Unable to login to the OpenShift Cluster using CLI and console in RHOCP 4
Environment
Red Hat OpenShift Container Platform (RHOCP) 4
Issue
- Can not login to the cluster using the
oc logincommand. - Console screen not passing over the login prompt.
Resolution
Restart the pods in openshift-apiserver namespace:
$ oc delete pods -n openshift-apiserver --all
Root Cause
- Login may fail if the
openshift-apiserverpods do not update to the new revision after certificate renewal. - The new certificate will be referenced when the pod is restarted.
Diagnostic Steps
- Check the verbose logs while trying to login into the cluster.
$ oc login -u <username> -p <password> --loglevel=9
- Check if the below error is noticed:
I0410 13:37:43.626902 3923125 request.go:1154] Response Body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"configmaps \"motd\" is forbidden: User \"system:anonymous\" cannot get resource \"configmaps\" in API group \"\" in the namespace \"openshift\"","reason":"Forbidden","details":{"name":"motd","kind":"configmaps"},"code":403}
Login failed (401 Unauthorized)
- Check if the errors are noticed in the pods from
openshift-oauth-apiservernamespace:
2024-08-04T15:36:01.709463902Z E0804 15:36:01.709380 1 authentication.go:73] "Unable to authenticate the request" err="[x509: certificate has expired or is not yet valid: current time 2024-08-04T15:36:01Z is after 2024-07-24T05:56:51Z, verifying certificate SN=99051677048728002381290587112330218126, SKID=, AKID=92:33:E8:29:78:9F:FC:25:ED:67:5A:8D:76:CE:E5:88:C1:08:EF:EB failed: x509: certificate has expired or is not yet valid: current time 2024-08-04T15:36:01Z is after 2024-07-24T05:56:51Z]"
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
Comments