Certificate Generation Fails Since Host CA Validity Is Less Than The Amount Of TTL With Which Certificate is Attempted To Be Generated In Vault
Problem
Facing issues with node converging to the cluster resulting in complete outage the nodes which are rebooted/stack restarted.
[2022-03-21 17:47:05] KeyError: 'data'[2022-03-21 17:47:05] Error loading file /tmp/authbs-certs.tTAf/flannel/etcd/ca.crt[2022-03-21 17:47:05] Certificate is not signed by CA[2022-03-21 17:47:05] Cert missed in this round: flannel/etcd[2022-03-21 17:47:05] Retrying again internallyx
/tmp/authbs-certs.NqWH/admin# cat request.json{"errors":["cannot satisfy request, as TTL would result in notAfter 2025-03-20T17:52:08.088914479Z that is beyond the expiration of the CA certificate at 2025-03-02T13:59:50Z"]}/tmp/authbs-certs.NqWH/admin# pwd/tmp/authbs-certs.NqWH/adminError seen while onboarding node:
2023-09-28T04:44:29.8181Z DEBUG Unable to prep node: Error: Unable to install hostagent. error while running installer script: HOST_CERTS_SCRIPT_FAILED/opt/pf9/hostagent/bin/host-certs.py\", line 113, in <module>\n sys.exit(main())\n File \"/opt/pf9/hostagent/bin/host-certs.py\", line 110, in main\n return args.func(args)\n File \"/opt/pf9/hostagent/bin/host-certs.py\", line 31, in _refresh\n cert, ca = vouch.sign_csr(csr, args.common_name)\n File \"/opt/pf9/hostagent/lib/python3.9/site-packages/bbslave/certs.py\", line 72, in sign_csr\n resp.raise_for_status()\n File \"/opt/pf9/hostagent/lib/python3.9/site-packages/requests/models.py\", line 1021, in raise_for_status\n raise HTTPError(http_error_msg, response=self)\nrequests.exceptions.HTTPError: 400 Client Error: Bad Request for url: https://DU-FQDN/vouch/v1/sign/cert\n"}Environment
- Platform9 Managed Kubernetes - v5.6 and Higher.
Solution
This is a know issue, and is resolved in the PMK version in v5.6.9, v5.7.3 and 5.9.1.
Additional Information
If the issue is observed in any of the unsupported PMK versions, please open a support ticket mentioning the related jira PMK-4582.
Was this page helpful?