Closed kcns008 closed 4 years ago
Please fill in the template when creating a new bug - version, log bundle (if available), machine boot logs etc.
Thanks, @vrutkovs for a response.
Describe the bug
Getting the below error while adding master and worker nodes:
ignition[483]: Get Error: x509: certificate signed by unknown authority
I was able to add the bootstrap node with FCOS without any issue, and when trying master and worker I am getting the above error.
Version
4.4.0-0.okd-2020-04-21-163702-beta4
How reproducible
Use CentOS with HAProxy as the load balancer, and try to create a cluster with bootstrap, master and worker nodes on FCOS.
@vrutkovs I changed the mode from TCP to HTTP in the HAProxy router and now I am getting
server gave http response to https client
Hi guys, please try to regenerate the ignition file and delete the VM HDD, then restart the process from the bootstrap again. I got the same issue as you. I tried one by one so many times; now it has passed the issue.
No log bundle provided
I happen to have the same issue, and found out some interesting things while debugging. (I cannot give a "log bundle" since "nothing is starting"; I only have a single lone bootstrap node.)
During my debugging I found out that the ignition configuration generated by the installer for masters and workers contains a certificate authority with Subject: OU = openshift, CN = root-ca
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
But this CA does NOT appear in the certificate chain of machineapi or kubeapi on the bootstrap node:
openssl s_client -showcerts -connect api-int.okd.nextswiss.cloud:22623
CONNECTED(00000004)
depth=1 OU = openshift, CN = kube-apiserver-lb-signer
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=1 OU = openshift, CN = kube-apiserver-lb-signer
verify return:1
depth=0 O = kube-master, CN = system:kube-apiserver
verify return:1
---
Certificate chain
0 s:O = kube-master, CN = system:kube-apiserver
i:OU = openshift, CN = kube-apiserver-lb-signer
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
1 s:OU = openshift, CN = kube-apiserver-lb-signer
i:OU = openshift, CN = kube-apiserver-lb-signer
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
---
Server certificate
subject=O = kube-master, CN = system:kube-apiserver
issuer=OU = openshift, CN = kube-apiserver-lb-signer
---
Acceptable client certificate CA names
OU = openshift, CN = admin-kubeconfig-signer
OU = openshift, CN = kubelet-signer
OU = openshift, CN = kube-control-plane-signer
OU = openshift, CN = kube-apiserver-to-kubelet-signer
OU = openshift, CN = kubelet-bootstrap-kubeconfig-signer
OU = openshift, CN = aggregator-signer
Requested Signature Algorithms: RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA384:ECDSA+SHA512:RSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA384:ECDSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2726 bytes and written 429 bytes
Verification error: self signed certificate in certificate chain
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 19 (self signed certificate in certificate chain)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 7F44E66640D8ADBCE92800D9EE77A617401581074EEEF97AD65547DD16CF7111
Session-ID-ctx:
Resumption PSK: 9110C31B3C1E556BCA9534814808484E7BD987F79243D241633A44FE74137C92BB52DF465D438413212EC953C36EA1D5
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 604800 (seconds)
TLS session ticket:
0000 - 54 e6 01 ca 8f f6 fa 5d-d9 e9 d0 ab b2 97 99 cb T......]........
0010 - 16 15 98 16 5e 28 1a da-a9 8a 0d 17 5b 7e ed 36 ....^(......[~.6
0020 - 6c 84 9e f4 6e 39 7f 34-02 0b 4b ae 70 7e ad 6e l...n9.4..K.p~.n
0030 - 26 f8 85 f9 ce df ae 9b-c4 a9 46 75 90 18 7a 6a &.........Fu..zj
0040 - 8d 72 b4 d2 be 54 29 76-6b 15 bd 04 14 fa 63 e4 .r...T)vk.....c.
0050 - a8 6b ba d7 6a db 5c ab-10 3e 32 5f d7 e3 6d 4c .k..j.\..>2_..mL
0060 - a5 3a 74 a3 87 99 c2 c8-be 6d 88 9e 91 82 2a 76 .:t......m....*v
0070 - b4 cd c4 7b 67 6f 5b a3-1a b4 b6 c2 bb 2a a8 c5 ...{go[......*..
0080 - b8 .
Start Time: 1592150149
Timeout : 7200 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
Extended master secret: no
Max Early Data: 0
---
Thus I would say it is expected that ignition cannot validate the certificate of machineapi. Maybe I can extract some logs from the bootstrap node.
... Ok it took me a while and re-reading my post here to realize the machineapi load-balancer frontend was pointing to the kubeapi backend...
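The check the two comments above perform by hand with openssl s_client, written out as a small Go program. This is an added example, not code from the issue, from OKD or from Ignition: it mints throwaway certificates in-process (a root-ca that signs a Machine Config Server certificate, and a separate kube-apiserver-lb-signer that signs the kube-apiserver certificate), embeds the root-ca in a sample Ignition config the way the installer does, and then verifies each presented chain against that CA. The host name api-int.example.test, the Ignition spec version and the certificate names other than those quoted in the thread are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Constructed host name; the cluster in the thread used api-int.<cluster-domain>.
const sampleHost = "api-int.example.test"

// newCert mints a test cert (OU=openshift, CN=cn) plus its key; nil parentCert means self-signed.
func newCert(cn string, isCA bool, parentCert *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // fixture code only
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{OrganizationalUnit: []string{"openshift"}, CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		DNSNames:              []string{sampleHost},
	}
	if parentCert == nil {
		parentCert, parentKey = tmpl, key // self-sign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above, so it parses
	return cert, key
}

// ignitionWithCA embeds caPEM the way the installer does: as a base64 data URL under
// ignition.security.tls.certificateAuthorities (sample config, not a real install's).
func ignitionWithCA(caPEM []byte) string {
	return `{"ignition":{"version":"3.1.0","security":{"tls":{"certificateAuthorities":[{"source":"data:text/plain;charset=utf-8;base64,` +
		base64.StdEncoding.EncodeToString(caPEM) + `"}]}}}}`
}

// caPoolFromIgnition pulls the embedded CAs out of an Ignition config into a cert pool.
func caPoolFromIgnition(ignJSON string) (*x509.CertPool, error) {
	var cfg struct {
		Ignition struct {
			Security struct {
				TLS struct {
					CAs []struct{ Source string } `json:"certificateAuthorities"`
				} `json:"tls"`
			} `json:"security"`
		} `json:"ignition"`
	}
	if err := json.Unmarshal([]byte(ignJSON), &cfg); err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	for _, ca := range cfg.Ignition.Security.TLS.CAs {
		_, payload, ok := strings.Cut(ca.Source, ";base64,") // data:<media-type>;base64,<payload>
		raw, err := base64.StdEncoding.DecodeString(payload)
		if !ok || !strings.HasPrefix(ca.Source, "data:") || err != nil || !pool.AppendCertsFromPEM(raw) {
			return nil, fmt.Errorf("CA source is not a base64 PEM data URL: %.40q", ca.Source)
		}
	}
	return pool, nil
}

// verifyPresented checks a chain as the server presents it (leaf first, as s_client lists
// it) against the CAs Ignition trusts: the same decision Ignition makes on first boot.
func verifyPresented(pool *x509.CertPool, chain []*x509.Certificate) error {
	opts := x509.VerifyOptions{Roots: pool, DNSName: sampleHost, Intermediates: x509.NewCertPool()}
	for _, c := range chain[1:] {
		opts.Intermediates.AddCert(c)
	}
	_, err := chain[0].Verify(opts)
	return err
}

// checkRouting rebuilds the thread's situation: Ignition trusts root-ca, the Machine Config
// Server chain ends in root-ca, but the kube-apiserver chain ends in kube-apiserver-lb-signer.
// Which chain a booting node sees on :22623 depends on which HAProxy backend answers.
func checkRouting() (mcsErr, apiErr error) {
	rootCA, rootKey := newCert("root-ca", true, nil, nil)
	mcs, _ := newCert("machine-config-server", false, rootCA, rootKey)
	lbSigner, lbKey := newCert("kube-apiserver-lb-signer", true, nil, nil)
	apiServer, _ := newCert("system:kube-apiserver", false, lbSigner, lbKey)
	pool, err := caPoolFromIgnition(ignitionWithCA(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: rootCA.Raw})))
	if err != nil {
		panic(err) // our own sample config above; cannot happen
	}
	return verifyPresented(pool, []*x509.Certificate{mcs, rootCA}),
		verifyPresented(pool, []*x509.Certificate{apiServer, lbSigner})
}

// isUnknownAuthority reports whether err is the failure Ignition logged in this thread.
func isUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

func main() {
	mcsErr, apiErr := checkRouting()
	fmt.Println("22623 -> Machine Config Server backend:", mcsErr) // <nil>
	fmt.Println("22623 -> kube-apiserver backend:", apiErr)        // x509: certificate signed by unknown authority
}
```

The Machine Config Server chain verifies; the kube-apiserver chain fails with Go's x509.UnknownAuthorityError, whose message is the `x509: certificate signed by unknown authority` line quoted in the bug report (Ignition is written in Go and uses the same verifier). Against a live cluster the chain argument would be what `openssl s_client -showcerts -connect api-int.<domain>:22623` prints and the config argument the master.ign the installer wrote; a failure here with a chain that ends in kube-apiserver-lb-signer means the load balancer's 22623 frontend is reaching the kube-apiserver backend instead of the Machine Config Server, which is what the comment above found.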
If you want to do a bare metal (UPI) installation of OKD 4.X take a look here: https://github.com/eduardolucioac/okd_bare_metal 🤗
I followed the above article (https://medium.com/@craig_robinson/openshift-4-4-okd-bare-metal-install-on-vmware-home-lab-6841ce2d37eb) and while booting, master and worker are getting the following cert error. I can see a solution at https://access.redhat.com/solutions/4271572, but where do I generate the correct cert???