okd-project / okd

The self-managing, auto-upgrading, Kubernetes distribution for everyone
https://okd.io
Apache License 2.0

[bare-metal okd 4.4] ignition[483]: Get Error: x509: certificate signed by unknown authority #165

Closed kcns008 closed 4 years ago

kcns008 commented 4 years ago

I followed the above article (https://medium.com/@craig_robinson/openshift-4-4-okd-bare-metal-install-on-vmware-home-lab-6841ce2d37eb) and while booting, the master and worker are getting the following cert error. I can see a solution at https://access.redhat.com/solutions/4271572, but where do I generate the correct cert???

vrutkovs commented 4 years ago

Please fill in the template when creating a new bug - version, log bundle (if available), machine boot logs etc.

kcns008 commented 4 years ago

Thanks, @vrutkovs for a response.

Describe the bug

Getting the below error while adding the master and worker:

ignition[483]: Get Error: x509: certificate signed by unknown authority

I was able to add the bootstrap node with FCOS without any issue, and when trying the master and worker I get the above error.

Version

4.4.0-0.okd-2020-04-21-163702-beta4

How reproducible

Using CentOS with HAProxy as the load balancer, and trying to create a cluster with bootstrap, master and worker nodes on FCOS:

https://medium.com/@craig_robinson/openshift-4-4-okd-bare-metal-install-on-vmware-home-lab-6841ce2d37eb

kcns008 commented 4 years ago

@vrutkovs I changed the mode from TCP to HTTP in the HAProxy router and now I'm getting

server gave http response to https client

https://imgur.com/a/7wVom4q

giatule commented 4 years ago

Hi, please try to regenerate the ignition files and delete the VM HDD, then restart the process from the bootstrap again. I had the same issue as you. I tried one by one so many times; now it has passed the issue.

vrutkovs commented 4 years ago

No log bundle provided

RyuunoAelia commented 4 years ago

I happen to have the same issue, and found out some interesting things while debugging. (I cannot give a "log bundle" since "nothing is starting"; I only have a single lone bootstrap node.)

During my debugging I found out that the ignition configuration generated by the installer for masters and workers contains a certificate authority with Subject: OU = openshift, CN = root-ca.


But this CA does NOT appear in the certificate chain of machineapi or kubeapi on the bootstrap node:

openssl s_client -showcerts -connect api-int.okd.nextswiss.cloud:22623
CONNECTED(00000004)
depth=1 OU = openshift, CN = kube-apiserver-lb-signer
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=1 OU = openshift, CN = kube-apiserver-lb-signer
verify return:1
depth=0 O = kube-master, CN = system:kube-apiserver
verify return:1
---
Certificate chain
 0 s:O = kube-master, CN = system:kube-apiserver
   i:OU = openshift, CN = kube-apiserver-lb-signer
 1 s:OU = openshift, CN = kube-apiserver-lb-signer
   i:OU = openshift, CN = kube-apiserver-lb-signer
---
Server certificate
subject=O = kube-master, CN = system:kube-apiserver

issuer=OU = openshift, CN = kube-apiserver-lb-signer

---
Acceptable client certificate CA names
OU = openshift, CN = admin-kubeconfig-signer
OU = openshift, CN = kubelet-signer
OU = openshift, CN = kube-control-plane-signer
OU = openshift, CN = kube-apiserver-to-kubelet-signer
OU = openshift, CN = kubelet-bootstrap-kubeconfig-signer
OU = openshift, CN = aggregator-signer
Requested Signature Algorithms: RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA384:ECDSA+SHA512:RSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA384:ECDSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2726 bytes and written 429 bytes
Verification error: self signed certificate in certificate chain
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 19 (self signed certificate in certificate chain)
---

Thus I would say it is expected that ignition cannot validate the certificate of machineapi. Maybe I can extract some logs from the bootstrap node.

RyuunoAelia commented 4 years ago

... Ok it took me a while and re-reading my post here to realize the machineapi load-balancer frontend was pointing to the kubeapi backend...
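To make that root cause concrete, here is an added example (not code from this thread, OKD or Ignition) written in Go, the language Ignition itself is written in, so the failing check yields the very "x509: certificate signed by unknown authority" text the nodes logged. It mints constructed CAs that only borrow the names seen above (root-ca, kube-apiserver-lb-signer) and uses api-int.example.test as a stand-in for the cluster's api-int record. A leaf issued by root-ca, the CA embedded in the master/worker pointer ignition, verifies; a leaf issued by kube-apiserver-lb-signer, which is what a 22623 frontend pointed at the 6443 backend hands out, does not.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mintCert mints a constructed test cert for cn (self-signed when parent is nil); only the names imitate the installer's CAs.
func mintCert(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), IsCA: parent == nil, BasicConstraintsValid: true,
		Subject:      pkix.Name{OrganizationalUnit: []string{"openshift"}, CommonName: cn}, DNSNames: []string{"api-int.example.test"},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verifyAgainstPinned does what ignition does with the CA embedded in the pointer config: the served leaf must
// chain to it, or Verify fails with x509.UnknownAuthorityError ("x509: certificate signed by unknown authority").
func verifyAgainstPinned(pinnedCA, served *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(pinnedCA)
	_, err := served.Verify(x509.VerifyOptions{Roots: pool, DNSName: "api-int.example.test"})
	return err
}

// demo replays the issue: a leaf issued by root-ca verifies; a kube-apiserver leaf (what a 22623 frontend pointed at 6443 serves) does not.
func demo() (mcsErr, apiErr error) {
	rootCA, rootKey := mintCert("root-ca", nil, nil)
	lbSigner, lbKey := mintCert("kube-apiserver-lb-signer", nil, nil)
	mcsLeaf, _ := mintCert("machine-config-server", rootCA, rootKey)
	apiLeaf, _ := mintCert("system:kube-apiserver", lbSigner, lbKey)
	return verifyAgainstPinned(rootCA, mcsLeaf), verifyAgainstPinned(rootCA, apiLeaf)
}

func main() {
	mcsErr, apiErr := demo()
	fmt.Println("config-server leaf:", mcsErr, "| kube-apiserver leaf:", apiErr)
}
```

Against real output like the s_client capture above, the same check is: the issuer of certificate 0 on port 22623 must be the root-ca subject that the pointer ignition embeds, not kube-apiserver-lb-signer.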

eduardolucioac commented 1 year ago

If you want to do a bare metal (UPI) installation of OKD 4.X, take a look here: https://github.com/eduardolucioac/okd_bare_metal 🤗