DC Debian - Subcloud experienced a configuration failure: Cannot install ssl-ca certificate with same subject

Bug #1990007 reported by Reinildes Oliveira
Affects: StarlingX
Status: Fix Released
Importance: Medium
Assigned to: Reinildes Oliveira

Bug Description

Brief Description
-------------------------------------------

DC Debian - Subcloud experienced a configuration failure: Cannot install ssl-ca certificate with same subject

subcloud state:

[sysadmin@controller-0 ~(keystone_admin)]$ dcmanager subcloud list
+----+-----------+------------+--------------+---------------+---------+---------------+-----------------+
| id | name | management | availability | deploy status | sync | backup status | backup datetime |
+----+-----------+------------+--------------+---------------+---------+---------------+-----------------+
| 2 | subcloud4 | managed | online | complete | in-sync | None | None |
+----+-----------+------------+--------------+---------------+---------+---------------+-----------------+

system host-list
+----+--------------+-------------+----------------+-------------+--------------+
| id | hostname | personality | administrative | operational | availability |
+----+--------------+-------------+----------------+-------------+--------------+
| 1 | controller-0 | controller | unlocked | enabled | degraded |
+----+--------------+-------------+----------------+-------------+--------------+

ssl-ca error:

sysinv 2022-09-14 15:08:33.856 120500 ERROR sysinv.api.controllers.v1.certificate [-] Cannot install certificate with same subject
Please uninstall the following CA certs that have the same subject first
UUID : 4ae8e601-5290-4dec-a043-f73dea286051

certificate list:

[sysadmin@controller-0 ~(keystone_admin)]$ system certificate-list
+--------------------------------------+----------+---------------------------+-------------------------+
| uuid | certtype | expiry_date | subject |
+--------------------------------------+----------+---------------------------+-------------------------+
| 4ae8e601-5290-4dec-a043-f73dea286051 | ssl_ca | 2032-09-07T17:46:14+00:00 | O=Internet Widgits P... |
| c09539ba-3bc8-441e-8dbb-f5378e1cf18a | ssl_ca | 2032-09-10T21:44:43+00:00 | CN=starlingx |
+--------------------------------------+----------+---------------------------+-------------------------+

[sysadmin@controller-0 ~(keystone_admin)]$ system certificate-show 4ae8e601-5290-4dec-a043-f73dea286051
+-------------+-----------------------------------------------+
| Property | Value |
+-------------+-----------------------------------------------+
| uuid | 4ae8e601-5290-4dec-a043-f73dea286051 |
| certtype | ssl_ca |
| signature | ssl_ca_10076021394652733954 |
| start_date | 2021-06-21T17:46:14+00:00 |
| expiry_date | 2032-09-07T17:46:14+00:00 |
| subject | O=Internet Widgits Pty Ltd,ST=Some-State,C=AU |
+-------------+-----------------------------------------------+

Severity
-------------------------------------------

Critical: System/Feature is not usable after the defect

Steps to Reproduce
-------------------------------------------
Run remote subcloud install

Expected Behavior

Subcloud should be deployed/configured successfully

Actual Behavior

controller-0 of the subcloud experienced a configuration failure

Reproducibility
-----------------------------

100%

System Configuration

DC labs / subclouds

Load info (eg: 2022-03-10_20-00-07)

22.12_Debian_09-12-2022

Last Pass

22.12_Debian_09-08-2022

[sysadmin@controller-0 ~(keystone_admin)]$ system application-list
+--------------------------+---------+-------------------------------------------+------------------+----------+-----------+
| application | version | manifest name | manifest file | status | progress |
+--------------------------+---------+-------------------------------------------+------------------+----------+-----------+
| cert-manager | 1.0-1 | cert-manager-fluxcd-manifests | fluxcd-manifests | applied | completed |
| nginx-ingress-controller | 1.0-1 | nginx-ingress-controller-fluxcd-manifests | fluxcd-manifests | applied | completed |
| oidc-auth-apps | 1.0-1 | oidc-auth-apps-fluxcd-manifests | fluxcd-manifests | uploaded | completed |
| platform-integ-apps | 1.0-1 | platform-integ-apps-fluxcd-manifests | fluxcd-manifests | applied | completed |
+--------------------------+---------+-------------------------------------------+------------------+----------+-----------+
[sysadmin@controller-0 ~(keystone_admin)]$
[sysadmin@controller-0 ~(keystone_admin)]$ system certificate-show 5c27fe91-980a-40f8-b094-c7a01345a5bd
+-------------+-----------------------------------------------+
| Property | Value |
+-------------+-----------------------------------------------+
| uuid | 5c27fe91-980a-40f8-b094-c7a01345a5bd |
| certtype | ssl_ca |
| signature | ssl_ca_10076021394652733954 |
| start_date | 2021-06-21T17:46:14+00:00 |
| expiry_date | 2032-09-07T17:46:14+00:00 |
| subject | O=Internet Widgits Pty Ltd,ST=Some-State,C=AU |
+-------------+-----------------------------------------------+
[sysadmin@controller-0 ~(keystone_admin)]$ system host-list
+----+--------------+-------------+----------------+-------------+--------------+
| id | hostname | personality | administrative | operational | availability |
+----+--------------+-------------+----------------+-------------+--------------+
| 1 | controller-0 | controller | unlocked | enabled | available |
+----+--------------+-------------+----------------+-------------+--------------+
[sysadmin@controller-0 ~(keystone_admin)]$ fm alarm-list
+----------+-----------------------------------------------------------------------------------------------+--------------------------------------------------------------+----------+----------------------------+
| Alarm ID | Reason Text | Entity ID | Severity | Time Stamp |
+----------+-----------------------------------------------------------------------------------------------+--------------------------------------------------------------+----------+----------------------------+
| 100.119 | controller-0 Precision Time Protocol (PTP) clocking is out of tolerance by more than 1 second | host=controller-0.instance=ptpinstance1.ptp=out-of-tolerance | major | 2022-09-14T16:56:19.986629 |
| 100.119 | controller-0 is not locked to remote PTP Grand Master | host=controller-0.instance=ptpinstance2.ptp=no-lock | major | 2022-09-13T13:53:19.832884 |
+----------+-----------------------------------------------------------------------------------------------+--------------------------------------------------------------+----------+----------------------------+

Timestamp/Logs
-------------------------------------------

sysinv 2022-09-14 15:08:33.849 120500 INFO sysinv.api.controllers.v1.certificate [-] certificate certificate_do_post_start_2022-09-14-15-08-33 mode=ssl_ca
sysinv 2022-09-14 15:08:33.855 120500 INFO sysinv.api.controllers.v1.certificate [-] certificate is not valid before 2021-06-21 17:46:14 nor after 2032-09-07 17:46:14
sysinv 2022-09-14 15:08:33.856 120500 ERROR sysinv.api.controllers.v1.certificate [-] Cannot install certificate with same subject
Please uninstall the following CA certs that have the same subject first
UUID : 4ae8e601-5290-4dec-a043-f73dea286051
sysinv 2022-09-14 15:08:34.861 120500 INFO sysinv.api.controllers.v1.certificate [-] certificate certificate_do_post_start_2022-09-14-15-08-34 mode=ssl_ca
sysinv 2022-09-14 15:08:34.869 120500 INFO sysinv.api.controllers.v1.certificate [-] certificate is not valid before 2021-06-21 17:46:14 nor after 2032-09-07 17:46:14
sysinv 2022-09-14 15:08:34.870 120500 ERROR sysinv.api.controllers.v1.certificate [-] Cannot install certificate with same subject
Please uninstall the following CA certs that have the same subject first

Alarms
-------------------------------------------

[sysadmin@controller-0 ~(keystone_admin)]$ fm alarm-list
+----------+---------------------------------------------------+-------------------+----------+----------------------------+
| Alarm ID | Reason Text | Entity ID | Severity | Time Stamp |
+----------+---------------------------------------------------+-------------------+----------+----------------------------+
| 200.011 | controller-0 experienced a configuration failure. | host=controller-0 | critical | 2022-09-13T22:17:04.522578 |
+----------+---------------------------------------------------+-------------------+----------+----------------------------+

Test Activity
-------------------------------------------

Feature Testing - subcloud deploy

Changed in starlingx:
assignee: nobody → Reinildes Oliveira (rjosemat)
description: updated
Changed in starlingx:
status: New → In Progress
description: updated
Ghada Khalil (gkhalil)
tags: added: stx.8.0 stx.distcloud stx.security
OpenStack Infra (hudson-openstack) wrote : Fix merged to config (master)

Reviewed: https://review.opendev.org/c/starlingx/config/+/858149
Committed: https://opendev.org/starlingx/config/commit/397e708a42280f6f8c001981320b99e112a9ce37
Submitter: "Zuul (22348)"
Branch: master

commit 397e708a42280f6f8c001981320b99e112a9ce37
Author: Rei Oliveira <email address hidden>
Date: Fri Sep 16 11:54:02 2022 -0300

    Fix certificate ssl_ca cert install by dc-orch sync

    This commit fixes an issue where trying to install the same certificate
    again results in a 'Cannot install certificate with same subject'. That
    is incorrect and should be thrown only for a different certificate with
    the same subject.

    Test Plan:

    PASS: Manage a subcloud and verify that it's able to synchronize certs
          without the 'Cannot install certificate with same subject' error
    PASS: Try to install the same certificate multiple times and verify
          that no 'Cannot install certificate with same subject' error
          is returned
    PASS: Try to install two different certificates with same subjects and
          verify that a 'Cannot install certificate with same subject' error
          is returned

    Closes-Bug: 1990007

    Signed-off-by: Rei Oliveira <email address hidden>
    Change-Id: I17861145f20b8e1ef61896c3271a96a28fe9ded2

Changed in starlingx:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix merged to ansible-playbooks (master)

Reviewed: https://review.opendev.org/c/starlingx/ansible-playbooks/+/858207
Committed: https://opendev.org/starlingx/ansible-playbooks/commit/71951ef4063226d9c1db702238bfc4fc0ed581f7
Submitter: "Zuul (22348)"
Branch: master

commit 71951ef4063226d9c1db702238bfc4fc0ed581f7
Author: Rei Oliveira <email address hidden>
Date: Fri Sep 16 14:58:08 2022 -0300

    Fix certificate ssl_ca cert install by dc-orch sync

    This commit fixes an issue where the subcloud's kubernetes root CA
    is installed as a ssl_ca in the subcloud. This is not needed and will
    result in a 'Cannot install certificate with same subject' error when
    dc-orch tries to synchronize its kubernetes root CA as a ssl_ca
    certificate to the subcloud.

    Test Plan:

    PASS: Run dcmanager subcloud add and verify that no ssl_ca certificates
          with subject 'CN=starlingx' exist in 'system certificate-list'
    PASS: Bootstrap a standalone system and verify that a ssl_ca certificate
          with subject 'CN=starlingx' exists in 'system certificate-list'
    PASS: Manage a subcloud and verify that it's able to synchronize certs
          without the 'Cannot install certificate with same subject' error

    Partial-Bug: 1990007

    Signed-off-by: Rei Oliveira <email address hidden>
    Change-Id: Ia685a9a7db609de5d41e83ec4268d837da9d5010
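
The rule the two commit messages above describe, written out as an added example (this is not StarlingX or sysinv code): the reported behaviour rejects any ssl_ca install whose subject is already present, so dc-orch re-syncing the identical CA fails; the fixed rule rejects only a different certificate with the same subject, so re-installing the same CA is an idempotent no-op. The block also parses a captured `system certificate-list` and flags ssl_ca entries with the Kubernetes root CA subject CN=starlingx, which the ansible-playbooks test plan says a subcloud should no longer carry. Assumptions: sysinv's `signature` value (as shown by `system certificate-show`) identifies the certificate itself, so equal subject plus equal signature means the same CA; the listing and UUIDs are copied from this report, while the `ssl_ca_constructed_*` signatures and the zero/one-filled UUIDs are constructed.

```python
"""Added example, not StarlingX code: the ssl_ca 'same subject' rule before
and after the fix in bug 1990007, plus a parser for `system certificate-list`.

Assumption: sysinv's `signature` field (e.g. ssl_ca_10076021394652733954)
identifies the certificate, so same subject + same signature == same CA.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class CaCert:
    uuid: str
    certtype: str
    subject: str
    signature: Optional[str] = None  # None when taken from certificate-list


class SameSubjectError(Exception):
    """The error sysinv logs: 'Cannot install certificate with same subject'."""

    def __init__(self, uuids: List[str]):
        self.uuids = list(uuids)
        super().__init__("Cannot install certificate with same subject. Please uninstall "
                         "the following CA certs that have the same subject first: "
                         + ", ".join(self.uuids))


def blocking_certs(installed: List[CaCert], candidate: CaCert,
                   fixed: bool = True) -> List[CaCert]:
    """Installed ssl_ca certs that prevent installing `candidate`.

    fixed=False: the reported behaviour, any installed ssl_ca with the same
    subject blocks, so re-syncing the identical CA fails.
    fixed=True: the rule from the fix, only a *different* certificate with the
    same subject blocks; re-installing the same certificate is accepted.
    """
    blockers = []
    for cert in installed:
        if cert.certtype != "ssl_ca" or cert.subject != candidate.subject:
            continue
        same_cert = cert.signature is not None and cert.signature == candidate.signature
        if not fixed or not same_cert:
            blockers.append(cert)
    return blockers


def install_ssl_ca(installed: List[CaCert], candidate: CaCert,
                   fixed: bool = True) -> List[CaCert]:
    """Return the resulting installed list, or raise SameSubjectError like sysinv."""
    blockers = blocking_certs(installed, candidate, fixed)
    if blockers:
        raise SameSubjectError([c.uuid for c in blockers])
    if candidate.signature is not None and any(
            c.signature == candidate.signature for c in installed):
        return list(installed)  # same CA already present: idempotent no-op
    return list(installed) + [candidate]


# One data row of `system certificate-list`: | uuid | certtype | expiry_date | subject |
_ROW = re.compile(r"^\|\s*([0-9a-f-]{36})\s*\|\s*(\S+)\s*\|\s*(\S+)\s*\|\s*(.*?)\s*\|$")


def parse_certificate_list(text: str) -> List[CaCert]:
    """Parse the CLI table into CaCert records (the table has no signature column)."""
    certs = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            certs.append(CaCert(uuid=m.group(1), certtype=m.group(2), subject=m.group(4)))
    return certs


def k8s_root_ca_listed_as_ssl_ca(certs: List[CaCert]) -> List[str]:
    """UUIDs of ssl_ca entries carrying the Kubernetes root CA subject CN=starlingx.

    Per the ansible-playbooks fix a subcloud should have none; a standalone
    bootstrap should have exactly one.
    """
    return [c.uuid for c in certs if c.certtype == "ssl_ca" and c.subject == "CN=starlingx"]


# Listing copied from this bug report (subcloud4 before the fix).
SUBCLOUD_LISTING = """\
+--------------------------------------+----------+---------------------------+-------------------------+
| uuid                                 | certtype | expiry_date               | subject                 |
+--------------------------------------+----------+---------------------------+-------------------------+
| 4ae8e601-5290-4dec-a043-f73dea286051 | ssl_ca   | 2032-09-07T17:46:14+00:00 | O=Internet Widgits P... |
| c09539ba-3bc8-441e-8dbb-f5378e1cf18a | ssl_ca   | 2032-09-10T21:44:43+00:00 | CN=starlingx            |
+--------------------------------------+----------+---------------------------+-------------------------+
"""

WIDGITS = "O=Internet Widgits Pty Ltd,ST=Some-State,C=AU"
# UUIDs and the real signature come from the report; the "other" values are constructed.
INSTALLED_CA = CaCert("4ae8e601-5290-4dec-a043-f73dea286051", "ssl_ca", WIDGITS,
                      "ssl_ca_10076021394652733954")
RESYNCED_SAME_CA = CaCert("5c27fe91-980a-40f8-b094-c7a01345a5bd", "ssl_ca", WIDGITS,
                          "ssl_ca_10076021394652733954")
DIFFERENT_CA_SAME_SUBJECT = CaCert("00000000-0000-4000-8000-000000000000", "ssl_ca", WIDGITS,
                                   "ssl_ca_constructed_other")

if __name__ == "__main__":
    for fixed in (False, True):
        try:
            install_ssl_ca([INSTALLED_CA], RESYNCED_SAME_CA, fixed=fixed)
            print(f"fixed={fixed}: re-sync of the same CA accepted")
        except SameSubjectError as err:
            print(f"fixed={fixed}: {err}")
    print("k8s root CA listed as ssl_ca:",
          k8s_root_ca_listed_as_ssl_ca(parse_certificate_list(SUBCLOUD_LISTING)))
```

Run it as a script to see the before/after behaviour on the report's own certificate; in the `fixed=False` path the error text matches what sysinv logged above. To check a subcloud the way the second test plan does, paste the output of `system certificate-list` into `parse_certificate_list` and expect `k8s_root_ca_listed_as_ssl_ca` to return an empty list.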

Ghada Khalil (gkhalil)
Changed in starlingx:
importance: Undecided → Medium