redhat-cop / ocp4-helpernode

This playbook helps set up an "all-in-one" node, that has all the infrastructure/services in order to install OpenShift 4.

Build including private registry fails to mirror images with error "x509: certificate signed by unknown authority" #315

Open oaomer opened 5 months ago

oaomer commented 5 months ago

The `[Mirror the registry]` task failed with a certificate issue when running the `ansible-playbook -e vars.yaml tasks/main.yaml` playbook. The registry segment in the vars file is as follows:

```yaml
setup_registry:
  deploy: true
  autosync_registry: true
  registry_image: "docker.io/library/registry:2"
  local_repo: "ocp4/openshift4"
  product_repo: "openshift-release-dev"
  release_name: "ocp-release"
  release_tag: "4.14.9-ppc64le"
  registry_user: "admin"
  registry_password: "admin"
```

It fails with the following error:

```
TASK [Mirror the registry] ******************************************************************
fatal: [localhost]: FAILED! => {"changed": true, "cmd": "oc adm -a ~/.openshift/pull-secret-updated release mirror --from=quay.io/openshift-release-dev/ocp-release:4.14.9-ppc64le --to=registry.ocp.customer.domain:5000/ocp4/openshift4 --to-release-image=registry.ocp.customer.domain:5000/ocp4/openshift4:4.14.9-ppc64le", "delta": "0:00:00.703821", "end": "2024-01-29 11:02:34.732590", "msg": "non-zero return code", "rc": 1, "start": "2024-01-29 11:02:34.028769", "stderr": "Flag --print-mirror-instructions's value 'icsp' has been deprecated. Use 'idms' instead to allow the printing of instructions for ImageDigestSources and ImageDigestMirrorSet.\nerror: unable to retrieve release image info: unable to read image quay.io/openshift-release-dev/ocp-release:4.14.9-ppc64le: Get \"https://quay.io/v2/\": tls: failed to verify certificate: x509: certificate signed by unknown authority", "stderr_lines": ["Flag --print-mirror-instructions's value 'icsp' has been deprecated. Use 'idms' instead to allow the printing of instructions for ImageDigestSources and ImageDigestMirrorSet.", "error: unable to retrieve release image info: unable to read image quay.io/openshift-release-dev/ocp-release:4.14.9-ppc64le: Get \"https://quay.io/v2/\": tls: failed to verify certificate: x509: certificate signed by unknown authority"], "stdout": "", "stdout_lines": []}
```

Running the `oc adm release mirror` command on its own fails with the same error, even with the `--insecure` flag, and so does `curl -v https://quay.io/v2/`. The customer uses a proxy to bridge out, and the curl command shows it is seeing that proxy in both cases, pointing us to this URL for help, which was not really helpful: https://curl.se/docs/sslcerts.html

Troubleshooting pointed to this Red Hat URL: https://access.redhat.com/solutions/6968243, which suggested the following resolution:

> **Resolution**
> The following needs to be done on the host that `oc adm release mirror` is being run from:
> 1. The self-signed CA certificate for the registry must be put in the `/etc/pki/ca-trust/source/anchors/` folder.
> 2. The `update-ca-trust extract` command must then be run to have the host trust the new CA certificate.

But it was not clear how to obtain the certificate mentioned in step 1.

Any help would very much be appreciated.
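An added example, not from the issue or the ocp4-helpernode project, for working out which CA actually signs the certificate the host sees for quay.io when going through the proxy (the certificate step 1 of the quoted resolution asks for). The proxy address and the RHEL trust-store paths are assumed placeholders; `openssl s_client -proxy` needs OpenSSL 1.1.0 or later.

```shell
#!/bin/sh
# Added example (not from the issue or the ocp4-helpernode project): dump the chain
# quay.io presents when reached through the proxy, split it into one PEM per
# certificate, and report whether the top of that chain is already trusted.
# Assumptions: PROXY is a placeholder; ANCHORS_DIR and SYSTEM_BUNDLE are RHEL paths.
set -eu

PROXY="${https_proxy:-proxy.example.internal:3128}"   # placeholder proxy host:port
TARGET_HOST="quay.io"
ANCHORS_DIR="/etc/pki/ca-trust/source/anchors"        # from the quoted Red Hat solution
SYSTEM_BUNDLE="/etc/pki/tls/certs/ca-bundle.crt"      # RHEL system CA bundle

# Fetch the chain exactly as seen through the proxy (stdout of s_client -showcerts).
fetch_chain() {
    openssl s_client -showcerts -proxy "$PROXY" -connect "$TARGET_HOST:443" \
        -servername "$TARGET_HOST" </dev/null 2>/dev/null
}

# Split an s_client -showcerts dump ($1) into $2/cert-N.pem; prints the count.
# Lines outside BEGIN/END markers (s_client's own "s:/i:" notes) are dropped.
# The last file is the highest certificate the peer sent: with a TLS-intercepting
# proxy that is the proxy's CA, not quay.io's real issuer.
split_chain() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%d.pem", dir, n); inside = 1 }
        inside { print > f }
        /^-----END CERTIFICATE-----/  { inside = 0; close(f) }
        END { print n + 0 }' "$1"
}

# Does certificate $1 already verify against the system bundle?
is_trusted() {
    openssl verify -CAfile "$SYSTEM_BUNDLE" "$1" >/dev/null 2>&1
}

main() {
    work=$(mktemp -d)
    fetch_chain > "$work/chain.txt"
    count=$(split_chain "$work/chain.txt" "$work/certs")
    echo "certificates presented for $TARGET_HOST via $PROXY: $count"
    for c in "$work/certs"/cert-*.pem; do
        openssl x509 -in "$c" -noout -subject -issuer    # show who signed what
    done
    top="$work/certs/cert-$count.pem"
    if is_trusted "$top"; then
        echo "top certificate already chains to the system store; look elsewhere"
    else
        echo "untrusted issuer staged at $top; only if it is your organisation's proxy CA,"
        echo "copy it to $ANCHORS_DIR/ and run: update-ca-trust extract"
    fi
}

if [ "${1:-}" = "run" ]; then main; fi
```

Run it as `sh inspect-chain.sh run` on the helper node; the subject/issuer lines make it obvious whether the chain ends at a public CA or at the proxy's own CA.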