Bug 1881757 - master node could not get ignition file with error "x509: certificate relies on legacy Common Name field"
Summary: master node could not get ignition file with error "x509: certificate relies ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 4.6
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 4.6.0
Assignee: Abhinav Dahiya
QA Contact: jima
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-09-23 03:33 UTC by jima
Modified: 2022-09-28 20:21 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-10-27 16:44:05 UTC
Target Upstream Version:
Embargoed:


Attachments
error from vm console (321.54 KB, image/png), 2020-09-23 03:33 UTC, jima


Links
Github openshift installer pull 4210 (Status: closed): Bug 1881757: tls: set mcs cert common name to not-valid-hostname (Last Updated: 2021-02-18 07:27:13 UTC)
Red Hat Product Errata RHBA-2020:4196 (Last Updated: 2020-10-27 16:44:26 UTC)

Description jima 2020-09-23 03:33:08 UTC
Created attachment 1715907: error from vm console

Description of problem:
Install a UPI cluster on vSphere with OCP 4.6.0-0.nightly-2020-09-22-200146; the RHCOS template is 46.82.202009182140-0.

Master nodes could not get the ignition file, and the error below is shown in the VM console:
x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0

According to https://bugzilla.redhat.com/show_bug.cgi?id=1877995#c29, we may need to adjust the SAN of the certificate we generated.

Please see attached screenshot for this error.

Version-Release number of the following components:
4.6.0-0.nightly-2020-09-22-200146

How reproducible:
Always
Steps to Reproduce:
1. Install OCP with rhcos template "46.82.202009182140-0"

Actual results:
Cluster installation failed.

Expected results:
Cluster is installed successfully

Additional info:

Comment 1 Abhinav Dahiya 2020-09-23 17:59:57 UTC
cat dev/bootstrap.ign | jq -r '.storage.files[] | select(.path == "/opt/openshift/tls/machine-config-server.crt") | .contents.source' | cut -c 38- | base64 -d | openssl x509 -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4744838048981034579 (0x41d90d10fa45a653)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: OU = openshift, CN = root-ca
        Validity
            Not Before: Sep 23 17:48:17 2020 GMT
            Not After : Sep 21 17:48:20 2030 GMT
        Subject: CN = api-int.adahiya-2.installer.gcp.devcluster.openshift.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                D3:A9:B1:48:5C:B3:77:C4:75:69:2C:BB:DA:99:56:91:2F:30:7D:C9
            X509v3 Authority Key Identifier:
                keyid:FD:50:60:CC:3D:49:41:53:DB:21:F5:3E:AD:6E:DC:3A:A5:6E:C2:E7

            X509v3 Subject Alternative Name:
                DNS:api-int.adahiya-2.installer.gcp.devcluster.openshift.com
    Signature Algorithm: sha256WithRSAEncryption

The certs I tested, created by the installer, have SANs correctly set up. Can you help by fetching the cert that ignition is served in the cluster where you are seeing the error?

maybe something like `openssl s_client -connect api-int.adahiya-2.installer.gcp.devcluster.openshift.com:22623`
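
As an added illustration (not code from this bug or from the installer), the Go program below self-signs a throwaway certificate with the hostname only in the Subject CN, the shape that produces the console error, and a second one with the CN set to a non-hostname and the name carried in the SAN, which is what the linked installer fix moves to. The hostname check is Go's crypto/x509 VerifyHostname, the same one ignition's TLS client runs; api-int.cluster.example.test is a made-up placeholder.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// hostnameRejection self-signs a throwaway server cert (constructed test data, not an
// installer cert) with Subject CN cn and SAN entries dnsNames (nil = no SAN extension),
// then returns the error text a Go >= 1.15 client such as ignition gives for host, or "".
func hostnameRejection(cn string, dnsNames []string, host string) (string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	// Same name check crypto/tls performs for the dialled host; a CN-only cert fails it.
	if err := cert.VerifyHostname(host); err != nil {
		return err.Error(), nil
	}
	return "", nil
}

func main() {
	host := "api-int.cluster.example.test" // assumed placeholder, not a real cluster
	bad, err1 := hostnameRejection(host, nil, host)
	good, err2 := hostnameRejection("not-valid-hostname", []string{host}, host)
	fmt.Printf("CN only: %q (%v)\nSAN only: %q (%v)\n", bad, err1, good, err2)
}
```

On Go 1.15 and 1.16 the first case prints exactly the GODEBUG=x509ignoreCN=0 message from the VM console; Go 1.17 and later dropped that escape hatch and print a shorter "use SANs instead" variant.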

Comment 2 Colin Walters 2020-09-23 19:16:04 UTC
Right, the fact that this isn't failing across the board implies that there's something either wrong with just vSphere (UPI) or somehow the SANs for *this* particular install are wrong.

Comment 3 Scott Dodson 2020-09-24 19:48:49 UTC
Jinyun,

Can you take a look and provide more information on this? We're baffled by why this is happening and would like to make sure we understand the problem before we make any changes.

Comment 6 jima 2020-09-29 05:34:08 UTC
Verified on UPI on vSphere with OCP 4.6.0-0.nightly-2020-09-28-212756 and RHCOS template rhcos-46.82.202009222340-0; installation is successful, so moving the bug to VERIFIED.

Comment 9 errata-xmlrpc 2020-10-27 16:44:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196
