Bug 2211380

Summary: The certificate request for etcd is rejected by FreeIPA CA in TLS-E DCN deployment which prevents deploying DCN with storage
Product: Red Hat OpenStack
Reporter: Marian Krcmarik <mkrcmari>
Component: ansible-tripleo-ipa
Assignee: Grzegorz Grasza <ggrasza>
Status: CLOSED ERRATA
QA Contact: Jeremy Agee <jagee>
Severity: high
Priority: high
Version: 17.1 (Wallaby)
CC: dwilde, gcharot, ggrasza, jjung, mgarciac, pgrist, pweeks
Target Milestone: ga
Keywords: AutomationBlocker, Regression, Triaged
Target Release: 17.1
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ansible-tripleo-ipa-0.3.1-1.20230519140957.el9ost
Doc Type: Known Issue
Last Closed: 2023-08-16 01:15:29 UTC
Type: Bug

Description Marian Krcmarik 2023-05-31 10:51:13 UTC
Description of problem:
On the latest d/s compose (RHOS-17.1-RHEL-9-20230525.n.1) the certificate request for the etcd service in a TLS-E deployment of RHOS fails. etcd is used for Cinder A/A management on a site of a multisite DCN topology. I've been getting CA_REJECTED with the error msg: ca-error: Server at https://site-freeipa-0.redhat.local/ipa/json denied our request, giving up: 3009 (invalid 'csr': PTR record for SAN IP (172.25.2.250) does not match A/AAAA records).
The getcert command line is:
/bin/getcert request -N CN=dcn1-computehci-0.internalapi.redhat.local -c IPA -w -k /etc/pki/tls/private/etcd.key -f /etc/pki/tls/certs/etcd.crt -D dcn1-computehci-0.internalapi.redhat.local -D overcloud.internalapi.redhat.local -D '' -A 172.25.2.250 -A '' -E '' -r -g 2048 -K etcd/dcn1-computehci-0.internalapi.redhat.local -K '' -u keyEncipherment -u digitalSignature -U 1.3.6.1.5.5.7.3.1 -U 1.3.6.1.5.5.7.3.2 -U '' -B '' -C /etc/certmonger/post-scripts/etcd-1185323.sh
(The cert requires a SAN IP because, AFAIK, etcd uses the IP directly for establishing connections.)

The PTR record for 172.25.2.250 looks like:
# ipa dnsrecord-show
Record name: 250
Zone name: 2.25.172.in-addr.arpa.
  Record name: 250
  PTR record: dcn1-computehci-0.redhat.local, dcn1-computehci-0.internalapi.redhat.local

If I change it to:
  Record name: 250
  PTR record: dcn1-computehci-0.internalapi.redhat.local
then the cert request is successful.

The recent changes/refactor from https://review.opendev.org/c/x/tripleo-ipa/+/880721 might have changed the behavior. It may make no sense to have multiple PTR records for a single IP.

Version-Release number of selected component (if applicable):
ansible-tripleo-ipsec-11.0.1-1.20220727105329.b5559c8.el9ost.noarch
ansible-tripleo-ipa-0.3.1-1.20230519140956.d172570.el9ost.noarch
ansible-role-tripleo-modify-image-1.5.1-1.20230211112201.b6eedb6.el9ost.noarch
puppet-tripleo-14.2.3-1.20230517011016.20a162c.el9ost.noarch
python3-tripleo-common-15.4.1-1.20230518211050.cbb03c0.el9ost.noarch
tripleo-ansible-3.3.1-1.20230518201531.358f3c3.el9ost.noarch
openstack-tripleo-validations-14.3.2-1.20230421031001.c768acb.el9ost.noarch
openstack-tripleo-common-containers-15.4.1-1.20230518211050.cbb03c0.el9ost.noarch
openstack-tripleo-common-15.4.1-1.20230518211050.cbb03c0.el9ost.noarch
openstack-tripleo-heat-templates-14.3.1-1.20230519151004.f602c2b.el9ost.noarch
python3-tripleoclient-16.5.1-1.20230505010953.534fe49.el9ost.noarch

How reproducible:
Always

Steps to Reproduce:
1. The setup requires Cinder A/A, which is used in a DCN topology for deploying Cinder on a DCN site and which is managed by etcd.

Actual results:
status: CA_REJECTED
	ca-error: Server at https://site-freeipa-0.redhat.local/ipa/json denied our request, giving up: 3009 (invalid 'csr': PTR record for SAN IP (172.25.2.250) does not match A/AAAA records).

Expected results:
Successful cert creation and DCN site deployment with Cinder A/A managed by etcd

Additional info:
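
A pre-flight check for the failure described in this report, added here as an example and not code from the reporter, tripleo-ipa or FreeIPA: it pulls the DNS and IP SANs out of the getcert command line (skipping the empty '' values) and verifies that every PTR target of each SAN IP resolves back to that IP, which is the consistency the 3009 rejection above demands. The DNS data is a constructed dict standing in for the FreeIPA zones, and the 192.168.24.50 address is made up; a real check would replace the dict with DNS lookups.

```python
import shlex

# Constructed DNS data modelling the report: 172.25.2.250 has two PTR records
# but only the internalapi name points back to it (the other address is made up).
CONSTRUCTED_DNS = {
    "A": {
        "dcn1-computehci-0.internalapi.redhat.local": {"172.25.2.250"},
        "dcn1-computehci-0.redhat.local": {"192.168.24.50"},  # constructed
    },
    "PTR": {
        "172.25.2.250": {"dcn1-computehci-0.redhat.local",
                         "dcn1-computehci-0.internalapi.redhat.local"},
    },
}
# The request from the report, shortened to the SAN-related options.
GETCERT_CMD = ("getcert request -N CN=dcn1-computehci-0.internalapi.redhat.local "
               "-c IPA -D dcn1-computehci-0.internalapi.redhat.local "
               "-D overcloud.internalapi.redhat.local -D '' -A 172.25.2.250 -A ''")

def sans_from_getcert(cmdline):
    """Collect DNS (-D) and IP (-A) SANs; empty '' values from tripleo-ipa are skipped."""
    args = shlex.split(cmdline)
    dns_sans, ip_sans = [], []
    for flag, value in zip(args, args[1:]):
        if flag == "-D" and value:
            dns_sans.append(value)
        elif flag == "-A" and value:
            ip_sans.append(value)
    return dns_sans, ip_sans

def ptr_problems(ip, dns_sans, dns):
    """List forward/reverse inconsistencies for one SAN IP (empty list = OK)."""
    problems = []
    if not any(ip in dns["A"].get(n, set()) for n in dns_sans):
        problems.append(f"no DNS SAN has an A/AAAA record for {ip}")
    for name in sorted(dns["PTR"].get(ip, ())):
        if ip not in dns["A"].get(name, set()):
            problems.append(f"PTR target {name} does not resolve back to {ip}")
    return problems

def check_request(cmdline, dns):
    """Map every IP SAN of the getcert command to its list of problems."""
    dns_sans, ip_sans = sans_from_getcert(cmdline)
    return {ip: ptr_problems(ip, dns_sans, dns) for ip in ip_sans}

def prune_stale_ptrs(dns):
    """Keep only PTR targets that resolve back to the IP (the state in which the request succeeded)."""
    ptr = {ip: {n for n in names if ip in dns["A"].get(n, set())}
           for ip, names in dns["PTR"].items()}
    return {"A": dns["A"], "PTR": ptr}
```

Running check_request against the constructed data flags the bare-hostname PTR as the stale entry; after prune_stale_ptrs leaves only the internalapi PTR, the same request passes, matching what the reporter observed.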

Comment 18 errata-xmlrpc 2023-08-16 01:15:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Release of components for Red Hat OpenStack Platform 17.1 (Wallaby)), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2023:4577