Description of problem:
Certificates configured as named certificates which have matching hostnames in CN and subjectAlternativeNames fields will cause duplicate names entries to be configured in /etc/origin/master/master-config.yaml when a "cafile" is specified.

Ansible output:
TASK [openshift_master : Start and enable master] ******************************
fatal: [master4.example.com]: FAILED! => {"changed": false, "failed": true, "msg": "Unable to start service atomic-openshift-master: Job for atomic-openshift-master.service failed because the control process exited with error code. See \"systemctl status atomic-openshift-master.se}

Master config section with duplicate names:
namedCertificates:
- certFile: /etc/origin/master/named_certificates/master.flibberty-jibbet.com.crt
  keyFile: /etc/origin/master/named_certificates/master.flibberty-jibbet.com.key
  names:
  - "master.flibberty-jibbet.com"
  - "master.flibberty-jibbet.com"
  - "internal-master.flibberty-jibbet.com"

Journal entry from failed master service:
servingInfo.namedCertificates[0].names[1]: Invalid value: "master.flibberty-jibbet.com": this name is already used in another named certificate

Version-Release number of selected component (if applicable):
atomic-openshift-utils-3.2.28-1.git.0.5a85fc5.el7.noarch
openshift-ansible-3.2.28-1.git.0.5a85fc5.el7.noarch
openshift-ansible-docs-3.2.28-1.git.0.5a85fc5.el7.noarch
openshift-ansible-roles-3.2.28-1.git.0.5a85fc5.el7.noarch
openshift-ansible-filter-plugins-3.2.28-1.git.0.5a85fc5.el7.noarch
openshift-ansible-lookup-plugins-3.2.28-1.git.0.5a85fc5.el7.noarch
openshift-ansible-playbooks-3.2.28-1.git.0.5a85fc5.el7.noarch

How reproducible:
Always.

Steps to Reproduce:
1. Create CA and certificates with hostname (e.g. master.flibberty-jibbet.com) set as CN and within subjectAlternativeNames.
san.cnf contents:
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = North Carolina
localityName = Locality Name (eg, city)
localityName_default = Raleigh
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = master.flibberty-jibbet.com
commonName_max = 64

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = master.flibberty-jibbet.com
DNS.2 = internal-master.flibberty-jibbet.com

Commands used to create certificates (be sure to set CN=master.flibberty-jibbet.com):
openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -days 1024 -subj '/C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./OU=OpenShift/CN=flibberty-jibbet.com/emailAddress=none/' -out ca.crt
openssl genrsa -out master.flibberty-jibbet.com.key 2048
openssl req -new -out master.flibberty-jibbet.com.csr -key master.flibberty-jibbet.com.key -config san.cnf
openssl x509 -req -days 3650 -in master.flibberty-jibbet.com.csr -signkey master.flibberty-jibbet.com.key -out master.flibberty-jibbet.com.crt -extensions v3_req -extfile san.cnf

2. Configure host inventory with openshift_master_named_certificates containing certificate, key and CA files.
openshift_master_named_certificates=[{"certfile": "/root/master.flibberty-jibbet.com.crt", "keyfile": "/root/master.flibberty-jibbet.com.key", "cafile": "/root/ca.crt"}]

3. Run openshift-ansible.

Actual results:
Master is unable to start because duplicate names are configured in the namedCertificates config section.

Expected results:
Master starts normally (because the list of detected certificate names has been deduped).
Additional info:
Workaround is to set the "names" key in the openshift_master_named_certificate dictionary, which will cause openshift-ansible to _not_ detect names in configured certificates. Note that openshift_master_overwrite_named_certificates=true must also be set in order to remove older named certificate config sections.
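As an added example (not openshift-ansible's own filter code), the following Python pulls the CN and the DNS entries of the SAN out of `openssl x509 -text` output, dedupes them the way the expected result above calls for, and models the duplicate-name check the master applies to servingInfo.namedCertificates at start-up. SAMPLE_X509_TEXT is a constructed excerpt of such output, and validate_named_certificates is a simplified model that only reproduces the journal message shown above, not the master's actual implementation.

```python
import re

# Constructed sample: the lines of `openssl x509 -in <cert> -text` output that matter
# here, for a certificate whose CN is repeated in its SAN list (the trigger for this bug).
SAMPLE_X509_TEXT = """\
Certificate:
        Subject: C=US, ST=North Carolina, L=Raleigh, OU=OpenShift, CN=master.example.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:master.example.com, DNS:internal-master.example.com
"""


def certificate_names(x509_text):
    """Hostnames one certificate serves: CN first, then DNS SANs, duplicates removed."""
    # First-appearance order is kept; only DNS: SAN entries count (IP Address:, email: are skipped).
    candidates = []
    cn = re.search(r"^\s*Subject:.*?\bCN\s*=\s*([^,/\n]+)", x509_text, re.M)
    if cn:
        candidates.append(cn.group(1).strip())
    san = re.search(r"Subject Alternative Name:(?: critical)?\s*([^\n]+)", x509_text)
    if san:
        for entry in san.group(1).split(","):
            entry = entry.strip()
            if entry.startswith("DNS:"):
                candidates.append(entry[len("DNS:"):])
    seen, names = set(), []
    for name in candidates:
        if name not in seen:  # the dedup step this bug is about: CN == DNS.1 must not repeat
            seen.add(name)
            names.append(name)
    return names


def named_certificate_entry(cert_file, key_file, x509_text):
    """One namedCertificates entry as written to master-config.yaml."""
    return {"certFile": cert_file, "keyFile": key_file, "names": certificate_names(x509_text)}


def validate_named_certificates(entries):
    """Simplified model of the master's check: a name may not be used more than once."""
    # Returns error strings in the journal's wording; an empty list means the config loads.
    used, errors = set(), []
    for i, entry in enumerate(entries):
        for j, name in enumerate(entry["names"]):
            if name in used:
                errors.append('servingInfo.namedCertificates[%d].names[%d]: Invalid value: "%s": '
                              'this name is already used in another named certificate' % (i, j, name))
            used.add(name)
    return errors
```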
Fixed in master then picked into release-1.3 https://github.com/openshift/openshift-ansible/pull/2510
Verify this bug with openshift-ansible-3.3.28.1.git.0.762256b.el7

Prepare named certificates as required:
ca.crt
master.example.com.crt
master.example.com.key

Result is listed here:
[root@local-vm ~]# openssl x509 -in master.example.com.crt -text
Certificate:
...
        Subject: C=US, ST=North Carolina, L=Raleigh, OU=OpenShift, CN=master.example.com
...
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:master.example.com, DNS:internal-master.example.com
...

[root@master ~]# cat /etc/origin/master/master-config.yaml
...
namedCertificates:
- certFile: /etc/origin/master/named_certificates/master.example.com.crt
  keyFile: /etc/origin/master/named_certificates/master.example.com.key
  names:
  - "internal-master.example.com"
  - "master.example.com"
...
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1983