Bug 2211380 - The certificate request for etcd is rejected by FreeIPA CA in TLS-E DCN deployment which prevents deploying DCN with storage
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: ansible-tripleo-ipa
Version: 17.1 (Wallaby)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ga
Target Release: 17.1
Assignee: Grzegorz Grasza
QA Contact: Jeremy Agee
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-05-31 10:51 UTC by Marian Krcmarik
Modified: 2023-08-16 01:15 UTC (History)

Fixed In Version: ansible-tripleo-ipa-0.3.1-1.20230519140957.el9ost
Doc Type: Known Issue
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-08-16 01:15:29 UTC
Target Upstream Version:
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
OpenStack gerrit 884890 0 None MERGED Fix a regression in creating PTR records 2023-06-13 13:50:24 UTC
Red Hat Issue Tracker OSP-25511 0 None None None 2023-05-31 10:55:16 UTC
Red Hat Product Errata RHEA-2023:4577 0 None None None 2023-08-16 01:15:52 UTC

Description Marian Krcmarik 2023-05-31 10:51:13 UTC
Description of problem:
On the latest d/s compose (RHOS-17.1-RHEL-9-20230525.n.1) the certificate request for the etcd service in a TLS-E deployment of RHOS fails. etcd is used for Cinder A/A management on a site in a multisite DCN topology. I've been getting CA_REJECTED with error msg: ca-error: Server at https://site-freeipa-0.redhat.local/ipa/json denied our request, giving up: 3009 (invalid 'csr': PTR record for SAN IP (172.25.2.250) does not match A/AAAA records).
The getcert command line is:
/bin/getcert request -N CN=dcn1-computehci-0.internalapi.redhat.local -c IPA -w -k /etc/pki/tls/private/etcd.key -f /etc/pki/tls/certs/etcd.crt -D dcn1-computehci-0.internalapi.redhat.local -D overcloud.internalapi.redhat.local -D '' -A 172.25.2.250 -A '' -E '' -r -g 2048 -K etcd/dcn1-computehci-0.internalapi.redhat.local -K '' -u keyEncipherment -u digitalSignature -U 1.3.6.1.5.5.7.3.1 -U 1.3.6.1.5.5.7.3.2 -U '' -B '' -C /etc/certmonger/post-scripts/etcd-1185323.sh
(The cert requires a SAN IP because afaik etcd uses the IP directly for establishing connections.)

The PTR record for 172.25.2.250 looks like:
# ipa dnsrecord-show
Record name: 250
Zone name: 2.25.172.in-addr.arpa.
  Record name: 250
  PTR record: dcn1-computehci-0.redhat.local, dcn1-computehci-0.internalapi.redhat.local

If I change it to:
  Record name: 250
  PTR record: dcn1-computehci-0.internalapi.redhat.local
then the cert request is successful.

The recent changes/refactor from https://review.opendev.org/c/x/tripleo-ipa/+/880721 might have changed the behavior. It may make no sense to have multiple PTR records for a single IP.

Version-Release number of selected component (if applicable):
ansible-tripleo-ipsec-11.0.1-1.20220727105329.b5559c8.el9ost.noarch
ansible-tripleo-ipa-0.3.1-1.20230519140956.d172570.el9ost.noarch
ansible-role-tripleo-modify-image-1.5.1-1.20230211112201.b6eedb6.el9ost.noarch
puppet-tripleo-14.2.3-1.20230517011016.20a162c.el9ost.noarch
python3-tripleo-common-15.4.1-1.20230518211050.cbb03c0.el9ost.noarch
tripleo-ansible-3.3.1-1.20230518201531.358f3c3.el9ost.noarch
openstack-tripleo-validations-14.3.2-1.20230421031001.c768acb.el9ost.noarch
openstack-tripleo-common-containers-15.4.1-1.20230518211050.cbb03c0.el9ost.noarch
openstack-tripleo-common-15.4.1-1.20230518211050.cbb03c0.el9ost.noarch
openstack-tripleo-heat-templates-14.3.1-1.20230519151004.f602c2b.el9ost.noarch
python3-tripleoclient-16.5.1-1.20230505010953.534fe49.el9ost.noarch

How reproducible:
Always

Steps to Reproduce:
1. The setup requires Cinder A/A, which is used in a DCN topology for deploying Cinder on a DCN site and is managed by etcd.

Actual results:
status: CA_REJECTED
	ca-error: Server at https://site-freeipa-0.redhat.local/ipa/json denied our request, giving up: 3009 (invalid 'csr': PTR record for SAN IP (172.25.2.250) does not match A/AAAA records).

Expected results:
Successful cert creation and DCN site deployment with Cinder A/A managed by etcd

Additional info:
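As an added illustration (not FreeIPA's or tripleo-ipa's code), the check below models the rule behind the 3009 error quoted above: it extracts the DNS and IP SANs from the getcert line in the report and verifies that every PTR target of each SAN IP is one of the CSR's DNS SANs and has an A/AAAA record resolving back to that IP. The zone data and the exact rule are assumptions reconstructed from this report, not FreeIPA's implementation.

```python
import shlex
from typing import Dict, List, Tuple

# The getcert request line quoted in the report, trimmed to the SAN-relevant
# options.  The empty -D/-A values are exactly what the report shows.
GETCERT_CMD = (
    "/bin/getcert request -N CN=dcn1-computehci-0.internalapi.redhat.local -c IPA "
    "-D dcn1-computehci-0.internalapi.redhat.local "
    "-D overcloud.internalapi.redhat.local -D '' -A 172.25.2.250 -A '' "
    "-K etcd/dcn1-computehci-0.internalapi.redhat.local"
)

# Constructed zone data mirroring the report: the reverse zone before (two PTR
# targets, CSR rejected) and after the reporter's fix (one target, accepted).
A_RECORDS: Dict[str, List[str]] = {
    "dcn1-computehci-0.internalapi.redhat.local": ["172.25.2.250"],
}
PTR_BEFORE = {"172.25.2.250": ["dcn1-computehci-0.redhat.local",
                               "dcn1-computehci-0.internalapi.redhat.local"]}
PTR_AFTER = {"172.25.2.250": ["dcn1-computehci-0.internalapi.redhat.local"]}


def sans_from_getcert(cmdline: str) -> Tuple[List[str], List[str]]:
    """Collect the -D (DNS) and -A (IP) SAN values, skipping empty placeholders."""
    argv = shlex.split(cmdline)
    dns, ips = [], []
    for flag, value in zip(argv, argv[1:]):
        if flag == "-D" and value:
            dns.append(value)
        elif flag == "-A" and value:
            ips.append(value)
    return dns, ips


def rejected_ptr_targets(ip: str, san_dns: List[str], a_records, ptr_records) -> List[str]:
    """PTR targets of `ip` that fail the modelled rule (assumption): every PTR
    target must be one of the CSR's DNS SANs and have an A/AAAA record for `ip`."""
    wanted = {n.lower().rstrip(".") for n in san_dns}
    bad = []
    for target in ptr_records.get(ip, []):
        name = target.lower().rstrip(".")
        if name not in wanted or ip not in a_records.get(name, []):
            bad.append(name)
    return bad


def csr_would_be_accepted(cmdline: str, a_records, ptr_records) -> bool:
    """Pre-flight check: every SAN IP needs at least one PTR record and no PTR
    target that trips the modelled rule; a missing PTR counts as a rejection."""
    dns, ips = sans_from_getcert(cmdline)
    return all(bool(ptr_records.get(ip)) and
               not rejected_ptr_targets(ip, dns, a_records, ptr_records) for ip in ips)
```

Running the check against both reverse-zone states reproduces the report: the stray dcn1-computehci-0.redhat.local PTR target is the only offending entry, and dropping it makes the request pass.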

Comment 18 errata-xmlrpc 2023-08-16 01:15:29 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Release of components for Red Hat OpenStack Platform 17.1 (Wallaby)), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2023:4577