This is a clone of Bug #1831760. This is the description of that bug: Description of problem: Azure Loadbalancer is not accepting api server certificates for HTTPS probes. Loadbalancer considers certificate invalid: Error from the azure side (not visible for normal users): WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CERT Based on the https://tools.ietf.org/html/rfc3280#section-4.2.1.1 and https://tools.ietf.org/html/rfc3280#section-4.2.1.2 we are using SubjectKeyID and AuthorityKeyId not as per specification. Current certificate configuration: CA: ``` ... CA:TRUE X509v3 Subject Key Identifier: 81:11:91:F6:17:0F:F7:1E:B0:E3:CB:72:22:FC:17:03:FD:C7:82:C8 ... ``` Certificate: ``` ... X509v3 Subject Key Identifier: 81:11:91:F6:17:0F:F7:1E:B0:E3:CB:72:22:FC:17:03:FD:C7:82:C8 X509v3 Authority Key Identifier: keyid:81:11:91:F6:17:0F:F7:1E:B0:E3:CB:72:22:FC:17:03:FD:C7:82:C8 ... ``` Those fields should not be the same for a signed certificate. Both fields being equal in a signed certificate is considered an invalid configuration. How reproduce: 1. Create 2 azure VMs (we need 2 VMs as azure do not allows "same leg recursive calls via loadbalancer) and Internal LoadBalancer, vnet. 2. Add HTTPS probe, load-balancing rules, for port 8443 3. SSH into VM1 and run script: https://gist.github.com/mjudeikis/4c0fc47552897bf13e82414b7d8a9f28 4. SSH into VM2 and try reaching VM1 via NODE IP (curl https://ip:8443/readyz -Ik). This should work. 5. Try reaching VM1 via Loadbalancer IP - This should fail. If you run ssldump on VM1: ssldump -i eth0 port 8443 you will see that load-balancer is terminating the connection and never send ClientKeyExchange message. 6. Run the same script but change code behaviour for signed certificates (search for GOODCONFIG in the "gist"). Now calls via LB should work as the certificate is considered valid.
Verified with: ./openshift-install version ./openshift-install unreleased-master-2655-g15eac3785998a5bc250c9f72101a4a9cb767e494-dirty built from commit 15eac3785998a5bc250c9f72101a4a9cb767e494 release image registry.svc.ci.openshift.org/origin/release:4.3 I've downloaded the installer source code and changed both azurerm_lb_probe templates (/data/data/azure/vnet/internal-lb.tf and /data/data/azure/vnet/public-lb.tf) with the following configurations: ~~~ resource "azurerm_lb_probe" "internal_lb_probe_api_internal" { name = "api-internal-probe" resource_group_name = var.resource_group_name interval_in_seconds = 10 number_of_probes = 3 loadbalancer_id = azurerm_lb.internal.id port = 6443 protocol = "HTTPS" request_path = "/readyz" } ~~~ ~~~ resource "azurerm_lb_probe" "public_lb_probe_api_internal" { count = var.private ? 0 : 1 name = "api-internal-probe" resource_group_name = var.resource_group_name interval_in_seconds = 10 number_of_probes = 3 loadbalancer_id = azurerm_lb.public.id port = 6443 protocol = "HTTPS" request_path = "/readyz" } ~~~ I've compiled the `openshift-installer` binary from the release-4.4 branch after those changes with by running `hack/build.sh` ./openshift-install version ./openshift-install unreleased-master-2655-g15eac3785998a5bc250c9f72101a4a9cb767e494-dirty built from commit 15eac3785998a5bc250c9f72101a4a9cb767e494 release image registry.svc.ci.openshift.org/origin/release:4.3 After exporting the release image override, I was able to install the cluster (with the https health check). $ export OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE="registry.svc.ci.openshift.org/ocp/release:4.4" $ ./openshift-install create cluster --dir test3 ? SSH Public Key /home/qe/.ssh/id_rsa.pub ? Platform azure INFO Credentials loaded from file "/home/qe/.azure/osServicePrincipal.json" ? Region centralus ? Base Domain openshift.com ? Cluster Name qe ? Pull Secret [? for help] *********************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************WARNING Found override for release image. Please be warned, this is not advised INFO Creating infrastructure resources... INFO Waiting up to 20m0s for the Kubernetes API at https://api.qe.openshift.com:6443... INFO API v1.17.1 up INFO Waiting up to 40m0s for bootstrapping to complete... INFO Destroying the bootstrap resources... INFO Waiting up to 30m0s for the cluster at https://api.qe.openshift.com:6443 to initialize... INFO Waiting up to 10m0s for the openshift-console route to be created... INFO Install complete! INFO To access the cluster as the system:admin user when using 'oc', run 'export KUBECONFIG=/home/qe/openshift/auth/kubeconfig' INFO Access the OpenShift web-console here: https://console-openshift-console.apps.qe.openshift.com INFO Login to the console with user: kubeadmin, password: No issue with basic health checks on the cluster.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:2180