+++ This bug was initially created as a clone of Bug #1769985 +++
Description of problem: openshift/kubecsr repo is the canonical home for etcd cert signer. PR #22 added client usage and was merged upstream and is part of master downstream.
But this was never backported to the openshift-4.1, openshift-4.2 or openshift-4.3. With etcd 3.3.10 the result is an error message during startup
> 2019-11-07 14:18:08.592903 I | embed: rejected connection from "127.0.0.1:32972" (error "tls: failed to verify client's certificate: x509: certificate specifies an incompatible key usage", ServerName "")
In 3.3.17 we see many more of these errors and the result will be unnecessary bugs and spammy logs.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
Expected results: Backport is complete
*** Bug 1805569 has been marked as a duplicate of this bug. ***
Linking the 4.2 backport, while we wait for the Bugzilla bot to get fixed.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.