I'm having a devil of a time here, and I can't figure out what the
problem might be - I'm doing a disconnected install of the 4.2 dev
preview (don't think that matters here....) and my master won't
retrieve the appended ignition config from the bootstrap
machine-config-server because (it says) the certificate is expired or
not yet valid.

The problem is that the certificate is valid. If I use openssl
s_client from the bootstrap node to connect to
api-int.openshift4poc.example.local:22623, I get a validly dated
certificate back (valid for ~10 years):

[core@localhost ~]$ openssl s_client -connect api-int.openshift4poc.example.local:22623 | openssl x509 -noout -text
depth=0 CN = api-int.openshift4poc.example.local
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = api-int.openshift4poc.example.local
verify error:num=21:unable to verify the first certificate
verify return:1
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4048994022129122464 (0x3830ea9c52afbca0)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: OU = openshift, CN = root-ca
        Validity
            Not Before: Sep 30 22:46:23 2019 GMT
            Not After : Sep 27 22:46:24 2029 GMT
        Subject: CN = api-int.openshift4poc.example.local

I've tried blowing away the bootstrap node, regenerating my ignition
configs in a new directory, and then rebuilding, but that seems to
have no effect (though since the cert validity dates change, I know
I'm doing that right).

I've tried for a couple hours to get a shell on the master to figure
out what it thinks the date is (should be correct) but that's next to
impossible. I can't boot the OS to emergency mode since the root
account is locked (as it should be, but cmon......). It's *so*
difficult to debug this.
