Bug 1686942 - [3.7] asb pod in crashloopbackoff because of tls: bad certificate [NEEDINFO]
Summary: [3.7] asb pod in crashloopbackoff because of tls: bad certificate
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Service Broker
Version: 3.7.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 3.7.0
Assignee: Shawn Hurley
QA Contact: Zhang Cheng
Depends On:
Reported: 2019-03-08 17:20 UTC by Asmita
Modified: 2019-03-21 10:14 UTC (History)
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-03-14 14:00:37 UTC
Target Upstream Version:
agawand: needinfo? (shurley)

Description Asmita 2019-03-08 17:20:02 UTC
Description of problem:

The ASB pod is in CrashLoopBackOff because of the error below.

Using config file mounted to /etc/ansible-service-broker/config.yaml
==           Starting Ansible Service Broker...           ==
[2019-03-07T16:09:19.666Z] [NOTICE] Initializing clients...
[2019-03-07T16:09:19.666Z] [INFO] == ETCD CX ==
[2019-03-07T16:09:19.666Z] [INFO] EtcdHost: asb-etcd.openshift-ansible-service-broker.svc
[2019-03-07T16:09:19.666Z] [INFO] EtcdPort: 2379
[2019-03-07T16:09:19.666Z] [INFO] Endpoints: [https://asb-etcd.openshift-ansible-service-broker.svc:2379 ]
[2019-03-07T16:09:19.687Z] [ERROR] client: etcd cluster is unavailable or misconfigured; error #0: remote error: tls: bad certificate

The signer of the asb-etcd and asb pod certificates is the same.

Additional info:

Comment 1 Shawn Hurley 2019-03-14 14:00:37 UTC
These certs are generated during install time to secure the communication between asb and its etcd. Please use the ansible playbook to re-install the broker. 

The ASB and ETCD have a generated CA cert that is used by the etcd pod to verify that the ASB (using certs signed by that CA) is valid to connect to etcd. This is usually housed in asb-etcd.

This is the task that does this generation for a 3.9 cluster.
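
The trust relationship described in Comment 1, as an added Go example that is not part of the bug report or the broker's code: it checks whether a client certificate actually chains to a given CA, because two CAs can carry the same subject name with different keys, so matching issuer names alone does not prove the signer. The helper names (`must`, `newCert`, `VerifiesAgainst`) and the certificate names are constructed for illustration; real certificates would be loaded from the cluster's secrets instead.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // abort the demo on a setup error
	if err != nil {
		panic(err)
	}
	return v
}

// newCert: self-signed CA when parent is nil, else a client cert signed by parentKey.
func newCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// VerifiesAgainst runs the chain check a TLS server applies to a client cert.
func VerifiesAgainst(client, ca *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := client.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

func main() {
	caA, keyA := newCert("constructed-etcd-ca", nil, nil)
	caB, _ := newCert("constructed-etcd-ca", nil, nil) // same subject name, different key
	client, _ := newCert("constructed-broker-client", caA, keyA)
	fmt.Printf("issuer name matches caB: %v\nverify vs caA: %v\nverify vs caB: %v\n", client.Issuer.String() == caB.Subject.String(), VerifiesAgainst(client, caA), VerifiesAgainst(client, caB))
}
```

A nil result from `VerifiesAgainst` means the signature chain is valid; a non-nil error against a CA whose name matches the issuer indicates the CA key differs from the one that signed the client certificate.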

Comment 4 Shawn Hurley 2019-03-20 15:56:40 UTC

It appears from the customer case that the user is back up and running and having issues clearing some finalizers. I am unsure of what more info you need. 

Is this user's cluster a 3.9 cluster or a 3.7 cluster?


