Description of problem:
STI build failed due to cert error.

Version-Release number of selected component (if applicable):
openshift-ansible-3.5.15-1.git.0.8d2a456.el7.noarch

How reproducible:
100%

Steps to Reproduce:
1. Prepare an environment
2. oc new-project test
3. oc new-app centos/ruby-22-centos7~https://github.com/openshift/ruby-ex.git

Actual results:
# oc logs -f bc/ruby-ex
...
---> Cleaning up unused ruby gems ...
Pushing image 172.30.146.9:5000/weshi/ruby-ex:latest ...
Registry server Address:
Registry server User Name: serviceaccount
Registry server Email: serviceaccount
Registry server Password: <<non-empty>>
error: build error: Failed to push image: Get https://172.30.146.9:5000/v1/_ping: x509: cannot validate certificate for 172.30.146.9 because it doesn't contain any IP SANs

Expected results:
STI build succeeds.

Additional info:
# ansible-playbook -i hosts -v /usr/share/ansible/openshift-ansible/playbooks/byo/config.yml
...
TASK [openshift_hosted : Retrieve registry service IP] *************************
Monday 27 February 2017 07:06:15 +0000 (0:00:03.276) 0:20:11.120 *******
ok: [qe-weshi-all-in-one-master-1.0227-7sv.qe.rhcloud.com] => {
    "changed": false,
    "results": {
        "clusterip": "",
        "cmd": "/usr/bin/oc -n default get service docker-registry -o json",
        "results": [
            {}
        ],
        "returncode": 0,
        "stderr": "Error from server (NotFound): services \"docker-registry\" not found\n",
        "stdout": ""
    },
    "state": "list"
}

TASK [openshift_hosted : Create registry certificates] *************************
Monday 27 February 2017 07:06:17 +0000 (0:00:01.708) 0:20:12.828 *******
changed: [qe-weshi-all-in-one-master-1.0227-7sv.qe.rhcloud.com] => {
    "changed": true,
    "results": {
        "cmd": "/usr/bin/oc adm ca create-server-cert --cert=/etc/origin/master/registry.crt --hostnames=,docker-registry.default.svc.cluster.local,docker-registry-default.0227-7sv.qe.rhcloud.com --key=/etc/origin/master/registry.key --signer-key=/etc/origin/master/ca.key --signer-serial=/etc/origin/master/ca.serial.txt --signer-cert=/etc/origin/master/ca.crt --overwrite=True",
        "results": "",
        "returncode": 0
    },
    "state": "present"
}
...
# openssl x509 -in /etc/origin/master/registry.crt -text
...
            X509v3 Subject Alternative Name:
                DNS:, DNS:docker-registry-default.0227-7sv.qe.rhcloud.com, DNS:docker-registry.default.svc.cluster.local
...
It also needs to sign for DNS:docker-registry.default.svc as well as the service IP
The docker-registry service did not exist at the time it collected the service IP, therefore it failed to obtain the IP. Added a task to create the service. https://github.com/openshift/openshift-ansible/pull/3512
Seems the cert has been created correctly, but met another bug here: BZ# 1427378

# openssl x509 -in /etc/origin/master/registry.crt -text
...
            X509v3 Subject Alternative Name:
                DNS:docker-registry-default.0228-nqx.qe.rhcloud.com, DNS:docker-registry.default.svc.cluster.local, DNS:172.30.131.16, IP Address:172.30.131.16
...
Because the docker registry was not created during installation (BZ# 1427378), and the docker registry is a secure registry by default, a new cert must be created if a new docker registry is needed for STI build testing. Will test this when BZ# 1427378 is fixed.
Verified this bug with openshift-ansible-3.5.20-1.git.0.5a5fcd5.el7.noarch, and PASS.

# openssl x509 -in /etc/origin/master/registry.crt -text
            X509v3 Subject Alternative Name:
                DNS:docker-registry-default.0302-obm.qe.rhcloud.com, DNS:docker-registry.default.svc.cluster.local, DNS:172.30.136.182, IP Address:172.30.136.182

Though BZ#1427378 is only partially fixed and needs some other minor polish, followed the workaround of comments #6 and #7 mentioned in BZ#1427378 to continue this bug verification. STI build passed without any cert error.
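Added example (not code from this bug or from openshift-ansible) reproducing the SAN check behind the push failure above: a self-signed cert stands in for registry.crt, and the service IP 172.30.131.16 and service DNS names are taken from the comments; the Go crypto/x509 VerifyHostname call is the same check the docker client applied when it reported "doesn't contain any IP SANs".

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// buildRegistryCert self-signs a cert carrying the given DNS and IP SANs. It stands in
// for the registry.crt written by `oc adm ca create-server-cert --hostnames=...`.
func buildRegistryCert(dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     dnsNames,
		IPAddresses:  ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// missingSANs returns each endpoint a registry client may dial (service IP, short and
// long service DNS name) that the cert does not cover; an empty result means a clean push.
func missingSANs(cert *x509.Certificate, endpoints []string) []string {
	var missing []string
	for _, ep := range endpoints {
		if err := cert.VerifyHostname(ep); err != nil {
			missing = append(missing, ep)
		}
	}
	return missing
}

func main() {
	// Constructed pre-fix cert: clusterip was empty, so no IP SAN was issued.
	c, _ := buildRegistryCert([]string{"docker-registry.default.svc.cluster.local"}, nil)
	fmt.Println(missingSANs(c, []string{"172.30.131.16", "docker-registry.default.svc"}))
}
```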