openshift-install create cluster | Master Node Error Message: get .../config/master tls: failed to verify certificate: x509 | proxy issue ? #8304

Open
n00bsi opened this issue Apr 23, 2024 · 2 comments


n00bsi commented Apr 23, 2024

Version

4.15.8

$ openshift-install version
built from commit f4f5d0ee0f7591fd9ddf03ac337c804608102919
release image quay.io/openshift-release-dev/ocp-release@sha256:5c82cea5931996af509231c7a5a1611bcfd927dca4e362e6443d1f8a77a517c2
release architecture amd64

Platform: vSphere

What happened?

Tried to install an OpenShift cluster on vSphere 7.
The VMs are created but write an error message on the console of the master nodes.

The VMs are behind an HTTP proxy.

Screenshot from 2024-04-23 09-11-35

Bootstrap node shows:

Screenshot from 2024-04-23 10-07-42

$ curl -kv https://quay.io/openshift-release-dev/ocp-release@sha256:aba54b293dc151f5c0fd96d4353ced6ced3e7da6620c1c10714ab32d0577486f
* Could not resolve host: quay.io
* Closing connection 0
curl: (6) Could not resolve host: quay.io



When I add the proxy parameter manually, curl downloads.

When I open the URL I get the config file,
but I have to accept the unknown SSL cert.

See the troubleshooting documentation for ideas about what information to collect.
For example, if the installer fails to create resources, attach the relevant portions of your .openshift_install.log.

openshift_install.log

What you expected to happen?

That the installer runs well
and the cluster comes up.

How to reproduce it (as minimally and precisely as possible)?

wget --no-check-certificate vCenter.yourdomain.tld/certs/download.zip

unzip download.zip

su - root

cp certs/lin/* /etc/pki/ca-trust/source/anchors

update-ca-trust extract


export no_proxy=.ourdomain.tld
export https_proxy=http://username:password@proxy.ourdomain.tld:3128

./openshift-install create cluster

[osadmin@osdemo ~]$ ./openshift-install create cluster
? SSH Public Key /home/osadmin/.ssh/id_rsa.pub
? Platform vsphere
? vCenter vc01.ourdomain.tld
? Username username
? Password [? for help] **************
INFO Connecting to vCenter  vc01.ourdomain.tld   
? Datacenter Datacenter
? Cluster /Datacenter/host/Cluster7
? Default Datastore /Datacenter/datastore/a300_lun45
? Network VLAN_0
? Virtual IP Address for API     192.168.1.227 ( api.osctest.ourdomain.tld )
? Virtual IP Address for Ingress 192.168.1.228  ( console-openshift-console.apps.osctest.ourdomain.tld )   
? Base Domain ourdomain.tld
? Cluster Name osctest
? Pull Secret [? for help] *****************************************************************************************************************************************



NFO Creating infrastructure resources...         
INFO Waiting up to 20m0s (until 5:21AM EDT) for the Kubernetes API at https://api.osctest.ourdomain.tld:6443... 
WARNING Failed to extract host addresses: could not extract IP with bootstrap MOID:  
INFO Skipping VM console logs gather: no gather methods registered for "vsphere" 
INFO Pulling debug logs from the bootstrap machine 
WARNING Unable to stat /home/osadmin/serial-log-bundle-20240423052123.tar.gz, skipping 
ERROR Attempted to gather ClusterOperator status after installation failure: listing ClusterOperator objects: Get "https://api.osctest.ourdomain.tld:6443/apis/config.openshift.io/v1/clusteroperators": tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kube-apiserver-lb-signer") 
ERROR Bootstrap failed to complete: Get "https://api.osctest.ourdomain.tld:6443/version": tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kube-apiserver-lb-signer") 
ERROR Failed waiting for Kubernetes API. This error usually happens when there is a problem on the bootstrap host that prevents creating a temporary control plane. 
ERROR The bootstrap machine failed to download the release image 
INFO Pull failed. Retrying quay.io/openshift-release-dev/ocp-release@sha256:5c82cea5931996af509231c7a5a1611bcfd927dca4e362e6443d1f8a77a517c2... 
INFO Error: initializing source docker://quay.io/openshift-release-dev/ocp-release@sha256:5c82cea5931996af509231c7a5a1611bcfd927dca4e362e6443d1f8a77a517c2: pinging container registry quay.io: Get "https://quay.io/v2/": dial tcp: lookup quay.io on 192.168.21.32:53: no such host 
INFO 2024-04-23 09:21:24.081569673 +0000 UTC m=+0.018239684 image pull  quay.io/openshift-release-dev/ocp-release@sha256:5c82cea5931996af509231c7a5a1611bcfd927dca4e362e6443d1f8a77a517c2 
INFO Bootstrap gather logs captured here "/home/osadmin/log-bundle-20240423052123.tar.gz" 



How to set up CIDR and CNI Hostnames, NTP, ..... ?

n00bsi changed the title from "openshift-install create cluster | Master Node Error Message: get .../config/master tls: failed to verify certificate: x509" to "openshift-install create cluster | Master Node Error Message: get .../config/master tls: failed to verify certificate: x509 | proxy issue ?" on Apr 23, 2024

n00bsi commented Apr 24, 2024

Found a solution for proxy:

platform:
  ...
  ...
proxy:
  httpsProxy: http://username:password@proxy.ourdomain.tld:3128
  httpProxy: http://username:password@proxy.ourdomain.tld:3128
  noProxy: .ourdomain.tld,10.199.0.0/20,10.199.16.0/24


n00bsi commented Apr 24, 2024

but the verify error is still there

W0424 01:39:49.282000   26286 reflector.go:535] k8s.io/client-go/tools/watch/informerwatcher.go:146: failed to list *v1.ConfigMap: Get "https://api.osctest.ourdomain.tld:6443/api/v1/namespaces/kube-system/configmaps?fieldSelector=metadata.name%3Dbootstrap&resourceVersion=3229": tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kube-apiserver-lb-signer")
E0424 01:39:49.282124   26286 reflector.go:147] k8s.io/client-go/tools/watch/informerwatcher.go:146: Failed to watch *v1.ConfigMap: failed to list *v1.ConfigMap: Get "https://api.osctest.ourdomain.tld:6443/api/v1/namespaces/kube-system/configmaps?fieldSelector=metadata.name%3Dbootstrap&resourceVersion=3229": tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kube-apiserver-lb-signer")
W0424 01:40:40.034563   26286 reflector.go:535] k8s.io/client-go/tools/watch/informerwatcher.go:146: failed to list *v1.ConfigMap: Get "https://api.osctest.ourdomain.tld:6443/api/v1/namespaces/kube-system/configmaps?fieldSelector=metadata.name%3Dbootstrap&resourceVersion=3229": dial tcp 192.168.1.227:6443: connect: connection refused
E0424 01:40:40.034672   26286 reflector.go:147] k8s.io/client-go/tools/watch/informerwatcher.go:146: Failed to watch *v1.ConfigMap: failed to list *v1.ConfigMap: Get "https://api.osctest.ourdomain.tld:6443/api/v1/namespaces/kube-system/configmaps?fieldSelector=metadata.name%3Dbootstrap&resourceVersion=3229": dial tcp 192.168.1.227:6443: connect: connection refused
