openshift/openshift-ansible

openshift-ansible install on openstack-ansible stack: cannot validate certificate because it doesn't contain any IP SANs

cake99 opened this issue · 8 comments

Description

I have installed an OpenStack cloud with the help of openstack-ansible. Everything is running like it should.
The install creates a self-signed certificate, using the external IP as IP SANs.
While trying to install OpenShift with openshift-ansible, the installer complains about the lack of SANs in the certificate.
I don't know how to get past that error.

Version

ansible 2.10.5
  config file = None
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /openstack/venv/lib64/python3.6/site-packages/ansible
  executable location = /openstack/venv/bin/ansible
  python version = 3.6.8 (default, Aug 24 2020, 17:57:11) [GCC 8.3.1 20191121 (Red Hat 8.3.1-5)]

If you're operating from a git clone:

  • unreleased-master-4119-g8a70e974b

Steps To Reproduce

  1. configure the initial dir with the openstack config and auth (successful)
  2. running with a configured config file (bin/openshift-install --dir=initial create cluster)

Expected Results

Should continue with the install.
(venv) (venv) [root@osmgmt openshift-installer]# bin/openshift-install --dir=initial create cluster
INFO Creating infrastructure resources...
ERROR
ERROR Error: Unable to query images: Get "https://[external IP]:9292/v2/images?name=oc1-4kxjd-rhcos&sort_dir=asc&sort_key=name&status=active": OpenStack connection error, retries exhausted. Aborting. Last error was: x509: cannot validate certificate for [external IP] because it doesn't contain any IP SANs
ERROR
ERROR on ../../tmp/openshift-install-036080045/main.tf line 87, in data "openstack_images_image_v2" "base_image":
ERROR 87: data "openstack_images_image_v2" "base_image" {
ERROR
ERROR
ERROR
ERROR Error: Unable to query OpenStack flavors: Get "https://[external IP]:8774/v2.1/flavors/detail?is_public=None": OpenStack connection error, retries exhausted. Aborting. Last error was: x509: cannot validate certificate for [external IP] because it doesn't contain any IP SANs
...
ERROR Failed to read tfstate: open /tmp/openshift-install-036080045/terraform.tfstate: no such file or directory
FATAL failed to fetch Cluster: failed to generate asset "Cluster": failed to create cluster: failed to apply Terraform: failed to complete the change

Observed Results

The command returns that it doesn't see the list of SANs, but the certificate clearly shows the SANs configured:

---
Server certificate
subject=C = US, ST = Texas, L = San Antonio, O = IT, CN = [external IP], subjectAltName = IP.1=[external IP]

issuer=C = US, ST = Texas, L = San Antonio, O = IT, CN = [external IP], subjectAltName = IP.1=[external IP]

Additional Information
  • Management machine (running openshift-ansible): centos 8
  • Openstack servers: Ubuntu 20.04.1 LTS

clouds.yaml:

clouds:
  shiftstack:
    cacert: "/etc/pki/ca-trust/source/anchors/ca-certificates.crt"
    auth:
      auth_url: http://[internal IP]:5000/v3
      project_name: shiftstack
      username: ***
      password: ***
      user_domain_name: Default
      project_domain_name: Default
    verify: false

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten
/remove-lifecycle stale

I still have the issue. Seems like I'm the only one installing openshift-ansible on top of openstack-ansible.

/remove-lifecycle rotten

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Exclude this issue from closing again by commenting /lifecycle frozen.

/close

@openshift-bot: Closing this issue.
