[Bug 1136246] New: Invalid certificate with Admin node. build 20190521
http://bugzilla.suse.com/show_bug.cgi?id=1136246

Bug ID: 1136246
Summary: Invalid certificate with Admin node. build 20190521
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Kubic
Assignee: kubic-bugs@opensuse.org
Reporter: jason.evans@suse.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Issue: Unable to initialize certificates or kubicctl

admin:~ # kubicctl certificates initialize
Error invoking certstrap: exit status 1
CA with specified name "Kubic-Control-CA" already exists!
Error creating CA: exit status 1
admin:~ # kubicctl init --pod-network cilium
Initializing kubernetes master can take several minutes, please be patient.
Could not initialize: rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: connection error: desc = "transport: authentication handshake failed: x509: certificate has expired or is not yet valid"

--
You are receiving this mail because:
You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1136246#c1
--- Comment #1 from Jason Evans
http://bugzilla.suse.com/show_bug.cgi?id=1136246#c2
Thorsten Kukuk
http://bugzilla.suse.com/show_bug.cgi?id=1136246#c3
Jason Evans
systemctl is-enabled kubicd-init
Is that enabled?
It is enabled but it failed.

linux-623w:~ # systemctl status kubicd-init
● kubicd-init.service - Create certificates for KubicD
   Loaded: loaded (/usr/lib/systemd/system/kubicd-init.service; enabled; vendor preset: disabled)
   Active: inactive (dead)
Condition: start condition failed at Sat 2019-06-01 10:41:20 UTC; 1h 14min ago

Jun 01 10:41:20 linux-623w systemd[1]: Condition check resulted in Create certificates for KubicD being skipped.
If you look at the timestamp of the certificates in /etc/kubicd/pki, does the time of the files look correct?
What is the validity timeframe if you run: openssl x509 -in /etc/kubicd/pki/Kubic-Control-CA.crt -text -noout
linux-623w:~ # openssl x509 -in /etc/kubicd/pki/Kubic-Control-CA.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Kubic-Control-CA
        Validity
            Not Before: Jun 1 10:31:42 2019 GMT
            Not After : Dec 1 10:31:42 2020 GMT
        Subject: CN = Kubic-Control-CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus: xxx
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Subject Key Identifier:
                1D:8C:D3:5C:B2:5C:11:9B:79:75:99:A9:BB:BA:59:5D:29:C6:FF:0A
    Signature Algorithm: sha256WithRSAEncryption
        xxx
I could only imagine that either the systemd service to create the certificates ran before the time was set correctly, ~/.config/kubicctl/user.* does not match /etc/kubicd/pki/admin.*, or something broke the files in /etc/kubicd/pki
http://bugzilla.suse.com/show_bug.cgi?id=1136246#c4
--- Comment #4 from Thorsten Kukuk
linux-623w:~ # openssl x509 -in /etc/kubicd/pki/Kubic-Control-CA.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Kubic-Control-CA
        Validity
            Not Before: Jun 1 10:31:42 2019 GMT
            Not After : Dec 1 10:31:42 2020 GMT
This looks like a new installation and not from the system where the error did occur? Do you still see the error even with the new certificate?
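Added example (not part of the bug report and not kubic-control code): a Go program showing how the clock alone decides whether a CA with the validity window printed above verifies, which is the first possibility raised in the thread. The certificate is constructed sample data, `newCA` and `verifyAt` are hypothetical names, and an Ed25519 key replaces the RSA 4096 key to keep generation fast.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA returns a constructed self-signed CA with the given validity window
// (sample data modelled on the openssl output, not the reporter's real file).
func newCA(nb, na time.Time) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Kubic-Control-CA"},
		NotBefore: nb, NotAfter: na,
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyAt verifies cert with itself as the only trust root, as seen by a
// host whose clock reads now. Only the clock changes between calls.
func verifyAt(cert *x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now})
	return err
}

func main() {
	nb := time.Date(2019, 6, 1, 10, 31, 42, 0, time.UTC)
	ca, err := newCA(nb, time.Date(2020, 12, 1, 10, 31, 42, 0, time.UTC))
	if err != nil {
		panic(err)
	}
	fmt.Println(verifyAt(ca, nb.Add(-time.Hour))) // clock one hour behind issuance
	fmt.Println(verifyAt(ca, nb.Add(time.Hour)))  // clock inside the window
}
```

Go reports both a clock before Not Before and a clock after Not After with the same "certificate has expired or is not yet valid" text, so the message by itself does not say which side of the window the checking host's clock is on.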
http://bugzilla.suse.com/show_bug.cgi?id=1136246#c5
--- Comment #5 from Swamp Workflow Management
http://bugzilla.suse.com/show_bug.cgi?id=1136246#c6
Thorsten Kukuk