2e:19:b1:06:90:0c:7a:18:e0:5b:66:
         2e:9b:65:3e:79:3e:f0:7f:20:5b:3e:0d:53:6e:cf:c1:e8:29:
         ce:a8:11:39:4c:0c:ed:2b:ce:e3:2e:0b:be:e1:f1:95:ef:15:
         8b:34:de:9d:01:65:a5:5d:84:d3:23:ad:e9:83:b1:c3:b6:0a:
         23:c7:7b:33:d1:80:c8:b2:12:5f:e1:4e:41:c5:68:9d:df:c5:
         ed:7b:a1:d0:a3:32:f0:a9:04:29:78:38:79:e2:8c:30:03:a8:
         05:8c:d6:14

The certs I tested, created by the installer, have SANs correctly set up. Can you help by fetching the cert that ignition is served with in the cluster where you are seeing the error?

maybe something like `openssl s_client -connect api-int.adahiya-2.installer.gcp.devcluster.openshift.com:22623`
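The error quoted in the description is the message Go's crypto/x509 hostname verifier has returned since Go 1.15 for a certificate whose only name is in the Subject CN, with no Subject Alternative Name extension. The following is an added example (my code, not the installer's or ignition's) that reproduces that verdict with Go's own verifier: it mints a throwaway root-ca, one leaf shaped like the installer's machine-config-server cert above (CN plus a matching DNS SAN) and one leaf that carries the host only in the CN, then verifies both for the host. The CA, both leaves and the hostname api-int.example.test are constructed in memory for the demo and do not come from any cluster.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
	"time"
)

// apiIntHost is a made-up stand-in for the cluster's api-int record.
const apiIntHost = "api-int.example.test"

// mint signs tmpl with parent (self-signed when parent is nil) and returns the parsed cert.
// Demo-only: a failure here is a bug in the template, not an input error, so it panics.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// serverTemplate mirrors the installer's MCS cert shape (CN = api-int host, serverAuth EKU).
// With sans=false the host lives only in the CN, the legacy shape behind the error.
func serverTemplate(host string, sans bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if sans {
		t.DNSNames = []string{host}
	}
	return t
}

// HasSANExtension applies the same test as Go's verifier: is extension 2.5.29.17 present at all?
func HasSANExtension(c *x509.Certificate) bool {
	for _, e := range c.Extensions {
		if e.Id.Equal(asn1.ObjectIdentifier{2, 5, 29, 17}) {
			return true
		}
	}
	return false
}

// Verdict is what an ignition client would conclude about one MCS certificate.
type Verdict struct {
	OK       bool   // chain and hostname verified
	LegacyCN bool   // rejected only because the host is in the CN and there is no SAN extension
	Err      string // the verifier's message, if any
}

// Check verifies cert for host against root and classifies a CN-only failure.
func Check(cert, root *x509.Certificate, host string) Verdict {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: pool}); err != nil {
		var he x509.HostnameError
		legacy := errors.As(err, &he) && !HasSANExtension(cert) && cert.Subject.CommonName == host
		return Verdict{LegacyCN: legacy, Err: err.Error()}
	}
	return Verdict{OK: true}
}

// Demo mints a root-ca plus both MCS cert shapes and returns (CN-only verdict, SAN verdict).
func Demo() (cnOnly, withSAN Verdict) {
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{OrganizationalUnit: []string{"openshift"}, CommonName: "root-ca"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	ca, caKey := mint(caTmpl, nil, nil)
	leafCN, _ := mint(serverTemplate(apiIntHost, false), ca, caKey)
	leafSAN, _ := mint(serverTemplate(apiIntHost, true), ca, caKey)
	return Check(leafCN, ca, apiIntHost), Check(leafSAN, ca, apiIntHost)
}
```

Demo() returns a rejected verdict with LegacyCN set for the CN-only leaf (its Err is the "relies on legacy Common Name field" message) and an accepted one for the leaf with the DNS SAN, even though both chain to the same root and carry the same CN. HasSANExtension is the check to apply to whatever cert the cluster is actually serving on :22623: the X509v3 Subject Alternative Name block must be present in the openssl x509 -text output, not just a matching CN. Note that setting GODEBUG=x509ignoreCN=0 is only a stopgap; later Go releases removed the CN fallback entirely, so the fix is the SAN.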

Comment 2 Colin Walters 2020-09-23 19:16:04 UTC
Right, the fact that this isn't failing across the board implies that there's something either wrong with just vSphere (UPI) or somehow the SANs for *this* particular install are wrong.

Comment 3 Scott Dodson 2020-09-24 19:48:49 UTC
Jinyun,

Can you take a look and provide more information on this? We're baffled by why this is happening and would like to make sure we understand the problem before we make any changes.

Comment 6 jima 2020-09-29 05:34:08 UTC
Verified on UPI on vSphere with OCP 4.6.0-0.nightly-2020-09-28-212756 and RHCOS template rhcos-46.82.202009222340-0; installation is successful, so moving the bug to VERIFIED.

Comment 9 errata-xmlrpc 2020-10-27 16:44:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196