Certificate generation failed with "Server denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Insufficient privilege to create a certificate with subject alt name"

Solution In Progress - Updated -

Issue

  • The stack update has failed:
(undercloud) [stack@undercloud ~]$ openstack stack list
+--------------------------------------+----------------+----------------------------------+---------------+----------------------+----------------------+
| ID                                   | Stack Name     | Project                          | Stack Status  | Creation Time        | Updated Time         |
+--------------------------------------+----------------+----------------------------------+---------------+----------------------+----------------------+
| 2737aa9e-d079-4311-8337-2e04080bb7f0 | overcloud      | 6f8b4c40601e4b4aad5a73e50bfd935d | UPDATE_FAILED | 2019-09-02T12:57:55Z | 2021-06-23T07:02:33Z |
+--------------------------------------+----------------+----------------------------------+---------------+----------------------+----------------------+
  • The following failures are seen:
(undercloud) [stack@undercloud ~]$ openstack stack failures list rlvstle0cl2001
overcloud.AllNodesDeploySteps.ComputeHssNonHtDeployment_Step1.11:
  resource_type: OS::Heat::StructuredDeployment
  physical_resource_id: c9564fdd-065e-4867-9460-99aa7018a272
  status: CREATE_FAILED
  status_reason: |
    Error: resources[11]: Deployment to server failed: deploy_status_code : Deployment exited with non-zero status code: 2
  deploy_stdout: |
    ...
            "Warning: /Stage[main]/Tripleo::Certmonger::Ca::Crl/Cron[tripleo-refresh-crl-file]: Skipping because of failed dependencies", 
            "Warning: /Stage[main]/Tripleo::Profile::Base::Certmonger_user/Tripleo::Certmonger::Libvirt_vnc[libvirt-vnc-server-cert]/File[/etc/pki/libvirt-vnc/server-cert.pem]: Skipping because of failed dependencies", 
            "Warning: /Stage[main]/Tripleo::Profile::Base::Certmonger_user/Tripleo::Certmonger::Libvirt_vnc[libvirt-vnc-server-cert]/File[/etc/pki/libvirt-vnc/server-key.pem]: Skipping because of failed dependencies"
        ]
    }
        to retry, use: --limit @/var/lib/heat-config/heat-config-ansible/559fd801-2da9-4e11-a151-2fa56bf214ba_playbook.retry

    PLAY RECAP *********************************************************************
    localhost                  : ok=25   changed=12   unreachable=0    failed=1   

    (truncated, view all with --long)
  deploy_stderr: |
  • One or more compute resources failed to deploy:
(undercloud) [stack@undercloud ~]$ openstack stack resource list -n 5 overcloud | egrep -i -v complete
+---------------------------------+--------------------------------------+--------------------------------+-----------------+----------------------+-----------------------------------------------------------------------------------------+
| resource_name                   | physical_resource_id                 | resource_type                  | resource_status | updated_time         | stack_name                                                                              |
+---------------------------------+--------------------------------------+--------------------------------+-----------------+----------------------+-----------------------------------------------------------------------------------------+
| AllNodesDeploySteps             | 2d31c0b6-6236-4da5-95fb-5d1749ba2a16 | OS::TripleO::PostDeploySteps   | UPDATE_FAILED   | 2021-06-23T07:38:01Z | overcloud                                                                               |
| ComputeHssNonHtDeployment_Step1 | 791a93c5-dbda-4c2d-8a9d-8a53bfc3628b | OS::TripleO::DeploymentSteps   | UPDATE_FAILED   | 2021-06-23T07:39:43Z | overcloud-AllNodesDeploySteps-6r2xob336g4x                                              |
| 11                              | c9564fdd-065e-4867-9460-99aa7018a272 | OS::Heat::StructuredDeployment | CREATE_FAILED   | 2021-06-23T07:39:46Z | overcloud-AllNodesDeploySteps-6r2xob336g4x-ComputeHssNonHtDeployment_Step1-tgx26cj3rcpl |
+---------------------------------+--------------------------------------+--------------------------------+-----------------+----------------------+-----------------------------------------------------------------------------------------+
  • On such computes, the following errors are seen in certmonger:
[root@overcloud-compute-0 ~]# systemctl status certmonger -l
● certmonger.service - Certificate monitoring and PKI enrollment
   Loaded: loaded (/usr/lib/systemd/system/certmonger.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2021-06-23 17:40:46 AEST; 1h 58min ago
 Main PID: 33709 (certmonger)
    Tasks: 1
   Memory: 1.7M
   CGroup: /system.slice/certmonger.service
           └─33709 /usr/sbin/certmonger -S -p /var/run/certmonger.pid -n

Jun 23 17:40:46 overcloud-compute-0 ipa-submit[33712]: GSSAPI client step 1
Jun 23 17:40:46 overcloud-compute-0 ipa-submit[33712]: GSSAPI client step 1
Jun 23 17:40:46 overcloud-compute-0 ipa-submit[33712]: GSSAPI client step 2
Jun 23 17:40:48 overcloud-compute-0 certmonger[33709]: 2021-06-23 03:40:48 [33709] Server at https://ipa_host.localdomain/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Insufficient privilege to create a certificate with subject alt name 'overcloud-compute-0.localdomain'.).
Jun 23 17:40:48 overcloud-compute-0 certmonger[33811]: Request for certificate to be stored in file "/etc/contrail/ssl/certs/server.pem" rejected by CA.
Jun 23 17:40:52 overcloud-compute-0 certmonger[33709]: 2021-06-23 03:40:52 [33709] Server at https://ipa_host.localdomain/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'krbprincipalname=libvirt/overcloud-compute-0.internalapi.localdomain@ADMIN.LOCALDOMAIN,cn=services,cn=accounts,dc=localdomain'.).
Jun 23 17:40:53 overcloud-compute-0 certmonger[33709]: 2021-06-23 03:40:53 [33709] Server at https://ipa_host.localdomain/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'krbprincipalname=libvirt/overcloud-compute-0.internalapi.localdomain@ADMIN.LOCALDOMAIN,cn=services,cn=accounts,dc=localdomain'.).
Jun 23 17:40:53 overcloud-compute-0 certmonger[34214]: Request for certificate to be stored in file "/etc/pki/libvirt/servercert.pem" rejected by CA.
Jun 23 17:40:54 overcloud-compute-0 certmonger[33709]: 2021-06-23 03:40:54 [33709] Server at https://ipa_host.localdomain/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'krbprincipalname=libvirt-vnc/overcloud-compute-0.internalapi.localdomain@ADMIN.LOCALDOMAIN,cn=services,cn=accounts,dc=localdomain'.).
Jun 23 17:40:54 overcloud-compute-0 certmonger[34230]: Request for certificate to be stored in file "/etc/pki/libvirt-vnc/server-cert.pem" rejected by CA.
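
To triage journals like the one above across many computes, the Python below (an added example, not part of the original article or of any Red Hat tooling) reports, for each certificate file rejected by the CA, which subject alt name or service principal the IPA server refused. The sample input is constructed from the messages shown above, and pairing a rejection with the preceding denial by log order is an assumption.

```python
import re
DENIED = re.compile(r"denied our request, giving up: (\d+) \(RPC failed at server\.\s+Insufficient access: (.+)")
SAN = re.compile(r"subject alt name '([^']+)'")
ATTR = re.compile(r"'(\w+)' privilege to the '(\w+)' attribute of entry 'krbprincipalname=([^,']+)")
REJECTED = re.compile(r'stored in file "([^"]+)" rejected by CA')

# Constructed sample: messages copied from the journal above, timestamps and PIDs made uniform.
_DENY = ("Jun 23 17:40:48 overcloud-compute-0 certmonger[33709]: Server at "
         "https://ipa_host.localdomain/ipa/xml denied our request, giving up: 2100 "
         "(RPC failed at server.  Insufficient access: {}.).")
_REJ = ('Jun 23 17:40:48 overcloud-compute-0 certmonger[33811]: Request for certificate '
        'to be stored in file "{}" rejected by CA.')
_ENTRY = ("Insufficient 'write' privilege to the 'userCertificate' attribute of entry "
          "'krbprincipalname={}/overcloud-compute-0.internalapi.localdomain@ADMIN.LOCALDOMAIN,"
          "cn=services,cn=accounts,dc=localdomain'")
SAMPLE = "\n".join([
    _DENY.format("Insufficient privilege to create a certificate with subject alt name 'overcloud-compute-0.localdomain'"),
    _REJ.format("/etc/contrail/ssl/certs/server.pem"),
    _DENY.format(_ENTRY.format("libvirt")),
    _DENY.format(_ENTRY.format("libvirt")),   # the journal shows this denial twice
    _REJ.format("/etc/pki/libvirt/servercert.pem"),
    _DENY.format(_ENTRY.format("libvirt-vnc")),
    _REJ.format("/etc/pki/libvirt-vnc/server-cert.pem"),
])

def triage(journal_text):
    """Pair each 'rejected by CA' file with the most recent IPA denial logged before it (assumed order)."""
    findings, last = [], None
    for line in journal_text.splitlines():
        denied = DENIED.search(line)
        if denied:
            code, reason = int(denied.group(1)), denied.group(2)
            san, attr = SAN.search(reason), ATTR.search(reason)
            if san:      # CA refused the requested subject alt name
                last = {"code": code, "denied": "subject alt name", "subject": san.group(1)}
            elif attr:   # requester may not modify this attribute of the service entry
                last = {"code": code, "denied": f"{attr.group(1)} {attr.group(2)}", "subject": attr.group(3)}
            else:        # any other "Insufficient access" reason is kept verbatim
                last = {"code": code, "denied": "other", "subject": reason.rstrip(" .)")}
            continue
        rejected = REJECTED.search(line)
        if rejected and last:
            findings.append({"file": rejected.group(1), **last})
            last = None
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f['file']}: error {f['code']}, {f['denied']} denied for {f['subject']}")
```

On a real node the input would be the text of `journalctl -u certmonger`; a rejection with no denial logged before it is skipped rather than guessed at.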

Environment

  • Red Hat OpenStack Platform 13.0 (RHOSP)
