Bug
Resolution: Unresolved
Major
4.17
Quality / Stability / Reliability
Description of problem:
The graph-builder container reports "unable to get issuer certificate" for the URL configured under the UpdateService.spec.releases CR. Some of the messages found:
ERROR graph_builder::graph] http transport error: error sending request for url (https://<url>/v2/): error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1915: (unable to get issuer certificate)
ERROR graph_builder::graph] error sending request for url (https://<url>/v2/): error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1915: (unable to get issuer certificate)
The appropriate configmap is already configured under the Image.config.spec.additionalTrustedCA CR with the required key 'updateservice-registry'. The test was done in a debug pod, and the pod is able to reach the URL normally with the openssl s_client and curl commands without any certificate issues.
The problem appears to be an issue on the application side in establishing or consuming the certificate correctly. The configmap is mounted as in the following example config:
$ oc get pod -n openshift-update-service <pod-name> -o yaml | grep -B1 "trusted-ca"
- mountPath: /etc/pki/ca-trust/extracted/pem
name: trusted-ca <----
--
path: tls-ca-bundle.pem
name: <configmap-name>
name: trusted-ca <----
$ oc debug pod/<pod-name> -c graph-builder -n openshift-update-service
sh-4.4$ ls /etc/pki/ca-trust/extracted/pem/
tls-ca-bundle.pem
sh-4.4$ cat /etc/pki/ca-trust/extracted/pem/*
-----BEGIN CERTIFICATE----- <-----
Version-Release number of selected component (if applicable):
Operator under version 5.0.3 and OCP cluster 4.17.23
How reproducible:
Steps to Reproduce:
1. 2. 3.
Actual results:
Expected results:
Additional info:
is related to:
OCPBUGS-18280 osus does not respect the trustedca in proxy/cluster resource when http/https is not set (POST)
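OpenSSL's verify documentation describes "unable to get issuer certificate" as the issuer of a looked-up certificate not being found, which normally means the list of trusted certificates is incomplete. The following is an added example, not part of the original report or of the operator's code: it lists the certificates in a CA bundle, such as the mounted tls-ca-bundle.pem, whose issuer is absent from that bundle. The function name missing_issuers is hypothetical, and matching is by distinguished name only (no signature check).

```shell
#!/usr/bin/env bash
# Added example: print the issuer DN of every certificate in a PEM bundle
# whose issuer certificate is not itself present in the bundle.
# Assumption: names are compared as RFC 2253 strings; signatures are not verified.

missing_issuers() {
    local bundle=$1 dir iss f
    dir=$(mktemp -d) || return 2

    # Split the bundle into one file per certificate (text before the
    # first BEGIN line is ignored).
    awk -v d="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n { print > (d "/cert" n ".pem") }
    ' "$bundle"

    # Pass 1: collect every subject name found in the bundle.
    for f in "$dir"/cert*.pem; do
        [ -e "$f" ] || continue
        openssl x509 -in "$f" -noout -subject -nameopt RFC2253 |
            sed 's/^subject= *//'
    done > "$dir/subjects"

    # Pass 2: a certificate is anchored if its issuer name is a subject in
    # the bundle (a self-signed root matches itself). Print the rest.
    for f in "$dir"/cert*.pem; do
        [ -e "$f" ] || continue
        iss=$(openssl x509 -in "$f" -noout -issuer -nameopt RFC2253 |
            sed 's/^issuer= *//')
        grep -qxF -- "$iss" "$dir/subjects" || printf '%s\n' "$iss"
    done

    rm -rf "$dir"
}

# Stand-alone use: pass the bundle path as the first argument, e.g.
#   ./check.sh /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
if [ "$#" -gt 0 ]; then
    missing_issuers "$1"
fi
```

Empty output means every certificate in the bundle chains, by name, to a self-signed root inside the same bundle; any printed DN is a CA certificate that would have to be added to the configmap.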