Certificate generation failed with "Server denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Insufficient privilege to create a certificate with subject alt name"

Solution In Progress

Issue

  • The stack update has failed:
(undercloud) [stack@undercloud ~]$ openstack stack list
+--------------------------------------+----------------+----------------------------------+---------------+----------------------+----------------------+
| ID                                   | Stack Name     | Project                          | Stack Status  | Creation Time        | Updated Time         |
+--------------------------------------+----------------+----------------------------------+---------------+----------------------+----------------------+
| 2737aa9e-d079-4311-8337-2e04080bb7f0 | overcloud | 6f8b4c40601e4b4aad5a73e50bfd935d | UPDATE_FAILED | 2019-09-02T12:57:55Z | 2021-06-23T07:02:33Z |
+--------------------------------------+----------------+----------------------------------+---------------+----------------------+----------------------+
  • The following failures are seen:
(undercloud) [stack@undercloud ~]$ openstack stack failures list rlvstle0cl2001
overcloud.AllNodesDeploySteps.ComputeHssNonHtDeployment_Step1.11:
  resource_type: OS::Heat::StructuredDeployment
  physical_resource_id: c9564fdd-065e-4867-9460-99aa7018a272
  status: CREATE_FAILED
  status_reason: |
    Error: resources[11]: Deployment to server failed: deploy_status_code : Deployment exited with non-zero status code: 2
  deploy_stdout: |
    ...
            "Warning: /Stage[main]/Tripleo::Certmonger::Ca::Crl/Cron[tripleo-refresh-crl-file]: Skipping because of failed dependencies", 
            "Warning: /Stage[main]/Tripleo::Profile::Base::Certmonger_user/Tripleo::Certmonger::Libvirt_vnc[libvirt-vnc-server-cert]/File[/etc/pki/libvirt-vnc/server-cert.pem]: Skipping because of failed dependencies", 
            "Warning: /Stage[main]/Tripleo::Profile::Base::Certmonger_user/Tripleo::Certmonger::Libvirt_vnc[libvirt-vnc-server-cert]/File[/etc/pki/libvirt-vnc/server-key.pem]: Skipping because of failed dependencies"
        ]
    }
        to retry, use: --limit @/var/lib/heat-config/heat-config-ansible/559fd801-2da9-4e11-a151-2fa56bf214ba_playbook.retry

    PLAY RECAP *********************************************************************
    localhost                  : ok=25   changed=12   unreachable=0    failed=1   

    (truncated, view all with --long)
  deploy_stderr: |
  • One or more compute resources failed to deploy:
(undercloud) [stack@undercloud ~]$ openstack stack resource list -n 5 overcloud | egrep -i -v complete
+-------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| resource_name                                         | physical_resource_id                                                                                                                                                                                                                          | resource_type                                                                                                                                                                                                 | resource_status | updated_time         | stack_name                                                                                                                                                                                                 |
+-------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| AllNodesDeploySteps                                   | 2d31c0b6-6236-4da5-95fb-5d1749ba2a16                                                                                                                                                                                                          | OS::TripleO::PostDeploySteps                                                                                                                                                                                  | UPDATE_FAILED   | 2021-06-23T07:38:01Z | overcloud                                                                                                                                                                                             |
| ComputeHssNonHtDeployment_Step1                       | 791a93c5-dbda-4c2d-8a9d-8a53bfc3628b                                                                                                                                                                                                          | OS::TripleO::DeploymentSteps                                                                                                                                                                                  | UPDATE_FAILED   | 2021-06-23T07:39:43Z | overcloud-AllNodesDeploySteps-6r2xob336g4x                                                                                                                                                            |
| 11                                                    | c9564fdd-065e-4867-9460-99aa7018a272                                                                                                                                                                                                          | OS::Heat::StructuredDeployment                                                                                                                                                                                | CREATE_FAILED   | 2021-06-23T07:39:46Z | overcloud-AllNodesDeploySteps-6r2xob336g4x-ComputeHssNonHtDeployment_Step1-tgx26cj3rcpl                                                                                                               |
+-------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
  • On such computes, the following errors are seen in certmonger:
[root@overcloud-compute-0 ~]# systemctl status certmonger -l
● certmonger.service - Certificate monitoring and PKI enrollment
   Loaded: loaded (/usr/lib/systemd/system/certmonger.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2021-06-23 17:40:46 AEST; 1h 58min ago
 Main PID: 33709 (certmonger)
    Tasks: 1
   Memory: 1.7M
   CGroup: /system.slice/certmonger.service
           └─33709 /usr/sbin/certmonger -S -p /var/run/certmonger.pid -n

Jun 23 17:40:46 overcloud-compute-0 ipa-submit[33712]: GSSAPI client step 1
Jun 23 17:40:46 overcloud-compute-0 ipa-submit[33712]: GSSAPI client step 1
Jun 23 17:40:46 overcloud-compute-0 ipa-submit[33712]: GSSAPI client step 2
Jun 23 17:40:48 overcloud-compute-0 certmonger[33709]: 2021-06-23 03:40:48 [33709] Server at https://ipa_host.localdomain/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Insufficient privilege to create a certificate with subject alt name 'overcloud-compute-0.localdomain'.).
Jun 23 17:40:48 overcloud-compute-0 certmonger[33811]: Request for certificate to be stored in file "/etc/contrail/ssl/certs/server.pem" rejected by CA.
Jun 23 17:40:52 overcloud-compute-0 certmonger[33709]: 2021-06-23 03:40:52 [33709] Server at https://ipa_host.localdomain/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'krbprincipalname=libvirt/overcloud-compute-0.internalapi.localdomain@ADMIN.LOCALDOMAIN,cn=services,cn=accounts,dc=localdomain'.).
Jun 23 17:40:53 overcloud-compute-0 certmonger[33709]: 2021-06-23 03:40:53 [33709] Server at https://ipa_host.localdomain/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'krbprincipalname=libvirt/overcloud-compute-0.internalapi.localdomain@ADMIN.LOCALDOMAIN,cn=services,cn=accounts,dc=localdomain'.).
Jun 23 17:40:53 overcloud-compute-0 certmonger[34214]: Request for certificate to be stored in file "/etc/pki/libvirt/servercert.pem" rejected by CA.
Jun 23 17:40:54 overcloud-compute-0 certmonger[33709]: 2021-06-23 03:40:54 [33709] Server at https://ipa_host.localdomain/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'krbprincipalname=libvirt-vnc/overcloud-compute-0.internalapi.localdomain@ADMIN.LOCALDOMAIN,cn=services,cn=accounts,dc=localdomain'.).
Jun 23 17:40:54 overcloud-compute-0 certmonger[34230]: Request for certificate to be stored in file "/etc/pki/libvirt-vnc/server-cert.pem" rejected by CA.
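
To triage these denials across many computes, the journal lines can be reduced to one finding per rejected certificate file. The following is an added example, not part of the original article or of certmonger. The function names are hypothetical, and pairing each denial with the next "rejected by CA" line is an assumption based on the ordering seen in the excerpt above.

```python
import re

# Journal lines copied from the excerpt above (first five certmonger entries).
SAMPLE = """\
Jun 23 17:40:48 overcloud-compute-0 certmonger[33709]: 2021-06-23 03:40:48 [33709] Server at https://ipa_host.localdomain/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Insufficient privilege to create a certificate with subject alt name 'overcloud-compute-0.localdomain'.).
Jun 23 17:40:48 overcloud-compute-0 certmonger[33811]: Request for certificate to be stored in file "/etc/contrail/ssl/certs/server.pem" rejected by CA.
Jun 23 17:40:52 overcloud-compute-0 certmonger[33709]: 2021-06-23 03:40:52 [33709] Server at https://ipa_host.localdomain/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'krbprincipalname=libvirt/overcloud-compute-0.internalapi.localdomain@ADMIN.LOCALDOMAIN,cn=services,cn=accounts,dc=localdomain'.).
Jun 23 17:40:53 overcloud-compute-0 certmonger[33709]: 2021-06-23 03:40:53 [33709] Server at https://ipa_host.localdomain/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'krbprincipalname=libvirt/overcloud-compute-0.internalapi.localdomain@ADMIN.LOCALDOMAIN,cn=services,cn=accounts,dc=localdomain'.).
Jun 23 17:40:53 overcloud-compute-0 certmonger[34214]: Request for certificate to be stored in file "/etc/pki/libvirt/servercert.pem" rejected by CA.
"""

DENIED = re.compile(r"denied our request, giving up: 2100 \(RPC failed at server\.\s+"
                    r"Insufficient access: (.+)")
REJECTED = re.compile(r'stored in file "([^"]+)" rejected by CA')
SAN = re.compile(r"subject alt name '([^']+)'")
ATTR = re.compile(r"'write' privilege to the '([^']+)' attribute of entry "
                  r"'krbprincipalname=([^,']+)")

def classify(reason):
    """Map the IPA 'Insufficient access' text to (kind, subject)."""
    m = SAN.search(reason)
    if m:
        return "san_not_permitted", m.group(1)
    m = ATTR.search(reason)
    if m:
        return "no_write_" + m.group(1), m.group(2)
    return "other", reason.strip()

def correlate(lines):
    """Attach the most recent denial reason to each 'rejected by CA' line."""
    # Assumption: the denial is logged before its rejection, as in the excerpt;
    # requests interleaved in the journal could break this pairing.
    findings, pending = [], None
    for line in lines:
        m = DENIED.search(line)
        if m:
            pending = classify(m.group(1))
            continue
        m = REJECTED.search(line)
        if m:
            kind, subject = pending or ("unknown", None)
            findings.append({"file": m.group(1), "kind": kind, "subject": subject})
            pending = None
    return findings

if __name__ == "__main__":
    for f in correlate(SAMPLE.splitlines()):
        print(f"{f['file']}: {f['kind']} ({f['subject']})")
```

The two kinds separate a request rejected because of the requested subject alt name from one rejected because the requester cannot write `userCertificate` on the named service principal's entry.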

Environment

  • Red Hat OpenStack Platform 13.0 (RHOSP)
