C Debian - Subcloud experienced a configuration failure: Cannot install ssl-ca certificate with same subject
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
StarlingX |
Fix Released
|
Medium
|
Reinildes Oliveira |
Bug Description
Brief Description
-------
DC Debian - Subcloud experienced a configuration failure: Cannot install ssl-ca certificate with same subject
subcloud state:
[sysadmin@
+----+-
| id | name | management | availability | deploy status | sync | backup status | backup datetime |
+----+-
| 2 | subcloud4 | managed | online | complete | in-sync | None | None |
+----+-
system host-list
+----+-
| id | hostname | personality | administrative | operational | availability |
+----+-
| 1 | controller-0 | controller | unlocked | enabled | degraded |
+----+-
ssl-ca error:
sysinv 2022-09-14 15:08:33.856 120500 ERROR sysinv.
Please uninstall the following CA certs that have the same subject first
UUID : 4ae8e601-
certificate list:
[sysadmin@
+------
| uuid | certtype | expiry_date | subject |
+------
| 4ae8e601-
| c09539ba-
+------
[sysadmin@
+------
| Property | Value |
+------
| uuid | 4ae8e601-
| certtype | ssl_ca |
| signature | ssl_ca_
| start_date | 2021-06-
| expiry_date | 2032-09-
| subject | O=Internet Widgits Pty Ltd,ST=
+------
Severity
-------
<Critical: System/Feature is not usable after the defect>
Steps to Reproduce
-------
Run remote subcloud install
Expected Behavior
Subcloud should be deployed/configured successfully
Actual Behavior
controller-0 of the subcloud experienced a configuration failure
Reproducibility
-------
100%
System Configuration
DC labs / subclouds
Load info (eg: 2022-03-
22.12_Debian_
Last Pass
22.12_Debian_
[sysadmin@
+------
| application | version | manifest name | manifest file | status | progress |
+------
| cert-manager | 1.0-1 | cert-manager-
| nginx-ingress-
| oidc-auth-apps | 1.0-1 | oidc-auth-
| platform-integ-apps | 1.0-1 | platform-
+------
[sysadmin@
[sysadmin@
+------
| Property | Value |
+------
| uuid | 5c27fe91-
| certtype | ssl_ca |
| signature | ssl_ca_
| start_date | 2021-06-
| expiry_date | 2032-09-
| subject | O=Internet Widgits Pty Ltd,ST=
+------
[sysadmin@
+----+-
| id | hostname | personality | administrative | operational | availability |
+----+-
| 1 | controller-0 | controller | unlocked | enabled | available |
+----+-
[sysadmin@
+------
| Alarm ID | Reason Text | Entity ID | Severity | Time Stamp |
+------
| 100.119 | controller-0 Precision Time Protocol (PTP) clocking is out of | host=controller-0. | major | 2022-09-14T1 |
| | tolerance by more than 1 second | instance= | | 6:56:19. |
| | | ptpinstance1.ptp= | | 986629 |
| | | out-of-tolerance | | |
| | | | | |
| 100.119 | controller-0 is not locked to remote PTP Grand Master | host=controller-0. | major | 2022-09-13T1 |
| | | instance= | | 3:53:19. |
| | | ptpinstance2.ptp= | | 832884 |
| | | no-lock | | |
| | | | | |
+------
Timestamp/Logs
-------
sysinv 2022-09-14 15:08:33.849 120500 INFO sysinv.
sysinv 2022-09-14 15:08:33.855 120500 INFO sysinv.
sysinv 2022-09-14 15:08:33.856 120500 ERROR sysinv.
Please uninstall the following CA certs that have the same subject first
UUID : 4ae8e601-
sysinv 2022-09-14 15:08:34.861 120500 INFO sysinv.
sysinv 2022-09-14 15:08:34.869 120500 INFO sysinv.
sysinv 2022-09-14 15:08:34.870 120500 ERROR sysinv.
Please uninstall the following CA certs that have the same subject first
Alarms
-------
[sysadmin@
+------
| Alarm ID | Reason Text | Entity ID | Severity | Time Stamp |
+------
| 200.011 | controller-0 experienced a configuration failure. | host=controller-0 | critical | 2022-09-13T2 |
| | | | | 2:17:04. |
| | | | | 522578 |
| | | | | |
+------
Test Activity
-------
Feature Testing - subcloud deploy
Changed in starlingx: | |
assignee: | nobody → Reinildes Oliveira (rjosemat) |
description: | updated |
Changed in starlingx: | |
status: | New → In Progress |
description: | updated |
tags: | added: stx.8.0 stx.distcloud stx.security |
Changed in starlingx: | |
importance: | Undecided → Medium |
Reviewed: https:/ /review. opendev. org/c/starlingx /config/ +/858149 /opendev. org/starlingx/ config/ commit/ 397e708a42280f6 f8c001981320b99 e112a9ce37
Committed: https:/
Submitter: "Zuul (22348)"
Branch: master
commit 397e708a42280f6 f8c001981320b99 e112a9ce37
Author: Rei Oliveira <email address hidden>
Date: Fri Sep 16 11:54:02 2022 -0300
Fix certificate ssl_ca cert install by dc-orch sync
This commit fixes an issue where trying to install the same certificate
again results in a 'Cannot install certificate with same subject'. That
is incorrect and should be thrown only for a different certificate with
the same subject.
Test Plan:
PASS: Manage a subcloud and verify that it's able to synchronize certs
without the 'Cannot install certificate with same subject' error
PASS: Try to install the same certificate multiple times and verify
that no 'Cannot install certificate with same subject' error
is returned
PASS: Try to install two different certificates with same subjects and
verify that a 'Cannot install certificate with same subject' error
is returned
Closes-Bug: 1990007
Signed-off-by: Rei Oliveira <email address hidden> 1ef61896c3271a9 6a28fe9ded2
Change-Id: I17861145f20b8e