Project Quay / PROJQUAY-3021

Quay OMR default installation should provide CA Cert required by OCP Installer


    • Type: Bug
    • Resolution: Done
    • Priority: Critical
    • omr-v1.0.0
    • OMR

      Description:

      This issue was found when using OMR to deploy OCP in a disconnected environment. After deploying OMR 1.0 with all default settings ("./openshift-mirror-registry install -v --targetHostname quayomr10.qe.devcluster.openshift.com --targetUsername ec2-user -k ./sshkey --quayHostname quayomr10.qe.devcluster.openshift.com --initPassword password"), OMR generates a TLS certificate without a CA certificate, but a CA certificate is required by the OCP installation. That means that if OMR customers use the default OMR deployment, they cannot install OCP with OMR.

      Build:  mirror-registry-container-v1.0-3

      https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=1834022

      OCP Docs: https://docs.openshift.com/container-platform/4.9/installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.html#installation-launching-installer_installing-restricted-networks-aws-installer-provisioned

      additionalTrustBundle: |
          -----BEGIN CERTIFICATE-----
          <MY_TRUSTED_CA_CERT>
          -----END CERTIFICATE-----

      OMR default TLS Cert:

      openssl s_client -showcerts -connect quayomr10.qe.devcluster.openshift.com:8443
      CONNECTED(00000005)
      depth=0 C = US, ST = VA, L = New York, O = Quay, OU = Division, CN = quayomr10.qe.devcluster.openshift.com
      verify error:num=20:unable to get local issuer certificate
      verify return:1
      depth=0 C = US, ST = VA, L = New York, O = Quay, OU = Division, CN = quayomr10.qe.devcluster.openshift.com
      verify error:num=21:unable to verify the first certificate
      verify return:1
      ---
      Certificate chain
       0 s:/C=US/ST=VA/L=New York/O=Quay/OU=Division/CN=quayomr10.qe.devcluster.openshift.com
         i:/C=US/ST=VA/L=New York/O=Quay/OU=Division/CN=quayomr10.qe.devcluster.openshift.com
      -----BEGIN CERTIFICATE-----
      MIIF4jCCA8qgAwIBAgIUNJjK3fXxdqHSEAkNwFKDOqCnPp4wDQYJKoZIhvcNAQEL
      BQAwfzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAlZBMREwDwYDVQQHDAhOZXcgWW9y
      azENMAsGA1UECgwEUXVheTERMA8GA1UECwwIRGl2aXNpb24xLjAsBgNVBAMMJXF1
      YXlvbXIxMC5xZS5kZXZjbHVzdGVyLm9wZW5zaGlmdC5jb20wHhcNMjIwMTA1MDQw
      MzE3WhcNMjMwMTA1MDQwMzE3WjB/MQswCQYDVQQGEwJVUzELMAkGA1UECAwCVkEx
      ETAPBgNVBAcMCE5ldyBZb3JrMQ0wCwYDVQQKDARRdWF5MREwDwYDVQQLDAhEaXZp
      c2lvbjEuMCwGA1UEAwwlcXVheW9tcjEwLnFlLmRldmNsdXN0ZXIub3BlbnNoaWZ0
      LmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAJ2teINuus9RfZq3
      vYmICofHiGMxOM/D6d+0Qrifm4ZIK74kOPuUGpmNK4maHUqMaXvFdTsaiilHhDNT
      ihXwxJTs6/JALdeZ045M8YzJ/VaDq4BqL0EGTTcOuDAmT2qTEl92Cq01MqWOYO1P
      RcNLHicdchDqk0dGTf6e5GlCzIQw1glPklLLAtZxDIACrujdDuu8Sr1udCIS6xt2
      n2k69+6b+PjDkaAM9/Nl5UZYymS674ITAcuY7JyREjnMOa7VqjaFvKOQdnKTeGC5
      6267feVNWqLZ0rfvq6+7Pgbj+Tvtz9vNrIY9MCBNK0WLFlxvEwmWGZCpJp7/BQpS
      mT4Tz2/PbkmDJUuMzJAR/1QZcr8QNy16crCj7vUAbWKu1O8x/vZsjzmRzfh/rN5S
      cMszvLdCBXVC7tr4BLByWO8PagjgGrDsZK8xYbsoPKVPKMwnh8x9WFAUaaUxwOzi
      j3lTDPn18fJhoJSTwcbUsvD6bIY+WpBWdYYKbjlT1jCimL3oHvPg8SCpFV6J1/ux
      zgb+7VlyXpt0vw7xAFCU/pLoOYsqK+w9l71Gdo6mYCXi3ecezmhxiYdj05W7ZQTS
      9cF5UV8nXaoWBl7UbJEpBD+VP/cojMIgvHArx7RCaoe6Af2ETPyw7DDmz+PE7I8E
      oci4liAFLkBbA0/ONvODdE8r4Tt5AgMBAAGjVjBUMAsGA1UdDwQEAwIF4DATBgNV
      HSUEDDAKBggrBgEFBQcDATAwBgNVHREEKTAngiVxdWF5b21yMTAucWUuZGV2Y2x1
      c3Rlci5vcGVuc2hpZnQuY29tMA0GCSqGSIb3DQEBCwUAA4ICAQAvHJcRcD/QFk1f
      dc0gT3J0LSlEwarzPw1X0MrcQd1w1g0uNV9eEjGv5/0b7yBQV+/DCifCX+u7jnZu
      Xpypt2H7BAr20xx6wtjfQ60aVmp2cvTtWZIGzQ4sO9D/GIge5CXViqgttBsb7bp8
      WHkfYxRkBdz87cCgPIAnE01MvnQ+7LYNRJQ9DZzK4kmB+ShkXn9CrtvCRYLmFjXp
      s6R0trZIx/u6ZjjlY3Tdi0kFWRKcZdAvubEnN2jDPY4AMI9KwTKlfoDaTqIo6Xg1
      liKtuyAh5Hm31lUzgwpuKULua38qdjlfZGJoWkWNWfzEGgZt5+hCN7P2h1XfpPyO
      +N3gdBQLtOAo0jjvKBZGZasIvjqysbBba9Sct1FB5ViwHpl1e8uXhWn/68EZt99n
      ozXqJ22kuWJWYRbbTsAGleDaMswRa5TQxf8PB0Cti92Audev2QjUGRyO8OReUBA7
      1y07vXQZZ4FCCrEkHhQrlrt+Mm/5+yNmsE0S/4tGkgZMualRow9B4G1ZWWZBeCt3
      Snpn0pjqOxJjviwChT8ePDJ8QWUhJmc7q+/yqbluTYLxpwxEeG63DGMR+0riegfV
      YJ/Y9Mfx8d+Nc5OgU57BKghvAMrr3AAG5NCsflpG98VcwVQBLw1wMglkqxdiIyx/
      ssqwCBEo5LRry3AGZXA2/CQZSFWw/g==
      -----END CERTIFICATE-----
      ---
      Server certificate
      subject=/C=US/ST=VA/L=New York/O=Quay/OU=Division/CN=quayomr10.qe.devcluster.openshift.com
      issuer=/C=US/ST=VA/L=New York/O=Quay/OU=Division/CN=quayomr10.qe.devcluster.openshift.com
      ---
      No client certificate CA names sent
      Server Temp Key: ECDH, X25519, 253 bits
      ---
      SSL handshake has read 2403 bytes and written 289 bytes
      ---
      New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
      Server public key is 4096 bit
      Secure Renegotiation IS supported
      Compression: NONE
      Expansion: NONE
      No ALPN negotiated
      SSL-Session:
          Protocol  : TLSv1.2
          Cipher    : ECDHE-RSA-AES128-GCM-SHA256
          Session-ID: 8966FA9BD309CAF95D39CE6CD3FDB51783265B651863B90C8CE0D0F06EDC6F9F
          Session-ID-ctx:
          Master-Key: EA213191F88633E1552DBE6AFC8810C3B04EF58BDD0CD6E17CE7C79F942D85D36F3584699123BC9FFC03873CDCA225D1
          TLS session ticket lifetime hint: 7200 (seconds)
          TLS session ticket:
          0000 - cb 33 a5 f4 02 b0 cd 09-29 7f 9c aa c6 0e d9 e5   .3......).......
          0010 - a9 af 03 cf 5f 72 f9 43-6b cb fb 21 70 ec 3c fa   ...._r.Ck..!p.<.
          0020 - e5 8f 24 b3 a4 f9 98 7e-08 75 11 03 ca bd c0 5e   ..$....~.u.....^
          0030 - 60 12 12 ab 6a 04 ad a9-12 77 ce 61 51 19 f4 77   `...j....w.aQ..w
          0040 - e8 5e 27 71 9b cc 97 92-d0 9d 09 fd 89 3c 76 cf   .^'q.........<v.
          0050 - 61 07 86 48 31 98 0c ed-9d 52 39 b4 9d 4a 5d 56   a..H1....R9..J]V
          0060 - 74 31 f6 d1 82 09 d8 9d-47 65 52 7a d7 3d 4d ff   t1......GeRz.=M.
          0070 - 97 33 08 15 a1 d9 0e 60-2f af 55 c5 02 01 23 d4   .3.....`/.U...#.
          0080 - 22 b0 7a 0b c2 a1 9b 63-78 c4 64 b5 2b 27 9b 86   ".z....cx.d.+'..
          0090 - 92 40 ef 90 00 c0 28 98-cb 99 fc 4f 43 4f 7d 44   .@....(....OCO}D
          00a0 - 38 ef de 68 cf e6 f7 31-c2 3a 7c 1a e3 10 85 02   8..h...1.:|.....
          Start Time: 1641448131
          Timeout   : 7200 (sec)
          Verify return code: 21 (unable to verify the first certificate)
      ---
      closed 

      OCP installation failed because the OMR endpoint could not be trusted:

      Jan 06 07:30:41 ip-10-0-5-173 bootkube.sh[220939]: Error: unable to pull quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:6ac56740ab9d9685e2630c017f14237a53b3e1f8903e9c077f48a78d6c7c134b: unable to pull image: Error initializing source docker://quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:6ac56740ab9d9685e2630c017f14237a53b3e1f8903e9c077f48a78d6c7c134b: (Mirrors also failed: [quayomr10.qe.devcluster.openshift.com:8443/ocp46/ocp4652@sha256:6ac56740ab9d9685e2630c017f14237a53b3e1f8903e9c077f48a78d6c7c134b: error pinging docker registry quayomr10.qe.devcluster.openshift.com:8443: Get "https://quayomr10.qe.devcluster.openshift.com:8443/v2/": x509: certificate signed by unknown authority]): quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:6ac56740ab9d9685e2630c017f14237a53b3e1f8903e9c077f48a78d6c7c134b: Error reading manifest sha256:6ac56740ab9d9685e2630c017f14237a53b3e1f8903e9c077f48a78d6c7c134b in quay.io/openshift-release-dev/ocp-v4.0-art-dev: unauthorized: access to the requested resource is not authorized
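As an added example (not part of this issue, and not mirror-registry or OpenShift code): a small Python script that takes the text of an openssl s_client -showcerts run like the one above, parses every PEM block with a minimal DER reader from the standard library, and reports whether the chain contains a certificate carrying the basicConstraints cA flag, i.e. something that can be placed in additionalTrustBundle as a CA. The embedded sample is the leaf certificate from the openssl output above (its base64 lines joined in pairs, which base64 decoding does not care about); the function and variable names are my own.

```python
"""Report whether the chain a registry presents (text of `openssl s_client -showcerts`) contains a CA
certificate. Uses a minimal DER reader from the standard library; no third-party modules."""
import base64
import re

ATTR = {b"\x55\x04\x06": "C", b"\x55\x04\x08": "ST", b"\x55\x04\x07": "L",   # DN attribute OIDs
        b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU", b"\x55\x04\x03": "CN"}
OID_BASIC_CONSTRAINTS = b"\x55\x1d\x13"                                       # 2.5.29.19
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def name_to_str(name):
    """Render an X.501 Name; the first attribute of each RDN is enough here."""
    parts, pos = [], 0
    while pos < len(name):
        _, rdn, pos = read_tlv(name, pos)          # SET OF AttributeTypeAndValue
        _, atv, _ = read_tlv(rdn, 0)               # SEQUENCE { type OID, value }
        _, oid, p = read_tlv(atv, 0)
        _, val, _ = read_tlv(atv, p)
        parts.append(f"{ATTR.get(oid, oid.hex())}={val.decode('utf-8', 'replace')}")
    return ", ".join(parts)

def basic_constraints_ca(tbs, pos):
    """cA flag of the basicConstraints extension, or None when the extension is absent."""
    while pos < len(tbs):
        tag, body, pos = read_tlv(tbs, pos)
        if tag != 0xA3:                        # [3] EXPLICIT Extensions
            continue
        _, exts, _ = read_tlv(body, 0)         # SEQUENCE OF Extension
        p = 0
        while p < len(exts):
            _, ext, p = read_tlv(exts, p)
            _, oid, q = read_tlv(ext, 0)
            if oid != OID_BASIC_CONSTRAINTS:
                continue
            tag, val, q = read_tlv(ext, q)
            if tag == 0x01:                    # optional 'critical' BOOLEAN precedes the value
                _, val, q = read_tlv(ext, q)
            _, bc, _ = read_tlv(val, 0)        # OCTET STRING wraps the BasicConstraints SEQUENCE
            if not bc:
                return False                   # empty SEQUENCE: cA defaults to FALSE
            t, flag, _ = read_tlv(bc, 0)
            return t == 0x01 and flag[0] != 0
    return None

def analyze_cert(pem):
    """Parse one PEM certificate; return subject, issuer, self-signed flag and cA flag."""
    lines = (l.strip() for l in pem.splitlines())
    der = base64.b64decode("".join(l for l in lines if l and not l.startswith("-----")))
    _, cert, _ = read_tlv(der, 0)              # Certificate
    _, tbs, _ = read_tlv(cert, 0)              # tbsCertificate
    tag, _, pos = read_tlv(tbs, 0)             # [0] version, or serialNumber for a v1 cert
    if tag == 0xA0:
        _, _, pos = read_tlv(tbs, pos)         # serialNumber
    _, _, pos = read_tlv(tbs, pos)             # signature AlgorithmIdentifier
    _, issuer, pos = read_tlv(tbs, pos)
    _, _, pos = read_tlv(tbs, pos)             # validity
    _, subject, pos = read_tlv(tbs, pos)
    _, _, pos = read_tlv(tbs, pos)             # subjectPublicKeyInfo
    return {"subject": name_to_str(subject), "issuer": name_to_str(issuer),
            "self_signed": issuer == subject,  # identical DER Names => self-signed
            "ca": basic_constraints_ca(tbs, pos)}

def chain_report(s_client_output):
    """Analyze every PEM block in the output; has_ca_cert is what a trust bundle needs."""
    certs = [analyze_cert(p) for p in PEM_RE.findall(s_client_output)]
    has_ca = any(c["ca"] for c in certs)
    return {"certs": certs, "has_ca_cert": has_ca,
            "verdict": "chain includes a CA certificate" if has_ca
            else "no CA certificate in the presented chain"}

# Leaf certificate exactly as printed by the issue's openssl s_client run (base64 lines joined in pairs).
OMR_LEAF_PEM = """-----BEGIN CERTIFICATE-----
MIIF4jCCA8qgAwIBAgIUNJjK3fXxdqHSEAkNwFKDOqCnPp4wDQYJKoZIhvcNAQELBQAwfzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAlZBMREwDwYDVQQHDAhOZXcgWW9y
azENMAsGA1UECgwEUXVheTERMA8GA1UECwwIRGl2aXNpb24xLjAsBgNVBAMMJXF1YXlvbXIxMC5xZS5kZXZjbHVzdGVyLm9wZW5zaGlmdC5jb20wHhcNMjIwMTA1MDQw
MzE3WhcNMjMwMTA1MDQwMzE3WjB/MQswCQYDVQQGEwJVUzELMAkGA1UECAwCVkExETAPBgNVBAcMCE5ldyBZb3JrMQ0wCwYDVQQKDARRdWF5MREwDwYDVQQLDAhEaXZp
c2lvbjEuMCwGA1UEAwwlcXVheW9tcjEwLnFlLmRldmNsdXN0ZXIub3BlbnNoaWZ0LmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAJ2teINuus9RfZq3
vYmICofHiGMxOM/D6d+0Qrifm4ZIK74kOPuUGpmNK4maHUqMaXvFdTsaiilHhDNTihXwxJTs6/JALdeZ045M8YzJ/VaDq4BqL0EGTTcOuDAmT2qTEl92Cq01MqWOYO1P
RcNLHicdchDqk0dGTf6e5GlCzIQw1glPklLLAtZxDIACrujdDuu8Sr1udCIS6xt2n2k69+6b+PjDkaAM9/Nl5UZYymS674ITAcuY7JyREjnMOa7VqjaFvKOQdnKTeGC5
6267feVNWqLZ0rfvq6+7Pgbj+Tvtz9vNrIY9MCBNK0WLFlxvEwmWGZCpJp7/BQpSmT4Tz2/PbkmDJUuMzJAR/1QZcr8QNy16crCj7vUAbWKu1O8x/vZsjzmRzfh/rN5S
cMszvLdCBXVC7tr4BLByWO8PagjgGrDsZK8xYbsoPKVPKMwnh8x9WFAUaaUxwOzij3lTDPn18fJhoJSTwcbUsvD6bIY+WpBWdYYKbjlT1jCimL3oHvPg8SCpFV6J1/ux
zgb+7VlyXpt0vw7xAFCU/pLoOYsqK+w9l71Gdo6mYCXi3ecezmhxiYdj05W7ZQTS9cF5UV8nXaoWBl7UbJEpBD+VP/cojMIgvHArx7RCaoe6Af2ETPyw7DDmz+PE7I8E
oci4liAFLkBbA0/ONvODdE8r4Tt5AgMBAAGjVjBUMAsGA1UdDwQEAwIF4DATBgNVHSUEDDAKBggrBgEFBQcDATAwBgNVHREEKTAngiVxdWF5b21yMTAucWUuZGV2Y2x1
c3Rlci5vcGVuc2hpZnQuY29tMA0GCSqGSIb3DQEBCwUAA4ICAQAvHJcRcD/QFk1fdc0gT3J0LSlEwarzPw1X0MrcQd1w1g0uNV9eEjGv5/0b7yBQV+/DCifCX+u7jnZu
Xpypt2H7BAr20xx6wtjfQ60aVmp2cvTtWZIGzQ4sO9D/GIge5CXViqgttBsb7bp8WHkfYxRkBdz87cCgPIAnE01MvnQ+7LYNRJQ9DZzK4kmB+ShkXn9CrtvCRYLmFjXp
s6R0trZIx/u6ZjjlY3Tdi0kFWRKcZdAvubEnN2jDPY4AMI9KwTKlfoDaTqIo6Xg1liKtuyAh5Hm31lUzgwpuKULua38qdjlfZGJoWkWNWfzEGgZt5+hCN7P2h1XfpPyO
+N3gdBQLtOAo0jjvKBZGZasIvjqysbBba9Sct1FB5ViwHpl1e8uXhWn/68EZt99nozXqJ22kuWJWYRbbTsAGleDaMswRa5TQxf8PB0Cti92Audev2QjUGRyO8OReUBA7
1y07vXQZZ4FCCrEkHhQrlrt+Mm/5+yNmsE0S/4tGkgZMualRow9B4G1ZWWZBeCt3Snpn0pjqOxJjviwChT8ePDJ8QWUhJmc7q+/yqbluTYLxpwxEeG63DGMR+0riegfV
YJ/Y9Mfx8d+Nc5OgU57BKghvAMrr3AAG5NCsflpG98VcwVQBLw1wMglkqxdiIyx/ssqwCBEo5LRry3AGZXA2/CQZSFWw/g==
-----END CERTIFICATE-----"""

if __name__ == "__main__":                     # argv[1]: a saved s_client output; default: the sample
    import sys
    print(chain_report(open(sys.argv[1]).read() if len(sys.argv) > 1 else OMR_LEAF_PEM)["verdict"])
```

Run it with a saved s_client output as the first argument, or with no argument to analyze the embedded sample. On the certificate above it finds a single certificate whose issuer DN equals its subject DN (self-signed) and which carries no basicConstraints extension at all, so the verdict is that the presented chain contains no CA certificate; that is exactly the state in which containers/image reports "x509: certificate signed by unknown authority", as in the bootkube log above. A chain from a deployment that ships a proper CA certificate would include a block whose cA flag is True, and that block is the one to paste into additionalTrustBundle.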

              doconnor@redhat.com Dave O'Connor
              lzha1981 luffy zhang