Bug 1502838 - [3.9] Invalid entries in namedCertificates when using openshift_master_named_certificates
Summary: [3.9] Invalid entries in namedCertificates when using openshift_master_named_...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.9.0
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: 3.9.0
Assignee: Russell Teague
QA Contact: Johnny Liu
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-10-16 20:12 UTC by Renato Puccini
Modified: 2018-03-28 14:07 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Alternative names in certificates were not being properly parsed. Consequence: Alternatives with 'email:' were being added as additional hostnames. Fix: Updated the logic to only add alternative names which begin with 'DNS:' Result: Proper parsing and updating of namedCertificates
Clone Of:
: 1538895 1538896 (view as bug list)
Environment:
Last Closed: 2018-03-28 14:07:14 UTC
Target Upstream Version:
Embargoed:


Attachments
master-config.yaml after the execution of playbook. (7.79 KB, text/plain) - 2017-10-16 20:12 UTC, Renato Puccini
/etc/ansible/hosts (4.93 KB, text/plain) - 2017-10-16 20:24 UTC, Renato Puccini
pem file (9.04 KB, text/plain) - 2017-10-16 20:24 UTC, Renato Puccini


Links
Red Hat Product Errata RHBA-2018:0489 (last updated 2018-03-28 14:07:53 UTC)

Description Renato Puccini 2017-10-16 20:12:35 UTC
Created attachment 1339436
master-config.yaml after the execution of playbook.

Description of problem:
During an OpenShift 3.6 installation, the playbook failed to finish because it could not start the OpenShift master API service, due to a misconfiguration in the YAML file.
From the error message, the misconfiguration looks like it is writing the administrative email address from the certificate into the DNS list. That parameter is taken from the deployed certificates. So, since there is an email address in the DNS list, the OpenShift master API service fails, due to an invalid address in the configuration file (master-config.yaml).

Because of this behavior (a bug?), the installation fails.

Workaround*:
To complete the installation without errors, we checked at what point the Ansible playbook modifies the master-config.yaml file. We then edit the file, removing the email address, and save it. When the playbook executes the task that starts the OpenShift Master API, it starts with the right parameters, since the file has been modified and corrected.


All the parameters needed for the installation were applied in the hosts file (attached).
The .crt, .key and CA certificates are attached.
The master-config.yaml configured by the playbook is attached (with the email line in the DNS configuration).

Version-Release number of selected component (if applicable): OCP 3.6


How reproducible:
Having certificates with host and email set up.

Steps to Reproduce:
1. Install OCP 3.6 using ansible playbook
2. Must have all certificates signed by company CA
3.

Actual results:
master-config.yaml
Line #117:

namedCertificates:
  - certFile: /etc/origin/master/named_certificates/cloudbeta.rio.gov.br.crt
    keyFile: /etc/origin/master/named_certificates/cloudbeta.rio.gov.br.key
    names:
    - "email:hostmaster.rj.gov.br"
    - "cloudbeta.rio.gov.br"

*Wrong line added: #221
    - "email:hostmaster.rj.gov.br"



Expected results:
Playbook fails to start master-api service due to wrong entry on the master-config.yaml file.

Additional info:
Created By: Ryan Howe (16/10/2017 17:59)
Looks like a bug with this:

https://github.com/openshift/openshift-ansible/blob/release-3.6/filter_plugins/oo_filters.py#L540-L607


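The parsing defect the Doc Text describes (every subjectAltName entry was treated as a hostname, so an 'email:' entry landed in namedCertificates) can be shown with the textual form of the SAN extension, which is what `openssl x509 -text` and pyOpenSSL's str(extension) both produce. This is an added illustration, not the openshift-ansible filter code; the sample SAN string is constructed to mirror the report and adds an IP Address entry to show the same leak for non-DNS types.

```python
import re

# Constructed sample: textual subjectAltName of a hypothetical certificate,
# one DNS name plus an email entry (as in the report) and an IP entry.
SAN_TEXT = "DNS:cloudbeta.rio.gov.br, email:hostmaster.rj.gov.br, IP Address:10.0.0.5"

# RFC 1123 label check; a leading wildcard label is allowed for TLS certs.
_LABEL = re.compile(r"^(\*|[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)$", re.IGNORECASE)


def is_hostname(name):
    """True if name is a syntactically valid DNS hostname (or wildcard)."""
    if not name or len(name) > 253:
        return False
    labels = name.rstrip(".").split(".")
    if any(label == "*" for label in labels[1:]):
        return False  # wildcard only allowed in the leftmost label
    return all(_LABEL.match(label) for label in labels)


def san_names_buggy(san_text):
    """Pre-fix behaviour: drop the 'DNS:' prefix and keep every entry,
    so 'email:...' and 'IP Address:...' leak into the names list."""
    return [entry.replace("DNS:", "") for entry in san_text.split(", ")]


def san_names_fixed(san_text):
    """Post-fix behaviour: keep only entries whose type is DNS and whose
    value is a well-formed hostname."""
    names = []
    for entry in san_text.split(", "):
        kind, _, value = entry.partition(":")
        if kind.strip() == "DNS" and is_hostname(value.strip()):
            names.append(value.strip())
    return names


def invalid_entries(names):
    """Names that are not valid hostnames; the master API rejects these."""
    return [n for n in names if not is_hostname(n)]


def named_certificate(cert_file, key_file, san_text):
    """Build one namedCertificates entry (as a dict) from the fixed parser."""
    return {"certFile": cert_file, "keyFile": key_file,
            "names": san_names_fixed(san_text)}
```

Running `invalid_entries(san_names_buggy(SAN_TEXT))` on the sample reproduces the bad entry from the report, while `named_certificate(...)` yields a list containing only the DNS name.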
Comment 1 Renato Puccini 2017-10-16 20:24:08 UTC
Created attachment 1339438
/etc/ansible/hosts

Comment 2 Renato Puccini 2017-10-16 20:24:47 UTC
Created attachment 1339449
pem file

Comment 4 Russell Teague 2018-01-25 19:34:46 UTC
Proposed: https://github.com/openshift/openshift-ansible/pull/6878

Comment 5 Russell Teague 2018-01-26 03:25:25 UTC
Merged

Comment 7 Johnny Liu 2018-01-30 08:50:30 UTC
Verified this bug with openshift-ansible-3.9.0-0.31.0.git.0.e0a0ad8.el7.noarch, and PASS.

# cat /etc/origin/master/master-config.yaml
<--snip-->
  namedCertificates:
  - certFile: /etc/origin/master/named_certificates/cloudbeta.rio.gov.br.crt
    keyFile: /etc/origin/master/named_certificates/cloudbeta.rio.gov.br.key
    names:
    - cloudbeta.rio.gov.br
<--snip-->

Comment 10 errata-xmlrpc 2018-03-28 14:07:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0489