Certificate generation failed with "Server denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Insufficient privilege to create a certificate with subject alt name"
Issue
- The stack update has failed:
(undercloud) [stack@undercloud ~]$ openstack stack list
+--------------------------------------+----------------+----------------------------------+---------------+----------------------+----------------------+
| ID | Stack Name | Project | Stack Status | Creation Time | Updated Time |
+--------------------------------------+----------------+----------------------------------+---------------+----------------------+----------------------+
| 2737aa9e-d079-4311-8337-2e04080bb7f0 | overcloud | 6f8b4c40601e4b4aad5a73e50bfd935d | UPDATE_FAILED | 2019-09-02T12:57:55Z | 2021-06-23T07:02:33Z |
+--------------------------------------+----------------+----------------------------------+---------------+----------------------+----------------------+
- The following failures are seen:
(undercloud) [stack@undercloud ~]$ openstack stack failures list rlvstle0cl2001
overcloud.AllNodesDeploySteps.ComputeHssNonHtDeployment_Step1.11:
resource_type: OS::Heat::StructuredDeployment
physical_resource_id: c9564fdd-065e-4867-9460-99aa7018a272
status: CREATE_FAILED
status_reason: |
Error: resources[11]: Deployment to server failed: deploy_status_code : Deployment exited with non-zero status code: 2
deploy_stdout: |
...
"Warning: /Stage[main]/Tripleo::Certmonger::Ca::Crl/Cron[tripleo-refresh-crl-file]: Skipping because of failed dependencies",
"Warning: /Stage[main]/Tripleo::Profile::Base::Certmonger_user/Tripleo::Certmonger::Libvirt_vnc[libvirt-vnc-server-cert]/File[/etc/pki/libvirt-vnc/server-cert.pem]: Skipping because of failed dependencies",
"Warning: /Stage[main]/Tripleo::Profile::Base::Certmonger_user/Tripleo::Certmonger::Libvirt_vnc[libvirt-vnc-server-cert]/File[/etc/pki/libvirt-vnc/server-key.pem]: Skipping because of failed dependencies"
]
}
to retry, use: --limit @/var/lib/heat-config/heat-config-ansible/559fd801-2da9-4e11-a151-2fa56bf214ba_playbook.retry
PLAY RECAP *********************************************************************
localhost : ok=25 changed=12 unreachable=0 failed=1
(truncated, view all with --long)
deploy_stderr: |
- One or more compute resources failed to deploy:
(undercloud) [stack@undercloud ~]$ openstack stack resource list -n 5 overcloud | egrep -i -v complete
+-------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| resource_name | physical_resource_id | resource_type | resource_status | updated_time | stack_name |
+-------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| AllNodesDeploySteps | 2d31c0b6-6236-4da5-95fb-5d1749ba2a16 | OS::TripleO::PostDeploySteps | UPDATE_FAILED | 2021-06-23T07:38:01Z | overcloud |
| ComputeHssNonHtDeployment_Step1 | 791a93c5-dbda-4c2d-8a9d-8a53bfc3628b | OS::TripleO::DeploymentSteps | UPDATE_FAILED | 2021-06-23T07:39:43Z | overcloud-AllNodesDeploySteps-6r2xob336g4x |
| 11 | c9564fdd-065e-4867-9460-99aa7018a272 | OS::Heat::StructuredDeployment | CREATE_FAILED | 2021-06-23T07:39:46Z | overcloud-AllNodesDeploySteps-6r2xob336g4x-ComputeHssNonHtDeployment_Step1-tgx26cj3rcpl |
+-------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
- On such computes, the following errors are seen in certmonger:
[root@overcloud-compute-0 ~]# systemctl status certmonger -l
● certmonger.service - Certificate monitoring and PKI enrollment
Loaded: loaded (/usr/lib/systemd/system/certmonger.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2021-06-23 17:40:46 AEST; 1h 58min ago
Main PID: 33709 (certmonger)
Tasks: 1
Memory: 1.7M
CGroup: /system.slice/certmonger.service
└─33709 /usr/sbin/certmonger -S -p /var/run/certmonger.pid -n
Jun 23 17:40:46 overcloud-compute-0 ipa-submit[33712]: GSSAPI client step 1
Jun 23 17:40:46 overcloud-compute-0 ipa-submit[33712]: GSSAPI client step 1
Jun 23 17:40:46 overcloud-compute-0 ipa-submit[33712]: GSSAPI client step 2
Jun 23 17:40:48 overcloud-compute-0 certmonger[33709]: 2021-06-23 03:40:48 [33709] Server at https://ipa_host.localdomain/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Insufficient privilege to create a certificate with subject alt name 'overcloud-compute-0.localdomain'.).
Jun 23 17:40:48 overcloud-compute-0 certmonger[33811]: Request for certificate to be stored in file "/etc/contrail/ssl/certs/server.pem" rejected by CA.
Jun 23 17:40:52 overcloud-compute-0 certmonger[33709]: 2021-06-23 03:40:52 [33709] Server at https://ipa_host.localdomain/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'krbprincipalname=libvirt/overcloud-compute-0.internalapi.localdomain@ADMIN.LOCALDOMAIN,cn=services,cn=accounts,dc=localdomain'.).
Jun 23 17:40:53 overcloud-compute-0 certmonger[33709]: 2021-06-23 03:40:53 [33709] Server at https://ipa_host.localdomain/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'krbprincipalname=libvirt/overcloud-compute-0.internalapi.localdomain@ADMIN.LOCALDOMAIN,cn=services,cn=accounts,dc=localdomain'.).
Jun 23 17:40:53 overcloud-compute-0 certmonger[34214]: Request for certificate to be stored in file "/etc/pki/libvirt/servercert.pem" rejected by CA.
Jun 23 17:40:54 overcloud-compute-0 certmonger[33709]: 2021-06-23 03:40:54 [33709] Server at https://ipa_host.localdomain/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'krbprincipalname=libvirt-vnc/overcloud-compute-0.internalapi.localdomain@ADMIN.LOCALDOMAIN,cn=services,cn=accounts,dc=localdomain'.).
Jun 23 17:40:54 overcloud-compute-0 certmonger[34230]: Request for certificate to be stored in file "/etc/pki/libvirt-vnc/server-cert.pem" rejected by CA.
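The denials above fall into two classes: a subject alt name the requester is not permitted to use, and missing 'write' access to the 'userCertificate' attribute of a service entry. The following Python sketch is an added example, not part of the original article or of certmonger. It groups such log lines by class, affected host or principal, and certificate file; the function names and the `kind` labels are hypothetical.

```python
import re

# Log lines copied from the certmonger output above.
SAMPLE = """\
Jun 23 17:40:48 overcloud-compute-0 certmonger[33709]: 2021-06-23 03:40:48 [33709] Server at https://ipa_host.localdomain/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Insufficient privilege to create a certificate with subject alt name 'overcloud-compute-0.localdomain'.).
Jun 23 17:40:48 overcloud-compute-0 certmonger[33811]: Request for certificate to be stored in file "/etc/contrail/ssl/certs/server.pem" rejected by CA.
Jun 23 17:40:52 overcloud-compute-0 certmonger[33709]: 2021-06-23 03:40:52 [33709] Server at https://ipa_host.localdomain/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'krbprincipalname=libvirt/overcloud-compute-0.internalapi.localdomain@ADMIN.LOCALDOMAIN,cn=services,cn=accounts,dc=localdomain'.).
Jun 23 17:40:53 overcloud-compute-0 certmonger[33709]: 2021-06-23 03:40:53 [33709] Server at https://ipa_host.localdomain/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'krbprincipalname=libvirt/overcloud-compute-0.internalapi.localdomain@ADMIN.LOCALDOMAIN,cn=services,cn=accounts,dc=localdomain'.).
Jun 23 17:40:53 overcloud-compute-0 certmonger[34214]: Request for certificate to be stored in file "/etc/pki/libvirt/servercert.pem" rejected by CA.
Jun 23 17:40:54 overcloud-compute-0 certmonger[33709]: 2021-06-23 03:40:54 [33709] Server at https://ipa_host.localdomain/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'krbprincipalname=libvirt-vnc/overcloud-compute-0.internalapi.localdomain@ADMIN.LOCALDOMAIN,cn=services,cn=accounts,dc=localdomain'.).
Jun 23 17:40:54 overcloud-compute-0 certmonger[34230]: Request for certificate to be stored in file "/etc/pki/libvirt-vnc/server-cert.pem" rejected by CA.
"""

SAN = re.compile(r"create a certificate with subject alt name '([^']+)'")
ATTR = re.compile(r"Insufficient '(\w+)' privilege to the '(\w+)' attribute of entry '([^']+)'")
REJECTED = re.compile(r'stored in file "([^"]+)" rejected by CA')

def principal(dn):
    """Pull the Kerberos principal out of the IPA entry DN, else return the DN."""
    m = re.match(r"krbprincipalname=([^,]+)", dn)
    return m.group(1) if m else dn

def triage(text):
    """One finding per distinct IPA denial, paired with the certificate file.
    Assumption: a "rejected by CA" line belongs to the denials logged just
    before it, which is the ordering seen in the output above.
    """
    findings, pending = [], []
    for line in text.splitlines():
        san, attr, rej = SAN.search(line), ATTR.search(line), REJECTED.search(line)
        if rej:
            findings += [{"kind": k, "target": t, "file": rej.group(1)} for k, t in pending]
            pending = []
            continue
        if san:
            item = ("san_not_permitted", san.group(1))
        elif attr:
            item = (f"no_{attr.group(1)}_on_{attr.group(2)}", principal(attr.group(3)))
        else:
            continue
        if item not in pending:  # the same denial appears twice in the output above
            pending.append(item)
    # Denials with no rejection line yet are still reported, without a file.
    return findings + [{"kind": k, "target": t, "file": None} for k, t in pending]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f['kind']:<28} {f['target']}  ->  {f['file']}")
```

Run against the full `journalctl -u certmonger` text of each failed compute, this gives the list of SAN host names and service principals that the IPA server refused.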
Environment
- Red Hat OpenStack Platform 13.0 (RHOSP)