Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1669439

Summary: When running upgrade playbook, received the error: 'UnicodeEncodeError: 'ascii' codec can't encode character u'\\xfc' in position 1: ordinal not in range (128)'
Product: OpenShift Container Platform Reporter: David Caldwell <dcaldwel>
Component: InstallerAssignee: Vadim Rutkovsky <vrutkovs>
Installer sub component: openshift-ansible QA Contact: Gaoyun Pei <gpei>
Status: CLOSED ERRATA Docs Contact:
Severity: medium    
Priority: unspecified CC: gpei, rsandu, vrutkovs
Version: 3.11.0   
Target Milestone: ---   
Target Release: 3.11.z   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-02-20 14:11:02 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description David Caldwell 2019-01-25 09:55:28 UTC 
Description of problem:

Using custom certificates with an umlaut character (eg, 'Ü') in the address and then running either:

ansible-playbook -v playbooks/byo/openshift-cluster/upgrades/v3_11/upgrade_nodes.yml

or

ansible-playbook -v playbooks/openshift-checks/certificate_expiry/easy-mode.yaml

causes the error, UnicodeEncodeError: 'ascii' codec can't encode character u'\\xfc' in position 1: ordinal not in range (128)


Version-Release number of the following components:

# oc version
oc v3.11.59
kubernetes v1.11.0+d4cacc0
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://master.ocp.internal.adcubum.com:443
openshift v3.11.59
kubernetes v1.11.0+d4cacc0

# rpm -q openshift-ansible
openshift-ansible-3.11.59-1.git.0.ba8e948.el7.noarch

# rpm -q ansible
ansible-2.6.12-1.el7ae.noarch

# ansible --version
ansible 2.6.12
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.5 (default, Sep 12 2018, 05:31:16) [GCC 4.8.5 20150623 (Red Hat 4.8.5-36)]


How reproducible:

Steps to Reproduce:
1. Create custom cert and enter the address with a character such as 'Ü'.
2. Try running a playbook that parses the certs such as upgrade_nodes.yaml


Actual results:

PLAY [Check cert expirys] ******************************************************************************************************************

TASK [openshift_certificate_expiry : Ensure python dateutil library is present] ************************************************************
Wednesday 23 January 2019  23:44:00 +0100 (0:00:00.871)       0:00:00.871 ***** 
ok: [adzh-srlp-on01.intern.cube.ch] => {"changed": false, "msg": "", "rc": 0, "results": ["python-dateutil-1.5-7.el7.noarch providing python-dateutil is already installed"]}
ok: [adzh-srlp-on03.intern.cube.ch] => {"changed": false, "msg": "", "rc": 0, "results": ["python-dateutil-1.5-7.el7.noarch providing python-dateutil is already installed"]}
ok: [adzh-srlp-on02.intern.cube.ch] => {"changed": false, "msg": "", "rc": 0, "results": ["python-dateutil-1.5-7.el7.noarch providing python-dateutil is already installed"]}
ok: [adzh-srlp-om01.intern.cube.ch] => {"changed": false, "msg": "", "rc": 0, "results": ["python-dateutil-1.5-7.el7.noarch providing python-dateutil is already installed"]}
ok: [adzh-srlp-on04.intern.cube.ch] => {"changed": false, "msg": "", "rc": 0, "results": ["python-dateutil-1.5-7.el7.noarch providing python-dateutil is already installed"]}
ok: [adzh-srlp-om02.intern.cube.ch] => {"changed": false, "msg": "", "rc": 0, "results": ["python-dateutil-1.5-7.el7.noarch providing python-dateutil is already installed"]}
ok: [adzh-srlp-on05.intern.cube.ch] => {"changed": false, "msg": "", "rc": 0, "results": ["python-dateutil-1.5-7.el7.noarch providing python-dateutil is already installed"]}
ok: [adzh-srlp-om03.intern.cube.ch] => {"changed": false, "msg": "", "rc": 0, "results": ["python-dateutil-1.5-7.el7.noarch providing python-dateutil is already installed"]}
ok: [adzh-srlp-oin03.intern.cube.ch] => {"changed": false, "msg": "", "rc": 0, "results": ["python-dateutil-1.5-7.el7.noarch providing python-dateutil is already installed"]}
ok: [adzh-srlp-on06.intern.cube.ch] => {"changed": false, "msg": "", "rc": 0, "results": ["python-dateutil-1.5-7.el7.noarch providing python-dateutil is already installed"]}
ok: [adzh-srlp-oin01.intern.cube.ch] => {"changed": false, "msg": "", "rc": 0, "results": ["python-dateutil-1.5-7.el7.noarch providing python-dateutil is already installed"]}
ok: [adzh-srlp-oin02.intern.cube.ch] => {"changed": false, "msg": "", "rc": 0, "results": ["python-dateutil-1.5-7.el7.noarch providing python-dateutil is already installed"]}
ok: [adzh-srlp-on07.intern.cube.ch] => {"changed": false, "msg": "", "rc": 0, "results": ["python-dateutil-1.5-7.el7.noarch providing python-dateutil is already installed"]}
ok: [adzh-srlp-oin04.intern.cube.ch] => {"changed": false, "msg": "", "rc": 0, "results": ["python-dateutil-1.5-7.el7.noarch providing python-dateutil is already installed"]}
ok: [adzh-srlp-on08.intern.cube.ch] => {"changed": false, "msg": "", "rc": 0, "results": ["python-dateutil-1.5-7.el7.noarch providing python-dateutil is already installed"]}

TASK [openshift_certificate_expiry : Check cert expirys on host] ***************************************************************************
Wednesday 23 January 2019  23:44:17 +0100 (0:00:17.074)       0:00:17.945 ***** 
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: UnicodeEncodeError: 'ascii' codec can't encode character u'\xfc' in position 1: ordinal not in range(128)
fatal: [adzh-srlp-oin01.intern.cube.ch]: FAILED! => {"changed": false, "module_stderr": "Traceback (most recent call last):\n  File \"/tmp/ansible_X3PxoC/ansible_module_openshift_cert_expiry.py\", line 835, in <module>\n    main()\n  File \"/tmp/ansible_X3PxoC/ansible_module_openshift_cert_expiry.py\", line 549, in main\n    cert_serial) = load_and_handle_cert(cert, now, ans_module=module)\n  File \"/tmp/ansible_X3PxoC/ansible_module_openshift_cert_expiry.py\", line 292, in load_and_handle_cert\n    cert_subjects.append('{}:{}'.format(name, value))\nUnicodeEncodeError: 'ascii' codec can't encode character u'\\xfc' in position 1: ordinal not in range(128)\n", "module_stdout": "", "msg": "MODULE FAILURE", "rc": 1}
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: UnicodeEncodeError: 'ascii' codec can't encode character u'\xfc' in position 1: ordinal not in range(128)
fatal: [adzh-srlp-oin02.intern.cube.ch]: FAILED! => {"changed": false, "module_stderr": "Traceback (most recent call last):\n  File \"/tmp/ansible_0WfLMI/ansible_module_openshift_cert_expiry.py\", line 835, in <module>\n    main()\n  File \"/tmp/ansible_0WfLMI/ansible_module_openshift_cert_expiry.py\", line 549, in main\n    cert_serial) = load_and_handle_cert(cert, now, ans_module=module)\n  File \"/tmp/ansible_0WfLMI/ansible_module_openshift_cert_expiry.py\", line 292, in load_and_handle_cert\n    cert_subjects.append('{}:{}'.format(name, value))\nUnicodeEncodeError: 'ascii' codec can't encode character u'\\xfc' in position 1: ordinal not in range(128)\n", "module_stdout": "", "msg": "MODULE FAILURE", "rc": 1}
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: UnicodeEncodeError: 'ascii' codec can't encode character u'\xfc' in position 1: ordinal not in range(128)
fatal: [adzh-srlp-oin03.intern.cube.ch]: FAILED! => {"changed": false, "module_stderr": "Traceback (most recent call last):\n  File \"/tmp/ansible_lPSEM2/ansible_module_openshift_cert_expiry.py\", line 835, in <module>\n    main()\n  File \"/tmp/ansible_lPSEM2/ansible_module_openshift_cert_expiry.py\", line 549, in main\n    cert_serial) = load_and_handle_cert(cert, now, ans_module=module)\n  File \"/tmp/ansible_lPSEM2/ansible_module_openshift_cert_expiry.py\", line 292, in load_and_handle_cert\n    cert_subjects.append('{}:{}'.format(name, value))\nUnicodeEncodeError: 'ascii' codec can't encode character u'\\xfc' in position 1: ordinal not in range(128)\n", "module_stdout": "", "msg": "MODULE FAILURE", "rc": 1}
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: UnicodeEncodeError: 'ascii' codec can't encode character u'\xfc' in position 1: ordinal not in range(128)
fatal: [adzh-srlp-oin04.intern.cube.ch]: FAILED! => {"changed": false, "module_stderr": "Traceback (most recent call last):\n  File \"/tmp/ansible_z9Nxbg/ansible_module_openshift_cert_expiry.py\", line 835, in <module>\n    main()\n  File \"/tmp/ansible_z9Nxbg/ansible_module_openshift_cert_expiry.py\", line 549, in main\n    cert_serial) = load_and_handle_cert(cert, now, ans_module=module)\n  File \"/tmp/ansible_z9Nxbg/ansible_module_openshift_cert_expiry.py\", line 292, in load_and_handle_cert\n    cert_subjects.append('{}:{}'.format(name, value))\nUnicodeEncodeError: 'ascii' codec can't encode character u'\\xfc' in position 1: ordinal not in range(128)\n", "module_stdout": "", "msg": "MODULE FAILURE", "rc": 1}
ok: [adzh-srlp-om02.intern.cube.ch] => {"changed": false, "check_results": {"etcd": [{"cert_cn": "CN:etcd-signer@1513157280", "days_remaining": 1418, "expiry": "2022-12-12 09:29:42", "health": "ok", "path": "/etc/etcd/ca.crt", "serial": 15347044646839665117, "serial_hex": "0xd4fba7cb4ef041ddL"}, {"cert_cn": "CN:adzh-srlp-om02.intern.cube.ch, IP Address:172.22.204.12, DNS:adzh-srlp-om02.intern.cube.ch", "days_remaining": 1418, "expiry": "2022-12-12 09:30:17", "health": "ok", "path": "/etc/etcd/server.crt", "serial": 1, "serial_hex": "0x1"}, {"cert_cn": "CN:adzh-srlp-om02.intern.cube.ch, IP Address:172.22.204.12, DNS:adzh-srlp-om02.intern.cube.ch", "days_remaining": 1418, "expiry": "2022-12-12 09:30:20", "health": "ok", "path": "/etc/etcd/peer.crt", "serial": 6, "serial_hex": "0x6"}], "kubeconfigs": [{"cert_cn": "O:system:cluster-admins, CN:system:admin", "days_remaining": 406, "expiry": "2020-03-05 13:17:06", "health": "ok", "path": "/etc/origin/master/admin.kubeconfig", "serial": 15, "serial_hex": "0xf"}, {"cert_cn": "O:system:masters, O:system:openshift-master, CN:system:openshift-master", "days_remaining": 406, "expiry": "2020-03-05 13:17:28", "health": "ok", "path": "/etc/origin/master/openshift-master.kubeconfig", "serial": 19, "serial_hex": "0x13"}], "meta": {"checked_at_time": "2019-01-23 23:44:18.765518", "show_all": "True", "warn_before_date": "2019-02-22 23:44:18.765518", "warning_days": 30}, "ocp_certs": [{"cert_cn": "CN:10.120.0.1, DNS:adzh-srlp-om02.intern.cube.ch, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, DNS:master.ocp.internal.adcubum.com, DNS:mgmt.ocp.internal.adcubum.com, DNS:openshift, DNS:openshift.default, DNS:openshift.default.svc, DNS:openshift.default.svc.cluster.local, DNS:10.120.0.1, DNS:172.22.204.12, IP Address:10.120.0.1, IP Address:172.22.204.12", "days_remaining": 406, "expiry": "2020-03-05 13:17:23", "health": "ok", "path": "/etc/origin/master/master.server.crt", "serial": 17, "serial_hex": "0x11"}, {"cert_cn": "CN:system:master-proxy", "days_remaining": 406, "expiry": "2020-03-05 13:17:05", "health": "ok", "path": "/etc/origin/master/master.proxy-client.crt", "serial": 11, "serial_hex": "0xb"}, {"cert_cn": "O:system:node-admins, CN:system:openshift-node-admin", "days_remaining": 406, "expiry": "2020-03-05 13:17:05", "health": "ok", "path": "/etc/origin/master/master.kubelet-client.crt", "serial": 12, "serial_hex": "0xc"}, {"cert_cn": "CN:adzh-srlp-om02.intern.cube.ch, IP Address:172.22.204.12, DNS:adzh-srlp-om02.intern.cube.ch", "days_remaining": 1418, "expiry": "2022-12-12 09:38:53", "health": "ok", "path": "/etc/origin/master/master.etcd-client.crt", "serial": 8, "serial_hex": "0x8"}, {"cert_cn": "CN:etcd-signer@1513157280", "days_remaining": 1418, "expiry": "2022-12-12 09:29:42", "health": "ok", "path": "/etc/origin/master/master.etcd-ca.crt", "serial": 15347044646839665117, "serial_hex": "0xd4fba7cb4ef041ddL"}, {"cert_cn": "CN:openshift-signer@1519932598", "days_remaining": 1496, "expiry": "2023-02-28 19:29:58", "health": "ok", "path": "/etc/origin/master/ca.crt", "serial": 1, "serial_hex": "0x1"}, {"cert_cn": "CN:openshift-signer@1519932598", "days_remaining": 1496, "expiry": "2023-02-28 19:29:58", "health": "ok", "path": "/etc/origin/node/client-ca.crt", "serial": 1, "serial_hex": "0x1"}, {"cert_cn": "CN:openshift-signer@1519932598", "days_remaining": 1496, "expiry": "2023-02-28 19:29:58", "health": "ok", "path": "/etc/origin/node/client-ca.crt", "serial": 1, "serial_hex": "0x1"}, {"cert_cn": "CN:openshift-service-serving-signer@1520342225", "days_remaining": 1501, "expiry": "2023-03-05 13:17:05", "health": "ok", "path": "/etc/origin/master/service-signer.crt", "serial": 1, "serial_hex": "0x1"}], "registry": [{"cert_cn": "CN:10.120.46.227, DNS:docker-registry-default.ocp.internal.adcubum.com, DNS:docker-registry.default.svc, DNS:docker-registry.default.svc.cluster.local, DNS:10.120.46.227, IP Address:10.120.46.227", "days_remaining": 323, "expiry": "2019-12-13 10:11:43", "health": "ok", "path": "/api/v1/namespaces/default/secrets/registry-certificates", "serial": 40, "serial_hex": "0x28"}], "router": []}, "msg": "Checked 15 total certificates. Expired/Warning/OK: 0/0/15. Warning window: 30 days", "rc": 0, "summary": {"etcd_certificates": 3, "expired": 0, "kubeconfig_certificates": 2, "ok": 15, "registry_certs": 1, "router_certs": 0, "system_certificates": 9, "total": 15, "warning": 0}, "warn_certs": false}
ok: [adzh-srlp-om03.intern.cube.ch] => {"changed": false, "check_results": {"etcd": [{"cert_cn": "CN:etcd-signer@1513157280", "days_remaining": 1418, "expiry": "2022-12-12 09:29:42", "health": "ok", "path": "/etc/etcd/ca.crt", "serial": 15347044646839665117, "serial_hex": "0xd4fba7cb4ef041ddL"}, {"cert_cn": "CN:adzh-srlp-om03.intern.cube.ch, IP Address:172.22.204.13, DNS:adzh-srlp-om03.intern.cube.ch", "days_remaining": 1418, "expiry": "2022-12-12 09:30:18", "health": "ok", "path": "/etc/etcd/server.crt", "serial": 3, "serial_hex": "0x3"}, {"cert_cn": "CN:adzh-srlp-om03.intern.cube.ch, IP Address:172.22.204.13, DNS:adzh-srlp-om03.intern.cube.ch", "days_remaining": 1418, "expiry": "2022-12-12 09:30:20", "health": "ok", "path": "/etc/etcd/peer.crt", "serial": 5, "serial_hex": "0x5"}], "kubeconfigs": [{"cert_cn": "O:system:cluster-admins, CN:system:admin", "days_remaining": 406, "expiry": "2020-03-05 13:17:06", "health": "ok", "path": "/etc/origin/master/admin.kubeconfig", "serial": 15, "serial_hex": "0xf"}, {"cert_cn": "O:system:masters, O:system:openshift-master, CN:system:openshift-master", "days_remaining": 406, "expiry": "2020-03-05 13:17:30", "health": "ok", "path": "/etc/origin/master/openshift-master.kubeconfig", "serial": 20, "serial_hex": "0x14"}], "meta": {"checked_at_time": "2019-01-23 23:44:18.765498", "show_all": "True", "warn_before_date": "2019-02-22 23:44:18.765498", "warning_days": 30}, "ocp_certs": [{"cert_cn": "CN:10.120.0.1, DNS:adzh-srlp-om03.intern.cube.ch, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, DNS:master.ocp.internal.adcubum.com, DNS:mgmt.ocp.internal.adcubum.com, DNS:openshift, DNS:openshift.default, DNS:openshift.default.svc, DNS:openshift.default.svc.cluster.local, DNS:10.120.0.1, DNS:172.22.204.13, IP Address:10.120.0.1, IP Address:172.22.204.13", "days_remaining": 406, "expiry": "2020-03-05 13:17:26", "health": "ok", "path": "/etc/origin/master/master.server.crt", "serial": 18, "serial_hex": "0x12"}, {"cert_cn": "CN:system:master-proxy", "days_remaining": 406, "expiry": "2020-03-05 13:17:05", "health": "ok", "path": "/etc/origin/master/master.proxy-client.crt", "serial": 11, "serial_hex": "0xb"}, {"cert_cn": "O:system:node-admins, CN:system:openshift-node-admin", "days_remaining": 406, "expiry": "2020-03-05 13:17:05", "health": "ok", "path": "/etc/origin/master/master.kubelet-client.crt", "serial": 12, "serial_hex": "0xc"}, {"cert_cn": "CN:adzh-srlp-om03.intern.cube.ch, IP Address:172.22.204.13, DNS:adzh-srlp-om03.intern.cube.ch", "days_remaining": 1418, "expiry": "2022-12-12 09:38:53", "health": "ok", "path": "/etc/origin/master/master.etcd-client.crt", "serial": 9, "serial_hex": "0x9"}, {"cert_cn": "CN:etcd-signer@1513157280", "days_remaining": 1418, "expiry": "2022-12-12 09:29:42", "health": "ok", "path": "/etc/origin/master/master.etcd-ca.crt", "serial": 15347044646839665117, "serial_hex": "0xd4fba7cb4ef041ddL"}, {"cert_cn": "CN:openshift-signer@1519932598", "days_remaining": 1496, "expiry": "2023-02-28 19:29:58", "health": "ok", "path": "/etc/origin/master/ca.crt", "serial": 1, "serial_hex": "0x1"}, {"cert_cn": "CN:openshift-signer@1519932598", "days_remaining": 1496, "expiry": "2023-02-28 19:29:58", "health": "ok", "path": "/etc/origin/node/client-ca.crt", "serial": 1, "serial_hex": "0x1"}, {"cert_cn": "CN:openshift-signer@1519932598", "days_remaining": 1496, "expiry": "2023-02-28 19:29:58", "health": "ok", "path": "/etc/origin/node/client-ca.crt", "serial": 1, "serial_hex": "0x1"}, {"cert_cn": "CN:openshift-service-serving-signer@1520342225", "days_remaining": 1501, "expiry": "2023-03-05 13:17:05", "health": "ok", "path": "/etc/origin/master/service-signer.crt", "serial": 1, "serial_hex": "0x1"}], "registry": [{"cert_cn": "CN:10.120.46.227, DNS:docker-registry-default.ocp.internal.adcubum.com, DNS:docker-registry.default.svc, DNS:docker-registry.default.svc.cluster.local, DNS:10.120.46.227, IP Address:10.120.46.227", "days_remaining": 323, "expiry": "2019-12-13 10:11:43", "health": "ok", "path": "/api/v1/namespaces/default/secrets/registry-certificates", "serial": 40, "serial_hex": "0x28"}], "router": []}, "msg": "Checked 15 total certificates. Expired/Warning/OK: 0/0/15. Warning window: 30 days", "rc": 0, "summary": {"etcd_certificates": 3, "expired": 0, "kubeconfig_certificates": 2, "ok": 15, "registry_certs": 1, "router_certs": 0, "system_certificates": 9, "total": 15, "warning": 0}, "warn_certs": false}
ok: [adzh-srlp-om01.intern.cube.ch] => {"changed": false, "check_results": {"etcd": [{"cert_cn": "CN:etcd-signer@1513157280", "days_remaining": 1418, "expiry": "2022-12-12 09:29:42", "health": "ok", "path": "/etc/etcd/ca.crt", "serial": 15347044646839665117, "serial_hex": "0xd4fba7cb4ef041ddL"}, {"cert_cn": "CN:adzh-srlp-om01.intern.cube.ch, IP Address:172.22.204.26, DNS:adzh-srlp-om01.intern.cube.ch", "days_remaining": 1418, "expiry": "2022-12-12 09:30:17", "health": "ok", "path": "/etc/etcd/server.crt", "serial": 2, "serial_hex": "0x2"}, {"cert_cn": "CN:adzh-srlp-om01.intern.cube.ch, IP Address:172.22.204.26, DNS:adzh-srlp-om01.intern.cube.ch", "days_remaining": 1418, "expiry": "2022-12-12 09:30:20", "health": "ok", "path": "/etc/etcd/peer.crt", "serial": 4, "serial_hex": "0x4"}], "kubeconfigs": [{"cert_cn": "O:system:cluster-admins, CN:system:admin", "days_remaining": 406, "expiry": "2020-03-05 13:17:06", "health": "ok", "path": "/etc/origin/master/admin.kubeconfig", "serial": 15, "serial_hex": "0xf"}, {"cert_cn": "O:system:masters, O:system:openshift-master, CN:system:openshift-master", "days_remaining": 406, "expiry": "2020-03-05 13:17:10", "health": "ok", "path": "/etc/origin/master/openshift-master.kubeconfig", "serial": 16, "serial_hex": "0x10"}], "meta": {"checked_at_time": "2019-01-23 23:44:18.782321", "show_all": "True", "warn_before_date": "2019-02-22 23:44:18.782321", "warning_days": 30}, "ocp_certs": [{"cert_cn": "CN:10.120.0.1, DNS:adzh-srlp-om01.intern.cube.ch, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, DNS:master.ocp.internal.adcubum.com, DNS:mgmt.ocp.internal.adcubum.com, DNS:openshift, DNS:openshift.default, DNS:openshift.default.svc, DNS:openshift.default.svc.cluster.local, DNS:10.120.0.1, DNS:172.22.204.26, IP Address:10.120.0.1, IP Address:172.22.204.26", "days_remaining": 406, "expiry": "2020-03-05 13:17:05", "health": "ok", "path": "/etc/origin/master/master.server.crt", "serial": 10, "serial_hex": "0xa"}, {"cert_cn": "CN:system:master-proxy", "days_remaining": 406, "expiry": "2020-03-05 13:17:05", "health": "ok", "path": "/etc/origin/master/master.proxy-client.crt", "serial": 11, "serial_hex": "0xb"}, {"cert_cn": "O:system:node-admins, CN:system:openshift-node-admin", "days_remaining": 406, "expiry": "2020-03-05 13:17:05", "health": "ok", "path": "/etc/origin/master/master.kubelet-client.crt", "serial": 12, "serial_hex": "0xc"}, {"cert_cn": "CN:adzh-srlp-om01.intern.cube.ch, IP Address:172.22.204.26, DNS:adzh-srlp-om01.intern.cube.ch", "days_remaining": 1418, "expiry": "2022-12-12 09:38:53", "health": "ok", "path": "/etc/origin/master/master.etcd-client.crt", "serial": 7, "serial_hex": "0x7"}, {"cert_cn": "CN:etcd-signer@1513157280", "days_remaining": 1418, "expiry": "2022-12-12 09:29:42", "health": "ok", "path": "/etc/origin/master/master.etcd-ca.crt", "serial": 15347044646839665117, "serial_hex": "0xd4fba7cb4ef041ddL"}, {"cert_cn": "CN:openshift-signer@1519932598", "days_remaining": 1496, "expiry": "2023-02-28 19:29:58", "health": "ok", "path": "/etc/origin/master/ca.crt", "serial": 1, "serial_hex": "0x1"}, {"cert_cn": "CN:openshift-signer@1519932598", "days_remaining": 1496, "expiry": "2023-02-28 19:29:58", "health": "ok", "path": "/etc/origin/node/client-ca.crt", "serial": 1, "serial_hex": "0x1"}, {"cert_cn": "CN:openshift-signer@1519932598", "days_remaining": 1496, "expiry": "2023-02-28 19:29:58", "health": "ok", "path": "/etc/origin/node/client-ca.crt", "serial": 1, "serial_hex": "0x1"}, {"cert_cn": "CN:openshift-service-serving-signer@1520342225", "days_remaining": 1501, "expiry": "2023-03-05 13:17:05", "health": "ok", "path": "/etc/origin/master/service-signer.crt", "serial": 1, "serial_hex": "0x1"}], "registry": [{"cert_cn": "CN:10.120.46.227, DNS:docker-registry-default.ocp.internal.adcubum.com, DNS:docker-registry.default.svc, DNS:docker-registry.default.svc.cluster.local, DNS:10.120.46.227, IP Address:10.120.46.227", "days_remaining": 323, "expiry": "2019-12-13 10:11:43", "health": "ok", "path": "/api/v1/namespaces/default/secrets/registry-certificates", "serial": 40, "serial_hex": "0x28"}], "router": []}, "msg": "Checked 15 total certificates. Expired/Warning/OK: 0/0/15. Warning window: 30 days", "rc": 0, "summary": {"etcd_certificates": 3, "expired": 0, "kubeconfig_certificates": 2, "ok": 15, "registry_certs": 1, "router_certs": 0, "system_certificates": 9, "total": 15, "warning": 0}, "warn_certs": false}
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: UnicodeEncodeError: 'ascii' codec can't encode character u'\xfc' in position 1: ordinal not in range(128)
fatal: [adzh-srlp-on01.intern.cube.ch]: FAILED! => {"changed": false, "module_stderr": "Traceback (most recent call last):\n  File \"/tmp/ansible_HxqIkv/ansible_module_openshift_cert_expiry.py\", line 835, in <module>\n    main()\n  File \"/tmp/ansible_HxqIkv/ansible_module_openshift_cert_expiry.py\", line 549, in main\n    cert_serial) = load_and_handle_cert(cert, now, ans_module=module)\n  File \"/tmp/ansible_HxqIkv/ansible_module_openshift_cert_expiry.py\", line 292, in load_and_handle_cert\n    cert_subjects.append('{}:{}'.format(name, value))\nUnicodeEncodeError: 'ascii' codec can't encode character u'\\xfc' in position 1: ordinal not in range(128)\n", "module_stdout": "", "msg": "MODULE FAILURE", "rc": 1}
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: UnicodeEncodeError: 'ascii' codec can't encode character u'\xfc' in position 1: ordinal not in range(128)
fatal: [adzh-srlp-on02.intern.cube.ch]: FAILED! => {"changed": false, "module_stderr": "Traceback (most recent call last):\n  File \"/tmp/ansible_QvNG66/ansible_module_openshift_cert_expiry.py\", line 835, in <module>\n    main()\n  File \"/tmp/ansible_QvNG66/ansible_module_openshift_cert_expiry.py\", line 549, in main\n    cert_serial) = load_and_handle_cert(cert, now, ans_module=module)\n  File \"/tmp/ansible_QvNG66/ansible_module_openshift_cert_expiry.py\", line 292, in load_and_handle_cert\n    cert_subjects.append('{}:{}'.format(name, value))\nUnicodeEncodeError: 'ascii' codec can't encode character u'\\xfc' in position 1: ordinal not in range(128)\n", "module_stdout": "", "msg": "MODULE FAILURE", "rc": 1}
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: UnicodeEncodeError: 'ascii' codec can't encode character u'\xfc' in position 1: ordinal not in range(128)
fatal: [adzh-srlp-on03.intern.cube.ch]: FAILED! => {"changed": false, "module_stderr": "Traceback (most recent call last):\n  File \"/tmp/ansible_fLF3lS/ansible_module_openshift_cert_expiry.py\", line 835, in <module>\n    main()\n  File \"/tmp/ansible_fLF3lS/ansible_module_openshift_cert_expiry.py\", line 549, in main\n    cert_serial) = load_and_handle_cert(cert, now, ans_module=module)\n  File \"/tmp/ansible_fLF3lS/ansible_module_openshift_cert_expiry.py\", line 292, in load_and_handle_cert\n    cert_subjects.append('{}:{}'.format(name, value))\nUnicodeEncodeError: 'ascii' codec can't encode character u'\\xfc' in position 1: ordinal not in range(128)\n", "module_stdout": "", "msg": "MODULE FAILURE", "rc": 1}
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: UnicodeEncodeError: 'ascii' codec can't encode character u'\xfc' in position 1: ordinal not in range(128)
fatal: [adzh-srlp-on04.intern.cube.ch]: FAILED! => {"changed": false, "module_stderr": "Traceback (most recent call last):\n  File \"/tmp/ansible_0oIs2J/ansible_module_openshift_cert_expiry.py\", line 835, in <module>\n    main()\n  File \"/tmp/ansible_0oIs2J/ansible_module_openshift_cert_expiry.py\", line 549, in main\n    cert_serial) = load_and_handle_cert(cert, now, ans_module=module)\n  File \"/tmp/ansible_0oIs2J/ansible_module_openshift_cert_expiry.py\", line 292, in load_and_handle_cert\n    cert_subjects.append('{}:{}'.format(name, value))\nUnicodeEncodeError: 'ascii' codec can't encode character u'\\xfc' in position 1: ordinal not in range(128)\n", "module_stdout": "", "msg": "MODULE FAILURE", "rc": 1}
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: UnicodeEncodeError: 'ascii' codec can't encode character u'\xfc' in position 1: ordinal not in range(128)
fatal: [adzh-srlp-on05.intern.cube.ch]: FAILED! => {"changed": false, "module_stderr": "Traceback (most recent call last):\n  File \"/tmp/ansible_7g2Klk/ansible_module_openshift_cert_expiry.py\", line 835, in <module>\n    main()\n  File \"/tmp/ansible_7g2Klk/ansible_module_openshift_cert_expiry.py\", line 549, in main\n    cert_serial) = load_and_handle_cert(cert, now, ans_module=module)\n  File \"/tmp/ansible_7g2Klk/ansible_module_openshift_cert_expiry.py\", line 292, in load_and_handle_cert\n    cert_subjects.append('{}:{}'.format(name, value))\nUnicodeEncodeError: 'ascii' codec can't encode character u'\\xfc' in position 1: ordinal not in range(128)\n", "module_stdout": "", "msg": "MODULE FAILURE", "rc": 1}
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: UnicodeEncodeError: 'ascii' codec can't encode character u'\xfc' in position 1: ordinal not in range(128)
fatal: [adzh-srlp-on06.intern.cube.ch]: FAILED! => {"changed": false, "module_stderr": "Traceback (most recent call last):\n  File \"/tmp/ansible_rcYxUa/ansible_module_openshift_cert_expiry.py\", line 835, in <module>\n    main()\n  File \"/tmp/ansible_rcYxUa/ansible_module_openshift_cert_expiry.py\", line 549, in main\n    cert_serial) = load_and_handle_cert(cert, now, ans_module=module)\n  File \"/tmp/ansible_rcYxUa/ansible_module_openshift_cert_expiry.py\", line 292, in load_and_handle_cert\n    cert_subjects.append('{}:{}'.format(name, value))\nUnicodeEncodeError: 'ascii' codec can't encode character u'\\xfc' in position 1: ordinal not in range(128)\n", "module_stdout": "", "msg": "MODULE FAILURE", "rc": 1}
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: UnicodeEncodeError: 'ascii' codec can't encode character u'\xfc' in position 1: ordinal not in range(128)
fatal: [adzh-srlp-on07.intern.cube.ch]: FAILED! => {"changed": false, "module_stderr": "Traceback (most recent call last):\n  File \"/tmp/ansible_6I8d1u/ansible_module_openshift_cert_expiry.py\", line 835, in <module>\n    main()\n  File \"/tmp/ansible_6I8d1u/ansible_module_openshift_cert_expiry.py\", line 549, in main\n    cert_serial) = load_and_handle_cert(cert, now, ans_module=module)\n  File \"/tmp/ansible_6I8d1u/ansible_module_openshift_cert_expiry.py\", line 292, in load_and_handle_cert\n    cert_subjects.append('{}:{}'.format(name, value))\nUnicodeEncodeError: 'ascii' codec can't encode character u'\\xfc' in position 1: ordinal not in range(128)\n", "module_stdout": "", "msg": "MODULE FAILURE", "rc": 1}
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: UnicodeEncodeError: 'ascii' codec can't encode character u'\xfc' in position 1: ordinal not in range(128)
fatal: [adzh-srlp-on08.intern.cube.ch]: FAILED! => {"changed": false, "module_stderr": "Traceback (most recent call last):\n  File \"/tmp/ansible_9iLyqM/ansible_module_openshift_cert_expiry.py\", line 835, in <module>\n    main()\n  File \"/tmp/ansible_9iLyqM/ansible_module_openshift_cert_expiry.py\", line 549, in main\n    cert_serial) = load_and_handle_cert(cert, now, ans_module=module)\n  File \"/tmp/ansible_9iLyqM/ansible_module_openshift_cert_expiry.py\", line 292, in load_and_handle_cert\n    cert_subjects.append('{}:{}'.format(name, value))\nUnicodeEncodeError: 'ascii' codec can't encode character u'\\xfc' in position 1: ordinal not in range(128)\n", "module_stdout": "", "msg": "MODULE FAILURE", "rc": 1}

TASK [openshift_certificate_expiry : Generate expiration report HTML] **********************************************************************
Wednesday 23 January 2019  23:44:27 +0100 (0:00:10.119)       0:00:28.065 ***** 
changed: [adzh-srlp-om01.intern.cube.ch -> localhost] => {"changed": true, "checksum": "8775431fb17026f7f7737869476601a910976ef5", "dest": "/root/cert-expiry-report.20190123T233900.html", "gid": 0, "group": "root", "md5sum": "fe11d05bcecefaeaea4d9dc1aea1359f", "mode": "0644", "owner": "root", "secontext": "system_u:object_r:admin_home_t:s0", "size": 33083, "src": "/root/.ansible/tmp/ansible-tmp-1548283468.04-69839707792186/source", "state": "file", "uid": 0}

TASK [openshift_certificate_expiry : Generate results JSON file] ***************************************************************************
Wednesday 23 January 2019  23:44:32 +0100 (0:00:04.345)       0:00:32.410 ***** 
changed: [adzh-srlp-om01.intern.cube.ch -> localhost] => {"changed": true, "checksum": "000cf7f8122aa28a45e3bb59a102d6451a64d11b", "dest": "/root/cert-expiry-report.20190123T233900.json", "gid": 0, "group": "root", "md5sum": "5e7aa5588de23cbabc16d4a1a42561fd", "mode": "0644", "owner": "root", "secontext": "system_u:object_r:admin_home_t:s0", "size": 17186, "src": "/root/.ansible/tmp/ansible-tmp-1548283474.82-268778120035438/source", "state": "file", "uid": 0}

TASK [openshift_certificate_expiry : Fail when certs are near or already expired] **********************************************************
Wednesday 23 January 2019  23:44:37 +0100 (0:00:05.373)       0:00:37.784 ***** 
skipping: [adzh-srlp-om01.intern.cube.ch] => {"changed": false, "skip_reason": "Conditional result was False"}
skipping: [adzh-srlp-om02.intern.cube.ch] => {"changed": false, "skip_reason": "Conditional result was False"}
skipping: [adzh-srlp-om03.intern.cube.ch] => {"changed": false, "skip_reason": "Conditional result was False"}

PLAY RECAP *********************************************************************************************************************************
adzh-srlp-oin01.intern.cube.ch : ok=1    changed=0    unreachable=0    failed=1   
adzh-srlp-oin02.intern.cube.ch : ok=1    changed=0    unreachable=0    failed=1   
adzh-srlp-oin03.intern.cube.ch : ok=1    changed=0    unreachable=0    failed=1   
adzh-srlp-oin04.intern.cube.ch : ok=1    changed=0    unreachable=0    failed=1   
adzh-srlp-om01.intern.cube.ch : ok=4    changed=2    unreachable=0    failed=0   
adzh-srlp-om02.intern.cube.ch : ok=2    changed=0    unreachable=0    failed=0   
adzh-srlp-om03.intern.cube.ch : ok=2    changed=0    unreachable=0    failed=0   
adzh-srlp-on01.intern.cube.ch : ok=1    changed=0    unreachable=0    failed=1   
adzh-srlp-on02.intern.cube.ch : ok=1    changed=0    unreachable=0    failed=1   
adzh-srlp-on03.intern.cube.ch : ok=1    changed=0    unreachable=0    failed=1   
adzh-srlp-on04.intern.cube.ch : ok=1    changed=0    unreachable=0    failed=1   
adzh-srlp-on05.intern.cube.ch : ok=1    changed=0    unreachable=0    failed=1   
adzh-srlp-on06.intern.cube.ch : ok=1    changed=0    unreachable=0    failed=1   
adzh-srlp-on07.intern.cube.ch : ok=1    changed=0    unreachable=0    failed=1   
adzh-srlp-on08.intern.cube.ch : ok=1    changed=0    unreachable=0    failed=1   

Wednesday 23 January 2019  23:44:38 +0100 (0:00:00.561)       0:00:38.346 ***** 
=============================================================================== 
openshift_certificate_expiry : Ensure python dateutil library is present ----------------------------------------------------------- 17.07s
openshift_certificate_expiry : Check cert expirys on host -------------------------------------------------------------------------- 10.12s
openshift_certificate_expiry : Generate results JSON file ---------------------------------------


Expected results:

No unicode errors.


Additional info:

The hosts that succeeded are using certs with no umlaut in the address.
Comment 1 Vadim Rutkovsky 2019-01-29 13:47:56 UTC 
PR with a possible fix - https://github.com/openshift/openshift-ansible/pull/11094
Comment 4 Gaoyun Pei 2019-02-12 03:39:43 UTC 
Could reproduce this bug with previous version openshift-ansible, such as openshift-ansible-3.11.69-1

1. Replace openshift CA file with a certificate with unicode symbols in CN
[root@gpei-preserve-ansible-slave ~]# openssl x509 -in www.test.com.cert.pem -subject -noout
subject= /C=GB/ST=England/O=Alice Ltd/CN=\xC3\x83\xC2\x9C-test

Add openshift_master_ca_certificate={'certfile': '/root/www.test.com.cert.pem', 'keyfile':'/root/www.test.com.key.pem'} in anssible inventory file

Run playbooks/openshift-master/redeploy-openshift-ca.yml


2. After CA file updated, run ansible-playbook -v playbooks/openshift-checks/certificate_expiry/easy-mode.yaml

TASK [openshift_certificate_expiry : Check cert expirys on host] ************************************************************************************************************
fatal: [ec2-3-92-240-125.compute-1.amazonaws.com]: FAILED! => {"changed": false, "module_stderr": "Shared connection to ec2-3-92-240-125.compute-1.amazonaws.com closed.\r\n", "module_stdout": "Traceback (most recent call last):\r\n  File \"/root/.ansible/tmp/ansible-tmp-1549941562.6-43432922140505/AnsiballZ_openshift_cert_expiry.py\", line 113, in <module>\r\n    _ansiballz_main()\r\n  File \"/root/.ansible/tmp/ansible-tmp-1549941562.6-43432922140505/AnsiballZ_openshift_cert_expiry.py\", line 105, in _ansiballz_main\r\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\r\n  File \"/root/.ansible/tmp/ansible-tmp-1549941562.6-43432922140505/AnsiballZ_openshift_cert_expiry.py\", line 48, in invoke_module\r\n    imp.load_module('__main__', mod, module, MOD_DESC)\r\n  File \"/tmp/ansible_openshift_cert_expiry_payload_xlcguU/__main__.py\", line 835, in <module>\r\n  File \"/tmp/ansible_openshift_cert_expiry_payload_xlcguU/__main__.py\", line 549, in main\r\n  File \"/tmp/ansible_openshift_cert_expiry_payload_xlcguU/__main__.py\", line 292, in load_and_handle_cert\r\nUnicodeEncodeError: 'ascii' codec can't encode characters in position 0-1: ordinal not in range(128)\r\n", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}


With openshift-ansible-3.11.82-1.git.0.f29227a.el7, no such issue, move bug to verified.
Comment 6 errata-xmlrpc 2019-02-20 14:11:02 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0326