Bug 1692408 - failed with: x509: certificate signed by unknown authority
Summary: failed with: x509: certificate signed by unknown authority
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Routing
Version: 4.1.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 4.1.0
Assignee: Miciah Dashiel Butler Masters
QA Contact: Hongan Li
URL:
Whiteboard:
Duplicates: 1692842
Depends On:
Blocks:
Reported: 2019-03-25 14:28 UTC by Michal Fojtik
Modified: 2019-06-04 10:46 UTC

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-04 10:46:25 UTC
Target Upstream Version:


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:0758 None None None 2019-06-04 10:46:33 UTC
Github openshift origin pull 22416 'None' 'closed' 'Temporarily disable RBR until we move it to a CRD' 2019-11-14 20:42:11 UTC

Description Michal Fojtik 2019-03-25 14:28:57 UTC
Description of problem:

I0325 11:05:33.276424       1 status_controller.go:150] clusteroperator/authentication diff {"status":{"conditions":[{"lastTransitionTime":"2019-03-25T11:04:02Z","message":"Failing: x509: certificate signed by unknown authority","reason":"Failing","status":"True","type":"Failing"},{"lastTransitionTime":"2019-03-25T11:04:02Z","reason":"AsExpected","status":"False","type":"Progressing"},{"lastTransitionTime":"2019-03-25T11:03:08Z","reason":"Available","status":"False","type":"Available"},{"lastTransitionTime":"2019-03-25T10:38:52Z","reason":"NoData","status":"Unknown","type":"Upgradeable"}]}}
I0325 11:05:33.290053       1 event.go:221] Event(v1.ObjectReference{Kind:"Deployment", Namespace:"openshift-authentication-operator", Name:"openshift-authentication-operator", UID:"1636fadd-4eea-11e9-958a-029e9341ad66", APIVersion:"apps/v1", ResourceVersion:"", FieldPath:""}): type: 'Normal' reason: 'OperatorStatusChanged' Status for operator authentication changed: Failing message changed from "Failing: dial tcp: lookup openshift-authentication-openshift-authentication.apps.ci-op-8n1f8l1l-ad003.origin-ci-int-aws.dev.rhcloud.com on 172.30.0.10:53: no such host" to "Failing: x509: certificate signed by unknown authority"
E0325 11:05:35.465719       1 controller.go:130] {🐼 🐼} failed with: x509: certificate signed by unknown authority
E0325 11:05:38.776327       1 controller.go:130] {🐼 🐼} failed with: x509: certificate signed by unknown authority

Seen here: https://openshift-gce-devel.appspot.com/build/origin-ci-test/pr-logs/pull/openshift_cluster-kube-controller-manager-operator/197/pull-ci-openshift-cluster-kube-controller-manager-operator-master-e2e-aws/951

Also the authentication operator is reporting failing:

```authentication                                              Available=False, Failing=True, Progressing=False, Upgradeable=Unknown```

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 2 Standa Laznicka 2019-03-26 16:48:02 UTC
*** Bug 1692842 has been marked as a duplicate of this bug. ***

Comment 3 Standa Laznicka 2019-03-27 15:32:41 UTC
The authn operator fails to become ready as it took 33 minutes for the `router-certs` secret to appear (meaning from the first request authn-operator did to find it till the time it appears and is filled with data). Moving to Routing team for investigation.

Comment 4 Miciah Dashiel Butler Masters 2019-04-03 05:02:30 UTC
Following is the chain of events that resulted in the reported CI failure:

1. The RestrictSubjectBindings admission plug-in failed to get
   rolebindingrestrictions.

2. Consequently, cluster-version-operator failed to create the
   "openshift-ingress-operator/ingress-operator" role binding from
   cluster-ingress-operator's manifest assets.

3. Thus cluster-version-operator did not start cluster-ingress-operator.

4. Thus cluster-ingress-operator failed to create the router-certs secret.

After ~25 minutes, cluster-version-operator succeeded in creating the role
binding, after which point cluster-version-operator started
cluster-ingress-operator, and the latter created the router-certs secret.

https://github.com/openshift/origin/pull/22416 should fix the problem.

Comment 6 Dan Mace 2019-04-03 14:05:59 UTC
Does that mean this bug is mis-categorized? According to Miciah's analysis, the ingress operator did what it was supposed to do.

Comment 7 Weibin Liang 2019-04-03 14:23:06 UTC
Michal,

Because this is a test flake, QE cannot easily reproduce and verify it when the bug is in ON_QA state.

If you will not see the same issue any more, could you update the bug to VERIFIED?

Thank you!

Comment 8 Hongan Li 2019-04-11 07:34:49 UTC
I'm going to mark it as verified. Please reopen if you hit it again.

Comment 10 errata-xmlrpc 2019-06-04 10:46:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0758

