Masters and Workers Fail to Ignite Reporting Error 'x509: certificate has expired or not yet valid'
Environment
- Red Hat OpenShift Container Platform 4.x
Issue
- After creating new ignition files, masters and workers fail to ignite. The masters and workers loop with errors like:
    ignition[764]: GET error: get https://api-int.cluster.fqdn:22623/config/worker: x509: certificate has expired or not yet valid
Resolution
- Verify that the system clock of the system that generated the ignition files and the system clocks of the nodes being ignited are in sync.
Root Cause
- The system clock of the system being ignited is set to a time before the 'Not Before' time in the certificate being presented by the bootstrap node.
Diagnostic Steps
- Verify the system clock and/or time zone on the failing nodes. The validity times in the certificates are relative to GMT.
- Verify the validity of the certificate being presented by the bootstrap node.

    $ openssl s_client -connect api-int.cluster.fqdn:22623 | openssl x509 -noout -text
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: xxxxxxxxxxxxxxxxxxxxx (0xXXXXXXXXXXXXX)
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: OU = openshift, CN = root-ca
            Validity
                Not Before: Aug 6 03:33:42 2019 GMT
                Not After : Aug 3 03:33:43 2029 GMT
            Subject: CN = api-int.cluster.fqdn
            Subject Public Key Info:
            .........................................
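
Added example, not part of the original Red Hat solution: a shell function that compares a clock against the `notBefore`/`notAfter` lines printed by `openssl x509 -noout -dates`, which is the comparison that produces the error above. The function name `check_validity`, the sample clocks and the reliance on GNU `date -d` are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify a clock against a certificate's validity window.
# Reads `openssl x509 -noout -dates` output on stdin; $1 is the clock to test
# as seconds since the epoch (UTC). Assumes GNU date for `-d`.
check_validity() {
    now=$1 nb= na=
    while IFS='=' read -r key value; do
        case $key in
            notBefore) nb=$(date -u -d "$value" +%s) ;;
            notAfter)  na=$(date -u -d "$value" +%s) ;;
        esac
    done
    if [ -z "$nb" ] || [ -z "$na" ]; then
        echo "error: no notBefore/notAfter on stdin"
        return 2
    fi
    if [ "$now" -lt "$nb" ]; then
        echo "not-yet-valid $((nb - now))"   # seconds the clock is behind Not Before
    elif [ "$now" -gt "$na" ]; then
        echo "expired $((now - na))"         # seconds the clock is past Not After
    else
        echo "valid"
    fi
}

# Constructed sample in `-dates` format, using the validity values shown above.
SAMPLE_DATES='notBefore=Aug  6 03:33:42 2019 GMT
notAfter=Aug  3 03:33:43 2029 GMT'

# Constructed clocks: a node whose clock is a few hours behind GMT (for example
# local wall time set as if it were UTC), a correct clock, and one past expiry.
for clock in 'Aug 5 23:40:00 2019 GMT' 'Aug 6 03:40:00 2019 GMT' 'Aug 4 00:00:00 2029 GMT'; do
    printf '%s -> ' "$clock"
    printf '%s\n' "$SAMPLE_DATES" | check_validity "$(date -u -d "$clock" +%s)"
done

# Live use on a failing node:
#   openssl s_client -connect api-int.cluster.fqdn:22623 </dev/null 2>/dev/null |
#     openssl x509 -noout -dates | check_validity "$(date -u +%s)"
```

A `not-yet-valid` result on a node just after new ignition files were generated points at that node's clock or time zone setting rather than at the certificate.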
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.