Created attachment 1715907
error from vm console

Description of problem:
Install cluster upi on vsphere with ocp 4.6.0-0.nightly-2020-09-22-200146, rhcos template is 46.82.202009182140-0. master nodes could not get ignition file and below error is shown in vm console:

x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0

According to https://bugzilla.redhat.com/show_bug.cgi?id=1877995#c29, we may need to adjust the SAN of the certificate we generated. Please see attached screenshot for this error.

Version-Release number of the following components:
4.6.0-0.nightly-2020-09-22-200146

How reproducible:
Always

Steps to Reproduce:
1. Install OCP with rhcos template "46.82.202009182140-0"

Actual results:
Cluster installation failed.

Expected results:
Cluster is installed successfully

Additional info:
```
cat dev/bootstrap.ign | jq -r '.storage.files[] | select(.path == "/opt/openshift/tls/machine-config-server.crt") | .contents.source' | cut -c 38- | base64 -d | openssl x509 -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4744838048981034579 (0x41d90d10fa45a653)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: OU = openshift, CN = root-ca
        Validity
            Not Before: Sep 23 17:48:17 2020 GMT
            Not After : Sep 21 17:48:20 2030 GMT
        Subject: CN = api-int.adahiya-2.installer.gcp.devcluster.openshift.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                D3:A9:B1:48:5C:B3:77:C4:75:69:2C:BB:DA:99:56:91:2F:30:7D:C9
            X509v3 Authority Key Identifier:
                keyid:FD:50:60:CC:3D:49:41:53:DB:21:F5:3E:AD:6E:DC:3A:A5:6E:C2:E7
            X509v3 Subject Alternative Name:
                DNS:api-int.adahiya-2.installer.gcp.devcluster.openshift.com
    Signature Algorithm: sha256WithRSAEncryption
```

The certs I tested created by the installer have SANs correctly set up. Can you help by fetching the cert that ignition is server in the cluster where you are seeing the error? Maybe something like `openssl s_client -connect api-int.adahiya-2.installer.gcp.devcluster.openshift.com:22623`
Right, the fact that this isn't failing across the board implies that there's something either wrong with just vSphere (UPI) or somehow the SANs for *this* particular install are wrong.
Jinyun, can you try to take a look and provide more information on this? We're baffled by why this is happening and would like to make sure we understand the problem before we make any changes.
verified on upi on vsphere with ocp 4.6.0-0.nightly-2020-09-28-212756 and rhcos template rhcos-46.82.202009222340-0, installation is successful, so move the bug to VERIFIED.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:4196