Dell APEX Cloud Platform for Red Hat OpenShift: Failure to create disconnected HCP-managed clusters due to certificate verification errors
Summary: Creating disconnected Hosted Control Plane (HCP) managed clusters fails with the error "failed to verify certificate: x509: certificate signed by unknown authority."
Symptoms
When following the admin guide to create a disconnected HCP-managed cluster, the process may fail. The UI console will display the error "failed to verify certificate: x509: certificate signed by unknown authority."


Cause
In a Dell APEX Cloud Platform for Red Hat OpenShift (ACP4OCP) cluster, two registries are required:
- An internal registry named depot-manager within the ACP4OCP Hub cluster for storing OCP and ACP manager images.
- An external registry to handle power outages.
However, during the HCP-managed cluster setup, the ACP4OCP hypershift component creates its own trustedCA based on the settings of the image.config.openshift.io resource and uses it to verify the OpenShift Container Platform (OCP) release image. If the additionalTrustedCA configuration includes two certificates and uses "|-" as the delimiter, hypershift does not add a line break after the first certificate, so the "-----END CERTIFICATE-----" line of the first certificate and the "-----BEGIN CERTIFICATE-----" line of the second certificate run together on one line. This causes both certificates to be considered invalid.
In YAML syntax, both "|-" and "|" are valid delimiters for multiline string values. The difference is the trailing newline: "|-" strips the final line break from the value, whereas "|" keeps it. When creating or modifying a "key/value" ConfigMap from the OCP web console, "|-" is used as the default delimiter.
To check whether the ConfigMap uses "|-" as the delimiter, run the following command on the ACP manager:
oc get configmap -n openshift-config acp-ingress-ca -o yaml

Resolution
To change the delimiter between each certificate's key name and its certificate value from "|-" to "|", perform the following steps:
- Run "oc edit configmap -n openshift-config acp-ingress-ca" on the ACP manager, change "|-" to "|", and save the changes in the ConfigMap.
- Restart the hypershift component pods with the command "oc delete pod -n hypershift --all".
- After the hypershift pods are ready, retry the HCP-managed cluster setup.
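The chomping difference described under Cause and the "|-" to "|" change in the steps above, as an added example that is not Dell's or hypershift's code: it reads a constructed acp-ingress-ca-style ConfigMap fragment, joins the certificate values with no line break between them as the Cause section describes hypershift doing, and counts how many PEM blocks a parser modelled on Go's encoding/pem rules would accept before and after the change. The hostnames, certificate bodies and the direct-concatenation model are assumptions made for illustration.

```python
import re

# Constructed fragment shaped like the acp-ingress-ca ConfigMap; hostnames and certificate bodies are placeholders.
CONFIGMAP_YAML = """\
data:
  depot-manager.example.local..5000: |-
    -----BEGIN CERTIFICATE-----
    MIIBdepotPLACEHOLDERBASE64
    -----END CERTIFICATE-----
  external-registry.example.local: |-
    -----BEGIN CERTIFICATE-----
    MIIBexternalPLACEHOLDERBASE64
    -----END CERTIFICATE-----
"""

def read_block_scalars(yaml_text):
    """Minimal reader for this ConfigMap shape, not a general YAML parser.
    Chomping rule at stake: '|-' drops the value's final newline, '|' keeps one."""
    values, key, keep_nl, body = {}, None, False, []
    for line in yaml_text.splitlines() + ["  _end: |"]:  # sentinel flushes last key
        m = re.match(r"^  (\S+): \|(-?)\s*$", line)
        if m:
            if key is not None:
                values[key] = "\n".join(body) + ("\n" if keep_nl else "")
            key, keep_nl, body = m.group(1), m.group(2) == "", []
        elif key is not None and line.startswith("    "):
            body.append(line[4:])
    return values

def hypershift_style_bundle(values):
    """Assumed model of the behaviour the article describes: values joined directly, no line break added."""
    return "".join(values.values())

def count_pem_certs(bundle):
    """Count blocks the way Go's encoding/pem (behind x509 trust pools) accepts
    them: BEGIN must start a line, and the END marker must close its line."""
    begin, end = "\n-----BEGIN ", "\n-----END "
    count, rest = 0, "\n" + bundle
    while begin in rest:
        type_line, _, rest = rest.split(begin, 1)[1].partition("\n")
        at = rest.find(end)
        if not type_line.endswith("-----") or at < 0:
            continue
        trailer = rest[at + len(end):].partition("\n")[0]
        if trailer.rstrip() != type_line:  # "CERTIFICATE----------BEGIN ..." fails here
            continue
        count, rest = count + 1, rest[at + len(end) + len(trailer):]
    return count
```

With "|-" the joined bundle yields zero usable certificates; replacing the indicator with "|" in the same text yields two.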
Affected Products
APEX Cloud Platform for Red Hat OpenShift
Article Properties
Article Number: 000226907
Article Type: Solution
Last Modified: 28 Aug 2024
Version: 1