x509 certificate signed by unknown authority in openshift-install single node

[sergiomanzanero]

Hello, I am trying to install okd following the guide of cgruver

https://cgruver.github.io/okd4-single-node-cluster/

and when i run the following command it shows a certificate error (i have created it signed with letsNcrypt)

openshift-install --dir=${OKD4_SNC_PATH}/okd4-install-dir wait-for bootstrap-complete --log-level debug

x509 certificate signed by unknown authority

can you help me? I want to set up a laboratory with okd to improve as a technician

[rvanderp3]

@sergiomanzanero it sounds like the installer is communicating with a service serving a cert signed by another CA. Confirm that that API URL isn't serving an old certificate and that the API URL refers to the newly provisioned control plane and bootstrap node.

[sergiomanzanero]

Him @rvanderp3, If I access by browser, the ssl shown is the correct one from Let'sNcrypt. Can we force the installer to load the same ssl or check which one is loading? I have reviewed the log and I do not get valid information

[rvanderp3]

OKD doesn't sign certs with Let's Encrypt, so that could be the issue. The API URL should be presenting a certificate signed by the OKD certificate signer. I'm not sure the installer recognizes an API cert signed by Let's Encrypt.

[sergiomanzanero]

I should not have explained myself, apologies. I don't want OKD to sign any certificate, but to accept the certificate issued by Let's Encrypt, I need one of these two options:
a) install okd single node in cloud with a certificate from Let's Encrypt.
b) install okd single node on cloud without certificate

I have seen many manuals, is it possible to do any of these actions? The server and the api will only be accessible from two specific ip's, controlled with a firewall located before the machine with okd

[rvanderp3]

OKD will inevitably be used to sign many of the certificates used by the platform. You can, however, update the public API certificate after install and that may be the easiest route. Another thing you might try is adding the Let's Encrypt CA bundle to the additionalTrustBundle in the install-config.yaml. I believe, by default, the installer is using the CA chain it creates to validate the authenticity of the API certificate and additionalTrustBundle may allow you to add the Let's Encrypt cert chain. Also, are you putting a load balancer in front of the bootstrap and control plane nodes?

[sergiomanzanero]

No, I am performing the default installation as indicated in the manual write by cgruver, without complicating it, since it is the first UPI I am performing, and it is better not to experiment.

Could I install without ssl and activate it later?

[rvanderp3]

No, you can't install a cluster with a non-TLS API, it will always use TLS. You can, however, install with the default certificates and install the API certificate of choice after installation though.

[sergiomanzanero]

I missed something in the installation. When I run

openshift-install --dir=${OKD4_SNC_PATH}/okd4-install-dir wait-for bootstrap-complete --log-level debug

without installing the certificate, the console tells me it is an HTTP request and redirects to HTTPS. If I install the certificate, I get error x509.

Do you have another guide or someone made a script to install okd in single node mode?

We are talking about something basic in the installation fails, if I do not get to deploy the initial cluster.

[sergiomanzanero]

I also want to comment, that the initial script, or the repo, has errors, which makes it difficult to follow the steps

++ cat /root/okd4-snc/work-dir/ignition/bootstrap.yml
++ /root/okd4-snc/work-dir/fcct -d /root/okd4-snc/okd4-install-dir/ -o /root/okd4-snc/work-dir/ignition/bootstrap.ign
error in $.ignition.config.merge.0.local, line 6 col 16: open /root/okd4-snc/okd4-install-dir/.ign: no such file or directory
Error translating config: source config is invalid
++ cat /root/okd4-snc/work-dir/ignition/master.yml
++ /root/okd4-snc/work-dir/fcct -d /root/okd4-snc/okd4-install-dir/ -o /root/okd4-snc/work-dir/ignition/master.ign
cat: /root/okd4-snc/work-dir/ignition/master.yml: No such file or directory
Error translating config: Error parsing variant. Variant must be specified
++ cp -r '/root/okd4-snc/work-dir/ignition/.ign' /usr/share/nginx/html/install/fcos/ignition/
cp: cannot stat '/root/okd4-snc/work-dir/ignition/.ign': No such file or directory

If anyone has any ideas, I'd appreciate it, otherwise, I'm discarding the project as of today.

[melledouwsma]

Please note the referenced guide is a bit dated. It uses OKD 4.7 for example, where 4.13 is the current release. You can look at #1658 for more current pointers on creating a single node cluster.

As for certificates from LetsEncrypt, I would just install a new cluster with the default cluster-signed certificates and then follow Replacing the default ingress certificate and Adding API server certificates to replace the default certificates with the ones from LetsEncrypt.

[sergiomanzanero]

Hello @melledouwsma,

I understand you perfectly. I saw those posts yesterday too. However, the problem is in the DeployOkdSnc script, not in the OKD version, so the example is the one that is wrong. I have changed the updated version, and the same problem is generated, so it is not okd itself, it is another one.

Thanks for the attempt to help

[sergiomanzanero]

Thanks 4 all

[n00bsi]

@sergiomanzanero

Hi, could you explain how you fixed it ?