Description of problem:
Running openstack overcloud upgrade run -y --stack overcloud --limit compute-0-ffu.

Version-Release number of selected component (if applicable):
OSP13 rhel-8.2+ osp16.1

How reproducible:
Every time

Steps to Reproduce:
1. openstack overcloud upgrade run -y --stack overcloud --limit compute-0-ffu

Actual results:
The command fails

Expected results:
The command succeeds.

Additional info:
Nov 17 08:37:57 compute-0-ffu certmonger[38078]: Certificate in file "/etc/pki/libvirt-vnc/server-cert.pem" issued by CA and saved.
Nov 17 08:37:57 compute-0-ffu puppet-user[37753]: Notice: /Stage[main]/Tripleo::Profile::Base::Certmonger_user/Tripleo::Certmonger::Qemu[qemu-nbd-client-cert]/Certmonger_certificate[qemu-nbd-client-cert]/ensure: created
Nov 17 08:37:57 compute-0-ffu ansible-async_wrapper.py[37731]: 37732 still running (3590)
Nov 17 08:37:58 compute-0-ffu certmonger[2544]: Submitting request to "https://freeipa.nodel8.local/ipa/xml".
Nov 17 08:37:59 compute-0-ffu certmonger[2544]: Fault 2100: (RPC failed at server. Insufficient access: Insufficient 'add' privilege to add the entry 'krbprincipalname=qemu/compute-0-ffu.internalapi.nodel8.local,cn=services,cn=accounts,dc=nodel8,dc=local'.).
Nov 17 08:37:59 compute-0-ffu certmonger[2544]: 2020-11-17 08:37:59 [2544] Server at https://freeipa.nodel8.local/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Insufficient 'add' privilege to add the entry 'krbprincipalname=qemu/compute-0-ffu.internalapi.nodel8.local,cn=services,cn=accounts,dc=nodel8,dc=local'.).
Nov 17 08:37:59 compute-0-ffu certmonger[38098]: Request for certificate to be stored in file "/etc/pki/libvirt-nbd/client-cert.pem" rejected by CA.
Nov 17 08:37:59 compute-0-ffu puppet-user[37753]: Warning: Could not get certificate: Execution of '/usr/bin/getcert request -I qemu-nbd-client-cert -f /etc/pki/libvirt-nbd/client-cert.pem -c IPA -N CN=compute-0-ffu.internalapi.nodel8.local -K qemu/compute-0-ffu.internalapi.nodel8.local -D compute-0-ffu.internalapi.nodel8.local -w -k /etc/pki/libvirt-nbd/client-key.pem -F /etc/pki/CA/certs/qemu.pem' returned 2: New signing request "qemu-nbd-client-cert" added.
Nov 17 08:37:59 compute-0-ffu kernel: IPv4: martian source 10.204.221.142 from 10.204.221.131, on dev eno2
Nov 17 08:37:59 compute-0-ffu kernel: ll header: 00000000: ff ff ff ff ff ff 0c c4 7a 32 09 f8 08 06 ........z2....
Nov 17 08:37:59 compute-0-ffu puppet-user[37753]: Error: /Stage[main]/Tripleo::Profile::Base::Certmonger_user/Tripleo::Certmonger::Qemu[qemu-nbd-client-cert]/Certmonger_certificate[qemu-nbd-client-cert]: Could not evaluate: Could not get certificate: Server at https://freeipa.nodel8.local/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Insufficient 'add' privilege to add the entry 'krbprincipalname=qemu/compute-0-ffu.internalapi.nodel8.local,cn=services,cn=accounts,dc=nodel8,dc=local'.).
Nov 17 08:37:59 compute-0-ffu puppet-user[37753]: Notice: /Stage[main]/Tripleo::Profile::Base::Certmonger_user/Tripleo::Certmonger::Qemu[qemu-nbd-client-cert]/File[/etc/pki/libvirt-nbd/client-cert.pem]: Dependency Certmonger_certificate[qemu-nbd-client-cert] has failures: true
Nov 17 08:37:59 compute-0-ffu puppet-user[37753]: Warning: /Stage[main]/Tripleo::Profile::Base::Certmonger_user/Tripleo::Certmonger::Qemu[qemu-nbd-client-cert]/File[/etc/pki/libvirt-nbd/client-cert.pem]: Skipping because of failed dependencies
Nov 17 08:37:59 compute-0-ffu puppet-user[37753]: Warning: /Stage[main]/Tripleo::Profile::Base::Certmonger_user/Tripleo::Certmonger::Qemu[qemu-nbd-client-cert]/File[/etc/pki/libvirt-nbd/client-key.pem]: Skipping because of failed dependencies
Nov 17 08:37:59 compute-0-ffu puppet-user[37753]: Notice: /Stage[main]/Tripleo::Profile::Base::Certmonger_user/Tripleo::Certmonger::Qemu[qemu-server-cert]/Certmonger_certificate[qemu-server-cert]/ensure: created

*** This bug has been marked as a duplicate of bug 1901157 ***