Cert-manager failed to connect with stepca issuer on an IPv6 system

Bug #1876337 reported by ayyappa
Affects: StarlingX | Status: Invalid | Importance: Medium | Assigned to: Greg Waines

Bug Description

Brief Description
-----------------
Cert-manager failed to connect with stepca issuer on an IPv6 system

Severity
--------
Major

Steps to Reproduce
------------------
1) On an IPv6 system, create the following stepca issuer with "kubectl create -f stepca-issuer.yaml"

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
 name: stepca-issuer
 namespace: cert-manager
spec:
 acme:
   server: https://acmeca.cumulus.wrs.com:8080/acme/acme/directory
   skipTLSVerify: true
   email: <email address hidden>
   privateKeySecretRef:
     name: stepca-issuer
   solvers:
   - http01:
       ingress:
         class: nginx

2) cert-manager fails to resolve the domain name of stepca to IPv6; instead it resolves to IPv4, which is network unreachable

[sysadmin@controller-0 ~(keystone_admin)]$ kubectl describe clusterissuers.cert-manager.io
Name: stepca-issuer
Namespace:
Labels: <none>
Annotations: <none>
API Version: cert-manager.io/v1alpha3
Kind: ClusterIssuer
Metadata:
  Creation Timestamp: 2020-05-01T14:08:30Z
  Generation: 1
  Managed Fields:
    API Version: cert-manager.io/v1alpha2
    Fields Type: FieldsV1
    fieldsV1:
      f:spec:
        .:
        f:acme:
          .:
          f:email:
          f:privateKeySecretRef:
            .:
            f:name:
          f:server:
          f:skipTLSVerify:
          f:solvers:
    Manager: kubectl
    Operation: Update
    Time: 2020-05-01T14:08:30Z
    API Version: cert-manager.io/v1alpha2
    Fields Type: FieldsV1
    fieldsV1:
      f:status:
        .:
        f:acme:
        f:conditions:
    Manager: controller
    Operation: Update
    Time: 2020-05-01T15:43:41Z
  Resource Version: 285266
  Self Link: /apis/cert-manager.io/v1alpha3/clusterissuers/stepca-issuer
  UID: bc0d12e8-0f94-48be-9273-4cc495f3b27d
Spec:
  Acme:
    Email: <email address hidden>
    Private Key Secret Ref:
      Name: stepca-issuer
    Server: https://acmeca.cumulus.wrs.com:8080/acme/acme/directory
    Skip TLS Verify: true
    Solvers:
      http01:
        Ingress:
          Class: nginx
Status:
  Acme:
  Conditions:
    Last Transition Time: 2020-05-01T14:08:30Z
    Message: Failed to verify ACME account: Post "https://128.224.196.78:8080/acme/acme/new-account": dial tcp 128.224.196.78:8080: connect: network is unreachable
    Reason: ErrRegisterACMEAccount
    Status: False
    Type: Ready
Events:
  Type Reason Age From Message
  ---- ------ ---- ---- -------
  Warning ErrInitIssuer 81m (x15 over 130m) cert-manager Error initializing issuer: Post "https://128.224.196.78:8080/acme/acme/new-account": dial tcp 128.224.196.78:8080: connect: network is unreachable
  Warning ErrInitIssuer 75m cert-manager Error initializing issuer: context deadline exceeded
  Warning ErrVerifyACMEAccount 75m (x2 over 75m) cert-manager Failed to verify ACME account: Get "https://acmeca.cumulus.wrs.com:8080/acme/acme/directory": dial tcp: lookup acmeca.cumulus.wrs.com on [abcd:207::a]:53: server misbehaving
  Warning ErrInitIssuer 75m (x2 over 75m) cert-manager Error initializing issuer: Get "https://acmeca.cumulus.wrs.com:8080/acme/acme/directory": dial tcp: lookup acmeca.cumulus.wrs.com on [abcd:207::a]:53: server misbehaving
  Warning ErrVerifyACMEAccount 40m (x2 over 75m) cert-manager Failed to verify ACME account: context deadline exceeded
  Warning ErrVerifyACMEAccount 35s (x31 over 130m) cert-manager Failed to verify ACME account: Post "https://128.224.196.78:8080/acme/acme/new-account": dial tcp 128.224.196.78:8080: connect: network is unreachable
[sysadmin@controller-0 ~(keystone_admin)]$

Expected Behavior
------------------
cm on an IPv6 system should connect to the stepca issuer without any errors

Actual Behavior
----------------
cm on an IPv6 system resolves the stepca domain name to IPv4 instead of IPv6

Reproducibility
---------------
100%

System Configuration
--------------------

duplex system, wc_11_ipv6

Branch/Pull Time/Commit
-----------------------
2020-04-28

Last Pass
---------
NA

Timestamp/Logs
--------------
2020-05-01T14:08:30Z

Test Activity
-------------
Feature testing

Workaround
----------
NA

Ghada Khalil (gkhalil) wrote :

stx.4.0 / medium priority - issue related to recently submitted stx.4.0 cert-mgr feature

Changed in starlingx:
importance: Undecided → Medium
status: New → Triaged
tags: added: stx.4.0 stx.apps stx.security
Ghada Khalil (gkhalil)
Changed in starlingx:
assignee: nobody → Sabeel Ansari (sansariwr)
Greg Waines (greg-waines) wrote :

I am thinking the IPv6 issue is with our step-ca setup.
I think it is returning a URL containing the IPv4 address.

I was just taking a quick look at our config and it looks a little suspicious,
e.g.

 "crt": "/home/cumulus/.step/certs/intermediate_ca.crt",
 "key": "/home/cumulus/.step/secrets/intermediate_ca_key",
 "address": ":8080",
 "dnsNames": [
  "128.224.196.78"
 ],
 "logger": {
  "format": "text"
 },

I think the dnsNames should be "acmeca.cumulus.wrs.com".
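As an added illustration of the failure described above (not code from the bug report, cert-manager or step-ca): a small audit that parses an ACME directory and flags every endpoint an IPv6-only client cannot reach, either because the URL embeds an IPv4 literal (what a step-ca configured with an address in dnsNames hands out) or because the hostname resolves only to A records. The directory JSON and the DNS answers are constructed samples, and `resolve` is an injected lookup so the check runs offline.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample: the shape of an ACME directory served by a step-ca whose
# dnsNames list held the IPv4 literal instead of its hostname (not captured from the lab).
SAMPLE_DIRECTORY = json.dumps({
    "newNonce":   "https://128.224.196.78:8080/acme/acme/new-nonce",
    "newAccount": "https://128.224.196.78:8080/acme/acme/new-account",
    "newOrder":   "https://128.224.196.78:8080/acme/acme/new-order",
})

# Constructed DNS answers standing in for a live resolver so the audit runs offline.
SAMPLE_DNS = {
    "acmeca.cumulus.wrs.com": ["128.224.196.78"],          # hypothetical: A record only
    "acme6.example.test": ["2001:db8::10", "192.0.2.10"],  # hypothetical: dual-stack name
}

def sample_resolve(host):
    return SAMPLE_DNS.get(host, [])

def audit_directory(directory_json, resolve, want_family=6):
    """Return (endpoint, host, reason) for every directory URL that a client
    limited to IPv{want_family} cannot reach."""
    findings = []
    for endpoint, url in json.loads(directory_json).items():
        host = urlsplit(url).hostname
        try:
            # Literal address in the URL: the client never consults DNS at all.
            addrs = [ipaddress.ip_address(host)]
            literal = True
        except ValueError:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
            literal = False
        if any(a.version == want_family for a in addrs):
            continue
        if literal:
            reason = f"URL embeds an IPv{addrs[0].version} literal"
        elif addrs:
            reason = f"name resolves only to IPv{addrs[0].version}"
        else:
            reason = "name does not resolve"
        findings.append((endpoint, host, reason))
    return findings

if __name__ == "__main__":
    for endpoint, host, reason in audit_directory(SAMPLE_DIRECTORY, sample_resolve):
        print(f"{endpoint}: {host}: {reason}")
```

Pointing `resolve` at a real lookup (for example one built on `socket.getaddrinfo`) turns this into a pre-flight check that would have reported the IPv4 literal before cert-manager ever tried to dial it.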

Ghada Khalil (gkhalil)
Changed in starlingx:
assignee: Sabeel Ansari (sansariwr) → Greg Waines (greg-waines)
status: Triaged → In Progress
ayyappa (mantri425) wrote :

Figured that this issue is caused by the ipv6 routing between the lab and the stepca setup, hence marking it as invalid

Changed in starlingx:
status: In Progress → Invalid
Ghada Khalil (gkhalil) wrote :

LP is closed as invalid; removing the stx.retestneeded tag

tags: removed: stx.retestneeded