Bug 1805182 - openshift-apiserver degraded due to expired certificate errors
Summary: openshift-apiserver degraded due to expired certificate errors
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: openshift-apiserver
Version: 4.4
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
: 4.4.0
Assignee: Lukasz Szaszkiewicz
QA Contact: Xingxing Xia
URL:
Whiteboard:
: 1807473 (view as bug list)
Depends On: 1809944
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-02-20 12:59 UTC by Samuel Padgett
Modified: 2020-05-13 21:59 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
: 1809944 (view as bug list)
Environment:
Version: 4.4.0-0.ci-2020-02-18-125517 Cluster ID: f838b3e0-b021-45ad-9081-c4939ef384cb Browser: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:73.0) Gecko/20100101 Firefox/73.0
Last Closed: 2020-05-13 21:59:36 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
oc get clusteroperators output (3.49 KB, text/plain)
2020-02-20 12:59 UTC, Samuel Padgett 		no flags Details
View All


Links
System ID Private Priority Status Summary Last Updated
Github openshift origin pull 24621 0 None closed Bug 1805182: openshift-apiserver degraded due to expired certificate errors 2021-02-19 06:12:44 UTC
Red Hat Product Errata RHBA-2020:0581 0 None None None 2020-05-13 21:59:38 UTC

Description Samuel Padgett 2020-02-20 12:59:52 UTC 
Created attachment 1664358 [details]
oc get clusteroperators output

Several operators began reporting degraded (see attached list). The OAuth server showed this error during login:

"The authorization server encountered an unexpected condition that prevented it from fulfilling the request."

I see certificate errors in the logs.

OAuth server had this in its logs:

I0219 21:28:39.992996       1 log.go:172] http: TLS handshake error from 10.128.2.7:49138: remote error: tls: bad certificate
E0219 21:28:40.073478       1 osinserver.go:91] internal error: the server is currently unable to handle the request (get oauthclients.oauth.openshift.io openshift-challenging-client)
E0219 21:30:58.108101       1 osinserver.go:91] internal error: the server is currently unable to handle the request (get oauthclients.oauth.openshift.io console)

OpenShift API server had this in its logs:

E0219 21:29:18.738704       1 authentication.go:104] Unable to authenticate the request due to an error: x509: certificate has expired or is not yet valid
Comment 3 Stefan Schimanski 2020-02-27 14:31:15 UTC 
*** Bug 1807473 has been marked as a duplicate of this bug. ***
Comment 6 Xingxing Xia 2020-03-09 11:37:16 UTC 
Verified using steps of bug 1809944#c6 in 4.4.0-0.nightly-2020-03-08-235004 env.
Comment 8 errata-xmlrpc 2020-05-13 21:59:36 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0581
Note You need to log in before you can comment on or make changes to this bug.