Closed santoshnt1 closed 1 year ago
@santoshnt1 I can see the status of cluster is running which means all the cluster operators are in Ready
state. what is the output of oc get pods -n openshift-marketplace
?
Hi Praveen, please find the output below
PS C:\Users\skumar2382> oc get pods -n openshift-marketplace
NAME READY STATUS RESTARTS AGE
certified-operators-7mjj2 0/1 ImagePullBackOff 3 27d
certified-operators-sgd2m 0/1 ImagePullBackOff 0 26d
community-operators-8klmh 0/1 ImagePullBackOff 0 26d
community-operators-rjft7 0/1 ImagePullBackOff 3 27d
marketplace-operator-76cc47dfd5-gsb2t 1/1 Running 2 27d
redhat-marketplace-5qft2 0/1 ImagePullBackOff 0 26d
redhat-marketplace-z6kxv 0/1 ImagePullBackOff 3 27d
redhat-operators-r6zjp 0/1 ImagePullBackOff 3 27d
redhat-operators-tbq7w 0/1 ImagePullBackOff 0 26d
Thanks Santosh
Do you need to use a http/https proxy for external network access?
no, no proxy required
Adding pod description it may gives you more info about issue
PS C:\Users\skumar2382> oc describe pod redhat-operators-r6zjp -n openshift-marketplace
Name: redhat-operators-r6zjp
Namespace: openshift-marketplace
Priority: 2000000000
Priority Class Name: system-cluster-critical
Service Account: redhat-operators
Node: crc-ccssl-master-0/192.168.126.11
Start Time: Tue, 20 Jun 2023 06:05:01 +0100
Labels: olm.catalogSource=redhat-operators
olm.pod-spec-hash=7dd4b897fb
Annotations: cluster-autoscaler.kubernetes.io/safe-to-evict: true
k8s.v1.cni.cncf.io/network-status:
[{
"name": "openshift-sdn",
"interface": "eth0",
"ips": [
"10.217.0.51"
],
"default": true,
"dns": {}
}]
openshift.io/scc: restricted-v2
operatorframework.io/managed-by: marketplace-operator
seccomp.security.alpha.kubernetes.io/pod: runtime/default
Status: Running
IP: 10.217.0.51
IPs:
IP: 10.217.0.51
Containers:
registry-server:
Container ID:
Image: registry.redhat.io/redhat/redhat-operator-index:v4.13
Image ID:
Port: 50051/TCP
Host Port: 0/TCP
State: Waiting
Reason: ImagePullBackOff
Last State: Terminated
Reason: ContainerStatusUnknown
Message: The container could not be located when the pod was deleted. The container used to be Running
Exit Code: 137
Started: Mon, 01 Jan 0001 00:00:00 +0000
Finished: Mon, 01 Jan 0001 00:00:00 +0000
Ready: False
Restart Count: 3
Requests:
cpu: 10m
memory: 50Mi
Liveness: exec [grpc_health_probe -addr=:50051] delay=10s timeout=5s period=10s #success=1 #failure=3
Readiness: exec [grpc_health_probe -addr=:50051] delay=5s timeout=5s period=10s #success=1 #failure=3
Startup: exec [grpc_health_probe -addr=:50051] delay=0s timeout=5s period=10s #success=1 #failure=10
Environment: <none>
Mounts:
/var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-wzjk5 (ro)
Conditions:
Type Status
Initialized True
Ready False
ContainersReady False
PodScheduled True
Volumes:
kube-api-access-wzjk5:
Type: Projected (a volume that contains injected data from multiple sources)
TokenExpirationSeconds: 3607
ConfigMapName: kube-root-ca.crt
ConfigMapOptional: <nil>
DownwardAPI: true
ConfigMapName: openshift-service-ca.crt
ConfigMapOptional: <nil>
QoS Class: Burstable
Node-Selectors: kubernetes.io/os=linux
node-role.kubernetes.io/master=
Tolerations: node-role.kubernetes.io/master:NoSchedule op=Exists
node.kubernetes.io/memory-pressure:NoSchedule op=Exists
node.kubernetes.io/not-ready:NoExecute op=Exists for 120s
node.kubernetes.io/unreachable:NoExecute op=Exists for 120s
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 28d default-scheduler Successfully assigned openshift-marketplace/redhat-operators-r6zjp to crc-ccssl-master-0
Normal AddedInterface 28d multus Add eth0 [10.217.0.40/23] from openshift-sdn
Normal Pulling 28d kubelet Pulling image "registry.redhat.io/redhat/redhat-operator-index:v4.13"
Normal Pulled 28d kubelet Successfully pulled image "registry.redhat.io/redhat/redhat-operator-index:v4.13" in 28.092328789s (28.092343535s including waiting)
Normal Created 28d kubelet Created container registry-server
Normal Started 28d kubelet Started container registry-server
Warning NodeNotReady 27d node-controller Node is not ready
Normal AddedInterface 27d multus Add eth0 [10.217.0.17/23] from openshift-sdn
Normal Pulling 27d kubelet Pulling image "registry.redhat.io/redhat/redhat-operator-index:v4.13"
Normal Pulled 27d kubelet Successfully pulled image "registry.redhat.io/redhat/redhat-operator-index:v4.13" in 1.010731458s (1.010751857s including waiting)
Normal Created 27d kubelet Created container registry-server
Normal Started 27d kubelet Started container registry-server
Normal AddedInterface 27d multus Add eth0 [10.217.0.10/23] from openshift-sdn
Normal Pulling 27d kubelet Pulling image "registry.redhat.io/redhat/redhat-operator-index:v4.13"
Normal Pulled 27d kubelet Successfully pulled image "registry.redhat.io/redhat/redhat-operator-index:v4.13" in 907.556869ms (907.566931ms including waiting)
Normal Created 27d kubelet Created container registry-server
Normal Started 27d kubelet Started container registry-server
Warning NodeNotReady 27d node-controller Node is not ready
Normal AddedInterface 42m multus Add eth0 [10.217.0.32/23] from openshift-sdn
Warning Failed 40m (x6 over 42m) kubelet Error: ImagePullBackOff
Warning Failed 40m (x4 over 42m) kubelet Error: ErrImagePull
Warning Failed 40m (x4 over 42m) kubelet Failed to pull image "registry.redhat.io/redhat/redhat-operator-index:v4.13": rpc error: code = Unknown desc = pinging container registry registry.redhat.io: Get "https://registry.redhat.io/v2/": x509: certificate signed by unknown authority
Normal Pulling 40m (x4 over 42m) kubelet Pulling image "registry.redhat.io/redhat/redhat-operator-index:v4.13"
Normal BackOff 31m (x47 over 42m) kubelet Back-off pulling image "registry.redhat.io/redhat/redhat-operator-index:v4.13"
Normal AddedInterface 25m multus Add eth0 [10.217.0.51/23] from openshift-sdn
Warning Failed 23m (x4 over 25m) kubelet Failed to pull image "registry.redhat.io/redhat/redhat-operator-index:v4.13": rpc error: code = Unknown desc = pinging container registry registry.redhat.io: Get "https://registry.redhat.io/v2/": x509: certificate signed by unknown authority
Warning Failed 23m (x4 over 25m) kubelet Error: ErrImagePull
Warning Failed 23m (x6 over 25m) kubelet Error: ImagePullBackOff
Normal Pulling 9m24s (x8 over 25m) kubelet Pulling image "registry.redhat.io/redhat/redhat-operator-index:v4.13"
Normal BackOff 4m31s (x90 over 25m) kubelet Back-off pulling image "registry.redhat.io/redhat/redhat-operator-index:v4.13"
Get "https://registry.redhat.io/v2/": x509: certificate signed by unknown authority
Warning Failed 23m (x4 over 25m) kubelet Error: ErrImagePull
is definitely problematic, but I don't know why this would be happening.
@santoshnt1 can you run openssl s_client -connect registry.redhat.io:443
on your host and also in the VM ( you can access the VM using https://github.com/crc-org/crc/wiki/Debugging-guide ) because this seems to like a proxy in place without your knowledge.
HI Praveen, please find the output below : From Host
ED(00000003)
depth=2 C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = Zscaler Intermediate Root CA (zscalerthree.net), emailAddress = support@zscaler.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = "Zscaler Intermediate Root CA (zscalerthree.net) (t) "
verify return:1
depth=0 C = US, ST = North Carolina, L = Raleigh, O = "Red Hat, Inc.", CN = registry.redhat.io
verify return:1
---
Certificate chain
0 s:C = US, ST = North Carolina, L = Raleigh, O = "Red Hat, Inc.", CN = registry.redhat.io
i:C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = "Zscaler Intermediate Root CA (zscalerthree.net) (t) "
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Jul 15 09:25:06 2023 GMT; NotAfter: Jul 29 09:25:06 2023 GMT
1 s:C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = "Zscaler Intermediate Root CA (zscalerthree.net) (t) "
i:C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = Zscaler Intermediate Root CA (zscalerthree.net), emailAddress = support@zscaler.com
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Jul 15 09:25:06 2023 GMT; NotAfter: Jul 29 09:25:06 2023 GMT
2 s:C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = Zscaler Intermediate Root CA (zscalerthree.net), emailAddress = support@zscaler.com
i:C = US, ST = California, L = San Jose, O = Zscaler Inc., OU = Zscaler Inc., CN = Zscaler Root CA, emailAddress = support@zscaler.com
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Jun 5 05:32:44 2020 GMT; NotAfter: Jun 23 05:32:44 2041 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIE0jCCA7qgAwIBAgIQbb7//wHIvH+E0erm7PFd5zANBgkqhkiG9w0BAQsFADCB
jzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFTATBgNVBAoMDFpz
Y2FsZXIgSW5jLjEVMBMGA1UECwwMWnNjYWxlciBJbmMuMT0wOwYDVQQDDDRac2Nh
bGVyIEludGVybWVkaWF0ZSBSb290IENBICh6c2NhbGVydGhyZWUubmV0KSAodCkg
MB4XDTIzMDcxNTA5MjUwNloXDTIzMDcyOTA5MjUwNlowbTELMAkGA1UEBhMCVVMx
FzAVBgNVB-bash: [core@crc-ccssl-master-0: command not found
AgTDk[user@GB-5CG30917V4 skumar2382]$ CONNECTED(00000003)
-bash: syntax error near unexpected token `00000003'
[user@GB-5CG30917V4 skumar2382]$ depth=2 C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = Zscaler Intermediate Root CA (zscalerthree.net), emailAddress = support@zscaler.com
-bash: syntax error near unexpected token `('
[user@GB-5CG30917V4 skumar2382]$ verify error:num=20:unable to get local issuer certificate
ENhcm9saW5hMRAwDgYDVQQHEwdSYWxlaWdoMRYwFAYD
VQQKEw1SZWQgSGF0LCBJbmMuMRswGQYDVQQDExJyZWdpc3RyeS5yZWRoYXQuaW8w
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6tc6RnE3qF7dWVFhgB/1Z
Az2CBYpF1ZF25Ju82TCqh/2A+JtTBmDVs+6y4wBCLqTS/bUK1OJlPrMadJoBc/yl
3L6O1dpit3hZmLOH3LMmmozF5NCsnRJrbPFuaIpKd473fe8Z0fCyO3JVTiLsJpol
Xe2+YMYiF3Hol09DVYJQ/pfk1jr1mMYTLa2hr2l6qwHk7O7Wcq1QUgAZxoneRcrB
S4IADRLO96UM7nM6rfF/dtBL8MWFVyK2BkyvZGALvXwk5P/MO3XGoU1rfrFxuXwu
sWBPidBnD4n+mJLVyC0e6hZn80edogOdHEjhGA9R08UKrnlv37Z+ri2poQFS1L9j
AgMBAAGjggFJMIIBRTCBvwYDVR0RBIG3MIG0ghJyZWdpc3RyeS5yZWRoYXQuaW+C
E3JlZ2lzdHJ5Ni5yZWRoYXQuaW+CHHJlZ2lzdHJ5Ni5jb25uZWN0LnJlZGhhdC5j
b22CG3JlZ2lzdHJ5Ni5hY2Nlc3MucmVkaGF0LmNvbYIbcmVnaXN0cnkuY29ubmVj
dC5yZWRoYXQuY29tghpyZWdpc3RyeS5hY2Nlc3MucmVkaGF0LmNvbYIVYWNjZXNz
LmNkbi5yZWRoYXQuY29tMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEF
BQcDAQYIKwYBBQUHAwIwCQYDVR0TBAIwADBHBgNVHR8EQDA+MDygOqA4hjZodHRw
Oi8vZ2F0ZXdheS56c2NhbGVydGhyZWUubmV0L3pzY2FsZXItenNjcmwtLTQtMS5j
cmwwDQYJKoZIhvcNAQELBQADggEBAHjHYL/F4WwkCWTzDgbvV8egx4WSauEU3gyF
pz++BXDsKYhGTWYz9qk/VowLFmpo9dc6lI9WvT6RmdOvinqRmZSif4rLs/016YEc
NevjDqTcKMExBJ0KUMYSzAqxPvdCqMLBeT1hzvtIYXGDTB34wKxUiUoRZhb/dit/
Us3fWpOFK/KC3kV9Fhgo2WyDhe1zTeozE5rZo+gUckEdzLbwwstlKhD2eGD0/a2a
Fa/n4rpnRFx6PNC0bekTfK72RtHLB/+VSRejciXCqZ6d0GfxYt//lQFFxSDvYiIN
LLxl9-bash: verify: command not found
EUh4jn[user@GB-5CG30917V4 skumar2382]$ verify return:1
G1PXPalBrsqjS2pFYvwSkk54KbkWpFsv838h9XFk=
-----END CERTIFICATE-----
subject=C = US, ST = North Carolina, L = Raleigh, O = "Red Hat, Inc.", CN = registry.redhat.io
issuer=C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = "Zscaler Intermediate Root CA (zscalerthree.net) (t) "
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 4133 bytes and written 757 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)
----bash: verify: command not found
[user@GB-5CG30917V4 skumar2382]$ depth=1 C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = "Zscaler Intermediate Root CA (zscalerthree.net) (t) "
-bash: C: command not found
[user@GB-5CG30917V4 skumar2382]$ verify return:1
-bash: verify: command not found
[user@GB-5CG30917V4 skumar2382]$ depth=0 C = US, ST = North Carolina, L = Raleigh, O = "Red Hat, Inc.", CN = registry.redhat.io
-bash: C: command not found
[user@GB-5CG30917V4 skumar2382]$ verify return:1
-bash: verify: command not found
[user@GB-5CG30917V4 skumar2382]$ ---
-bash: ---: command not found
[user@GB-5CG30917V4 skumar2382]$ Certificate chain
-bash: Certificate: command not found
[user@GB-5CG30917V4 skumar2382]$ 0 s:C = US, ST = North Carolina, L = Raleigh, O = "Red Hat, Inc.", CN = registry.redhat.io
-bash: 0: command not found
[user@GB-5CG30917V4 skumar2382]$ i:C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = "Zscaler Intermediate Root CA (zscalerthree.net) (t) "
-bash: i:C: command not found
[user@GB-5CG30917V4 skumar2382]$ a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
-bash: syntax error near unexpected token `('
[user@GB-5CG30917V4 skumar2382]$ v:NotBefore: Jul 15 09:25:06 2023 GMT; NotAfter: Jul 29 09:25:06 2023 GMT
-bash: v:NotBefore:: command not found
-bash: NotAfter:: command not found
[user@GB-5CG30917V4 skumar2382]$ 1 s:C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = "Zscaler Intermediate Root CA (zscalerthree.net) (t) "
-bash: 1: command not found
[user@GB-5CG30917V4 skumar2382]$ i:C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = Zscaler Intermediate Root CA (zscalerthree.net), emailAddress = support@zscaler.com
-bash: syntax error near unexpected token `('
[user@GB-5CG30917V4 skumar2382]$ a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
-bash: syntax error near unexpected token `('
[user@GB-5CG30917V4 skumar2382]$ v:NotBefore: Jul 15 09:25:06 2023 GMT; NotAfter: Jul 29 09:25:06 2023 GMT
-bash: v:NotBefore:: command not found
-bash: NotAfter:: command not found
[user@GB-5CG30917V4 skumar2382]$ 2 s:C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = Zscaler Intermediate Root CA (zscalerthree.net), emailAddress = support@zscaler.com
-bash: syntax error near unexpected token `('
[user@GB-5CG30917V4 skumar2382]$ i:C = US, ST = California, L = San Jose, O = Zscaler Inc., OU = Zscaler Inc., CN = Zscaler Root CA, emailAddress = support@zscaler.com
-bash: i:C: command not found
[user@GB-5CG30917V4 skumar2382]$ a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
-bash: syntax error near unexpected token `('
[user@GB-5CG30917V4 skumar2382]$ v:NotBefore: Jun 5 05:32:44 2020 GMT; NotAfter: Jun 23 05:32:44 2041 GMT
-bash: v:NotBefore:: command not found
-bash: NotAfter:: command not found
[user@GB-5CG30917V4 skumar2382]$ ---
-bash: ---: command not found
[user@GB-5CG30917V4 skumar2382]$ Server certificate
-bash: Server: command not found
[user@GB-5CG30917V4 skumar2382]$ -----BEGIN CERTIFICATE-----
-bash: -----BEGIN: command not found
[user@GB-5CG30917V4 skumar2382]$ MIIE0jCCA7qgAwIBAgIQbb7//wHIvH+E0erm7PFd5zANBgkqhkiG9w0BAQsFADCB
-bash: MIIE0jCCA7qgAwIBAgIQbb7//wHIvH+E0erm7PFd5zANBgkqhkiG9w0BAQsFADCB: No such file or directory
[user@GB-5CG30917V4 skumar2382]$ jzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFTATBgNVBAoMDFpz
-bash: jzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFTATBgNVBAoMDFpz: command not found
[user@GB-5CG30917V4 skumar2382]$ Y2FsZXIgSW5jLjEVMBMGA1UECwwMWnNjYWxlciBJbmMuMT0wOwYDVQQDDDRac2Nh
-bash: Y2FsZXIgSW5jLjEVMBMGA1UECwwMWnNjYWxlciBJbmMuMT0wOwYDVQQDDDRac2Nh: command not found
[user@GB-5CG30917V4 skumar2382]$ bGVyIEludGVybWVkaWF0ZSBSb290IENBICh6c2NhbGVydGhyZWUubmV0KSAodCkg
-bash: bGVyIEludGVybWVkaWF0ZSBSb290IENBICh6c2NhbGVydGhyZWUubmV0KSAodCkg: command not found
[user@GB-5CG30917V4 skumar2382]$ MB4XDTIzMDcxNTA5MjUwNloXDTIzMDcyOTA5MjUwNlowbTELMAkGA1UEBhMCVVMx
-bash: MB4XDTIzMDcxNTA5MjUwNloXDTIzMDcyOTA5MjUwNlowbTELMAkGA1UEBhMCVVMx: command not found
[user@GB-5CG30917V4 skumar2382]$ FzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMRAwDgYDVQQHEwdSYWxlaWdoMRYwFAYD
-bash: FzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMRAwDgYDVQQHEwdSYWxlaWdoMRYwFAYD: command not found
[user@GB-5CG30917V4 skumar2382]$ VQQKEw1SZWQgSGF0LCBJbmMuMRswGQYDVQQDExJyZWdpc3RyeS5yZWRoYXQuaW8w
-bash: VQQKEw1SZWQgSGF0LCBJbmMuMRswGQYDVQQDExJyZWdpc3RyeS5yZWRoYXQuaW8w: command not found
[user@GB-5CG30917V4 skumar2382]$ ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6tc6RnE3qF7dWVFhgB/1Z
-bash: ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6tc6RnE3qF7dWVFhgB/1Z: No such file or directory
[user@GB-5CG30917V4 skumar2382]$ Az2CBYpF1ZF25Ju82TCqh/2A+JtTBmDVs+6y4wBCLqTS/bUK1OJlPrMadJoBc/yl
-bash: Az2CBYpF1ZF25Ju82TCqh/2A+JtTBmDVs+6y4wBCLqTS/bUK1OJlPrMadJoBc/yl: No such file or directory
[user@GB-5CG30917V4 skumar2382]$ 3L6O1dpit3hZmLOH3LMmmozF5NCsnRJrbPFuaIpKd473fe8Z0fCyO3JVTiLsJpol
-bash: 3L6O1dpit3hZmLOH3LMmmozF5NCsnRJrbPFuaIpKd473fe8Z0fCyO3JVTiLsJpol: command not found
[user@GB-5CG30917V4 skumar2382]$ Xe2+YMYiF3Hol09DVYJQ/pfk1jr1mMYTLa2hr2l6qwHk7O7Wcq1QUgAZxoneRcrB
-bash: Xe2+YMYiF3Hol09DVYJQ/pfk1jr1mMYTLa2hr2l6qwHk7O7Wcq1QUgAZxoneRcrB: No such file or directory
[user@GB-5CG30917V4 skumar2382]$ S4IADRLO96UM7nM6rfF/dtBL8MWFVyK2BkyvZGALvXwk5P/MO3XGoU1rfrFxuXwu
-bash: S4IADRLO96UM7nM6rfF/dtBL8MWFVyK2BkyvZGALvXwk5P/MO3XGoU1rfrFxuXwu: No such file or directory
[user@GB-5CG30917V4 skumar2382]$ sWBPidBnD4n+mJLVyC0e6hZn80edogOdHEjhGA9R08UKrnlv37Z+ri2poQFS1L9j
-bash: sWBPidBnD4n+mJLVyC0e6hZn80edogOdHEjhGA9R08UKrnlv37Z+ri2poQFS1L9j: command not found
[user@GB-5CG30917V4 skumar2382]$ AgMBAAGjggFJMIIBRTCBvwYDVR0RBIG3MIG0ghJyZWdpc3RyeS5yZWRoYXQuaW+C
-bash: AgMBAAGjggFJMIIBRTCBvwYDVR0RBIG3MIG0ghJyZWdpc3RyeS5yZWRoYXQuaW+C: command not found
[user@GB-5CG30917V4 skumar2382]$ E3JlZ2lzdHJ5Ni5yZWRoYXQuaW+CHHJlZ2lzdHJ5Ni5jb25uZWN0LnJlZGhhdC5j
-bash: E3JlZ2lzdHJ5Ni5yZWRoYXQuaW+CHHJlZ2lzdHJ5Ni5jb25uZWN0LnJlZGhhdC5j: command not found
[user@GB-5CG30917V4 skumar2382]$ b22CG3JlZ2lzdHJ5Ni5hY2Nlc3MucmVkaGF0LmNvbYIbcmVnaXN0cnkuY29ubmVj
-bash: b22CG3JlZ2lzdHJ5Ni5hY2Nlc3MucmVkaGF0LmNvbYIbcmVnaXN0cnkuY29ubmVj: command not found
[user@GB-5CG30917V4 skumar2382]$ dC5yZWRoYXQuY29tghpyZWdpc3RyeS5hY2Nlc3MucmVkaGF0LmNvbYIVYWNjZXNz
-bash: dC5yZWRoYXQuY29tghpyZWdpc3RyeS5hY2Nlc3MucmVkaGF0LmNvbYIVYWNjZXNz: command not found
[user@GB-5CG30917V4 skumar2382]$ LmNkbi5yZWRoYXQuY29tMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEF
-bash: LmNkbi5yZWRoYXQuY29tMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEF: No such file or directory
[user@GB-5CG30917V4 skumar2382]$ BQcDAQYIKwYBBQUHAwIwCQYDVR0TBAIwADBHBgNVHR8EQDA+MDygOqA4hjZodHRw
-bash: BQcDAQYIKwYBBQUHAwIwCQYDVR0TBAIwADBHBgNVHR8EQDA+MDygOqA4hjZodHRw: command not found
[user@GB-5CG30917V4 skumar2382]$ Oi8vZ2F0ZXdheS56c2NhbGVydGhyZWUubmV0L3pzY2FsZXItenNjcmwtLTQtMS5j
-bash: Oi8vZ2F0ZXdheS56c2NhbGVydGhyZWUubmV0L3pzY2FsZXItenNjcmwtLTQtMS5j: command not found
[user@GB-5CG30917V4 skumar2382]$ cmwwDQYJKoZIhvcNAQELBQADggEBAHjHYL/F4WwkCWTzDgbvV8egx4WSauEU3gyF
-bash: cmwwDQYJKoZIhvcNAQELBQADggEBAHjHYL/F4WwkCWTzDgbvV8egx4WSauEU3gyF: No such file or directory
[user@GB-5CG30917V4 skumar2382]$ pz++BXDsKYhGTWYz9qk/VowLFmpo9dc6lI9WvT6RmdOvinqRmZSif4rLs/016YEc
-bash: pz++BXDsKYhGTWYz9qk/VowLFmpo9dc6lI9WvT6RmdOvinqRmZSif4rLs/016YEc: No such file or directory
[user@GB-5CG30917V4 skumar2382]$ NevjDqTcKMExBJ0KUMYSzAqxPvdCqMLBeT1hzvtIYXGDTB34wKxUiUoRZhb/dit/
-bash: NevjDqTcKMExBJ0KUMYSzAqxPvdCqMLBeT1hzvtIYXGDTB34wKxUiUoRZhb/dit/: No such file or directory
[user@GB-5CG30917V4 skumar2382]$ Us3fWpOFK/KC3kV9Fhgo2WyDhe1zTeozE5rZo+gUckEdzLbwwstlKhD2eGD0/a2a
-bash: Us3fWpOFK/KC3kV9Fhgo2WyDhe1zTeozE5rZo+gUckEdzLbwwstlKhD2eGD0/a2a: No such file or directory
[user@GB-5CG30917V4 skumar2382]$ Fa/n4rpnRFx6PNC0bekTfK72RtHLB/+VSRejciXCqZ6d0GfxYt//lQFFxSDvYiIN
-bash: Fa/n4rpnRFx6PNC0bekTfK72RtHLB/+VSRejciXCqZ6d0GfxYt//lQFFxSDvYiIN: No such file or directory
[user@GB-5CG30917V4 skumar2382]$ LLxl9EUh4jnG1PXPalBrsqjS2pFYvwSkk54KbkWpFsv838h9XFk=
[user@GB-5CG30917V4 skumar2382]$ -----END CERTIFICATE-----
-bash: -----END: command not found
[user@GB-5CG30917V4 skumar2382]$ subject=C = US, ST = North Carolina, L = Raleigh, O = "Red Hat, Inc.", CN = registry.redhat.io
-bash: =: command not found
[user@GB-5CG30917V4 skumar2382]$ issuer=C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = "Zscaler Intermediate Root CA (zscalerthree.net) (t) "
-bash: =: command not found
[user@GB-5CG30917V4 skumar2382]$ ---
-bash: ---: command not found
[user@GB-5CG30917V4 skumar2382]$ No client certificate CA names sent
-bash: No: command not found
[user@GB-5CG30917V4 skumar2382]$ Peer signing digest: SHA256
-bash: Peer: command not found
[user@GB-5CG30917V4 skumar2382]$ Peer signature type: RSA-PSS
-bash: Peer: command not found
[user@GB-5CG30917V4 skumar2382]$ Server Temp Key: ECDH, prime256v1, 256 bits
-bash: Server: command not found
[user@GB-5CG30917V4 skumar2382]$ ---
-bash: ---: command not found
[user@GB-5CG30917V4 skumar2382]$ SSL handshake has read 4133 bytes and written 757 bytes
-bash: SSL: command not found
[user@GB-5CG30917V4 skumar2382]$ Verification error: unable to get local issuer certificate
-bash: Verification: command not found
[user@GB-5CG30917V4 skumar2382]$ ---
-bash: ---: command not found
[user@GB-5CG30917V4 skumar2382]$ New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
-bash: New,: command not found
[user@GB-5CG30917V4 skumar2382]$ Server public key is 2048 bit
-bash: Server: command not found
[user@GB-5CG30917V4 skumar2382]$ Secure Renegotiation IS NOT supported
-bash: Secure: command not found
[user@GB-5CG30917V4 skumar2382]$ Compression: NONE
-bash: Compression:: command not found
[user@GB-5CG30917V4 skumar2382]$ Expansion: NONE
-bash: Expansion:: command not found
[user@GB-5CG30917V4 skumar2382]$ No ALPN negotiated
-bash: No: command not found
[user@GB-5CG30917V4 skumar2382]$ Early data was not sent
-bash: Early: command not found
[user@GB-5CG30917V4 skumar2382]$ Verify return code: 20 (unable to get local issuer certificate)
-bash: syntax error near unexpected token `('
from VM
[core@crc-ccssl-master-0 ~]$ openssl s_client -connect registry.redhat.io:443
CONNECTED(00000003)
depth=2 C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = Zscaler Intermediate Root CA (zscalerthree.net), emailAddress = support@zscaler.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = "Zscaler Intermediate Root CA (zscalerthree.net) (t) "
verify return:1
depth=0 C = US, ST = North Carolina, L = Raleigh, O = "Red Hat, Inc.", CN = registry.redhat.io
verify return:1
---
Certificate chain
0 s:C = US, ST = North Carolina, L = Raleigh, O = "Red Hat, Inc.", CN = registry.redhat.io
i:C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = "Zscaler Intermediate Root CA (zscalerthree.net) (t) "
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Jul 15 09:25:06 2023 GMT; NotAfter: Jul 29 09:25:06 2023 GMT
1 s:C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = "Zscaler Intermediate Root CA (zscalerthree.net) (t) "
i:C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = Zscaler Intermediate Root CA (zscalerthree.net), emailAddress = support@zscaler.com
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Jul 15 09:25:06 2023 GMT; NotAfter: Jul 29 09:25:06 2023 GMT
2 s:C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = Zscaler Intermediate Root CA (zscalerthree.net), emailAddress = support@zscaler.com
i:C = US, ST = California, L = San Jose, O = Zscaler Inc., OU = Zscaler Inc., CN = Zscaler Root CA, emailAddress = support@zscaler.com
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Jun 5 05:32:44 2020 GMT; NotAfter: Jun 23 05:32:44 2041 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIE0jCCA7qgAwIBAgIQbb7//wHIvH+E0erm7PFd5zANBgkqhkiG9w0BAQsFADCB
jzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFTATBgNVBAoMDFpz
Y2FsZXIgSW5jLjEVMBMGA1UECwwMWnNjYWxlciBJbmMuMT0wOwYDVQQDDDRac2Nh
bGVyIEludGVybWVkaWF0ZSBSb290IENBICh6c2NhbGVydGhyZWUubmV0KSAodCkg
MB4XDTIzMDcxNTA5MjUwNloXDTIzMDcyOTA5MjUwNlowbTELMAkGA1UEBhMCVVMx
FzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMRAwDgYDVQQHEwdSYWxlaWdoMRYwFAYD
VQQKEw1SZWQgSGF0LCBJbmMuMRswGQYDVQQDExJyZWdpc3RyeS5yZWRoYXQuaW8w
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6tc6RnE3qF7dWVFhgB/1Z
Az2CBYpF1ZF25Ju82TCqh/2A+JtTBmDVs+6y4wBCLqTS/bUK1OJlPrMadJoBc/yl
3L6O1dpit3hZmLOH3LMmmozF5NCsnRJrbPFuaIpKd473fe8Z0fCyO3JVTiLsJpol
Xe2+YMYiF3Hol09DVYJQ/pfk1jr1mMYTLa2hr2l6qwHk7O7Wcq1QUgAZxoneRcrB
S4IADRLO96UM7nM6rfF/dtBL8MWFVyK2BkyvZGALvXwk5P/MO3XGoU1rfrFxuXwu
sWBPidBnD4n+mJLVyC0e6hZn80edogOdHEjhGA9R08UKrnlv37Z+ri2poQFS1L9j
AgMBAAGjggFJMIIBRTCBvwYDVR0RBIG3MIG0ghJyZWdpc3RyeS5yZWRoYXQuaW+C
E3JlZ2lzdHJ5Ni5yZWRoYXQuaW+CHHJlZ2lzdHJ5Ni5jb25uZWN0LnJlZGhhdC5j
b22CG3JlZ2lzdHJ5Ni5hY2Nlc3MucmVkaGF0LmNvbYIbcmVnaXN0cnkuY29ubmVj
dC5yZWRoYXQuY29tghpyZWdpc3RyeS5hY2Nlc3MucmVkaGF0LmNvbYIVYWNjZXNz
LmNkbi5yZWRoYXQuY29tMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEF
BQcDAQYIKwYBBQUHAwIwCQYDVR0TBAIwADBHBgNVHR8EQDA+MDygOqA4hjZodHRw
Oi8vZ2F0ZXdheS56c2NhbGVydGhyZWUubmV0L3pzY2FsZXItenNjcmwtLTQtMS5j
cmwwDQYJKoZIhvcNAQELBQADggEBAHjHYL/F4WwkCWTzDgbvV8egx4WSauEU3gyF
pz++BXDsKYhGTWYz9qk/VowLFmpo9dc6lI9WvT6RmdOvinqRmZSif4rLs/016YEc
NevjDqTcKMExBJ0KUMYSzAqxPvdCqMLBeT1hzvtIYXGDTB34wKxUiUoRZhb/dit/
Us3fWpOFK/KC3kV9Fhgo2WyDhe1zTeozE5rZo+gUckEdzLbwwstlKhD2eGD0/a2a
Fa/n4rpnRFx6PNC0bekTfK72RtHLB/+VSRejciXCqZ6d0GfxYt//lQFFxSDvYiIN
LLxl9EUh4jnG1PXPalBrsqjS2pFYvwSkk54KbkWpFsv838h9XFk=
-----END CERTIFICATE-----
subject=C = US, ST = North Carolina, L = Raleigh, O = "Red Hat, Inc.", CN = registry.redhat.io
issuer=C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = "Zscaler Intermediate Root CA (zscalerthree.net) (t) "
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 4133 bytes and written 757 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)
---
This looks like you are using proxy or behind VPN and the connection is using the proxy. To me the issuer is DigCert
and that is without proxy but for you it is CN = "Zscaler Intermediate Root CA (zscalerthree.net) (t) "
. May be you need to check with admin and set the proxy for crc also.
$ openssl s_client -connect registry.redhat.io:443 2>/dev/null </dev/null | grep -i issuer
issuer=C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
Something like https://help.zscaler.com/zia/choosing-ca-certificate-ssl-inspection is probably enabled on your network.
Thanks for the help, I will try to find the Zscaler proxy and add it in crc config and check if it works Regards Santosh
Maybe it's enough to follow these steps to add the required CA to your cluster once it's running https://docs.openshift.com/container-platform/4.10/security/certificates/updating-ca-bundle.html
@santoshnt1 did it fix for you after applying the proxy stuff? Can we close it?
Hi Praveen,
Yes after applying Christophe Fergeau solution it is working now . Thanks for your help. Best regards Santosh Kumar
General information
crc setup
before starting it (Yes/No)? - yesCRC version
CRC status
CRC config
Please consider posting the output of
crc start --log-level debug
on http://gist.github.com/ and post the link in the issue.