OCPBUGS-7579

[azure] failed to parse client certificate when using certificate-based Service Principal with passphrase


      Description of problem:

      On 4.13, the installer failed to parse the client certificate when using a certificate-based Service Principal with a passphrase. The error is as below:

      [fedora@preserve-jima 4.13.0-0.nightly-2023-02-13-235211]$ ./openshift-install create install-config --dir test             
      ? SSH Public Key /home/fedora/.ssh/openshift-qe.pub          
      ? Platform azure
      WARNING Using client certs to authenticate. Please be warned cluster does not support certs and only the installer does. 
      INFO Credentials loaded from file "/home/fedora/.azure/osServicePrincipal.json" 
      FATAL failed to fetch Install Config: failed to fetch dependency of "Install Config": failed to fetch dependency of "Base Domain": failed to generate asset "Platform": failed to parse client certificate: pkcs12: decryption password incorrect 
      
      The content of osServicePrincipal.json:
      [fedora@preserve-jima 4.13.0-0.nightly-2023-02-13-235211]$ cat ~/.azure/osServicePrincipal.json 
      {"subscriptionId":"xxxxx-xxx-xxx-xxx-xxx","clientId":"xxxxx-xxx-xxx-xxx-xxx","tenantId":"xxxxx-xxx-xxx-xxx-xxx","clientCertificate":"/home/fedora/azure/client-certs/cert.pfx","clientCertificatePassword":"PASSWORD"}

      When creating the PEM certificate and pfx file without a passphrase, the installer can parse the certs correctly and continue the installation.

      The issue also does not reproduce on 4.12 when using a certificate-based SP with/without a passphrase.

       

      Version-Release number of selected component (if applicable):

      4.13.0-0.nightly-2023-02-13-235211

      How reproducible:

      Always on 4.13

      Steps to Reproduce:

      1. Generate certificates pem and pfx file with passphrase
      2. Add the public cert to the existing Service Principal on the Azure portal, and configure ~/.azure/osServicePrincipal.json
      3. Trigger installation

      Actual results:

      The installer failed to parse the certificate.

      Expected results:

      Installation is successful.

      Additional info:

      Issue only happens on 4.13, certificate-based SP with passphrase

            rdossant Rafael Fonseca dos Santos
            jinyunma Jinyun Ma
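One way to rule out a wrong password or a damaged PFX before attributing `pkcs12: decryption password incorrect` to the installer, as an added example that is not part of the original report or the installer's code. It assumes the `openssl` CLI is installed; the helper names, file names and test passphrase are hypothetical, and only the `clientCertificate` and `clientCertificatePassword` keys come from the JSON shown above.

```shell
#!/usr/bin/env bash
# Added example: helper names, file names and passwords are constructed for illustration.

# json_field FILE KEY: value of a string field in a compact JSON file like the
# osServicePrincipal.json shown above (assumption: no escaped quotes in values).
json_field() {
  sed -n 's/.*"'"$2"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# make_test_pfx DIR PASSWORD: throwaway self-signed cert plus a PFX protected
# with PASSWORD (step 1 of the reproduction). The password is passed through
# the environment so it does not show up in the process argument list.
make_test_pfx() {
  local dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sp-pfx-test" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null &&
  PFX_PASS=$2 openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
    -out "$dir/cert.pfx" -passout env:PFX_PASS 2>/dev/null
}

# pfx_check FILE PASSWORD: prints ok | cannot-decrypt | unreadable.
# -noout makes openssl verify the MAC and decrypt without writing any key material.
pfx_check() {
  [ -r "$1" ] || { echo unreadable; return 2; }
  if PFX_PASS=$2 openssl pkcs12 -in "$1" -noout -passin env:PFX_PASS 2>/dev/null
  then echo ok
  else echo cannot-decrypt; return 1
  fi
}

# check_sp_json FILE: run pfx_check with the path and password taken from the JSON.
check_sp_json() {
  pfx_check "$(json_field "$1" clientCertificate)" \
            "$(json_field "$1" clientCertificatePassword)"
}

# Stand-alone use: pass the path to the service principal JSON as the first argument.
if [ $# -ge 1 ]; then check_sp_json "$1"; fi
```

If `check_sp_json` prints `ok` for the same file the installer rejects, the password and PFX are consistent and the failure lies in how the installer parses them.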