+++ This bug was initially created as a clone of Bug #1769985 +++ Description of problem: openshift/kubecsr repo is the canonical home for etcd cert signer. PR #22 added client usage and was merged upstream and is part of master downstream.[1] [1]: https://github.com/openshift/kubecsr/commit/aad75d333646da657e788db93f2ff75da850b542#diff-654ba8df3be94fe94c9404a7727d1fa2 But this was never backported to the openshift-4.1, openshift-4.2 or openshift-4.3. With etcd 3.3.10 the result is an error message during startup > 2019-11-07 14:18:08.592903 I | embed: rejected connection from "127.0.0.1:32972" (error "tls: failed to verify client's certificate: x509: certificate specifies an incompatible key usage", ServerName "") In 3.3.17 we see many more of these errors and the result will be unnecessary bugs and spammy logs. Version-Release number of selected component (if applicable): How reproducible: always Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Backport is complete Additional info:
*** Bug 1805569 has been marked as a duplicate of this bug. ***
Linking the 4.2 backport, while we wait for the Bugzilla bot to get fixed.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:2023