
ipv6: openssl error during cert generation for etcd and control-plane #12341

Open
@spnngl

Description

What happened?

An error occurs during the step TASK [etcd : Gen_certs | run cert generation script for etcd and kube control plane nodes], on this command:

# openssl req -new -key member-cluster-sandbox-master-001-key.pem -out member-cluster-sandbox-master-001.csr -subj /CN=etcd-member-cluster-sandbox-master-001 -config openssl.conf -verbose

Using configuration from openssl.conf
    Error checking request extension section v3_req
    4087A2A39D7F0000:error:11000076:X509 V3 routines:a2i_GENERAL_NAME:bad ip address:../openssl-3.2.3/crypto/x509/v3_san.c:556:value=[2001:42d0:304:300::3852]
    4087A2A39D7F0000:error:11000080:X509 V3 routines:X509V3_EXT_nconf_int:error in extension:../openssl-3.2.3/crypto/x509/v3_conf.c:48:section=v3_req, name=subjectAltName, value=@alt_names

The issue was the IPv6 address listed in openssl.conf; once removed, it worked.
I have ipv6_stack: false and enable_dual_stack_networks: false.

Using this:

# openssl --version
OpenSSL 3.2.3 3 Sep 2024 (Library: OpenSSL 3.2.3 3 Sep 2024)

# cat /etc/os-release
NAME="Flatcar Container Linux by Kinvolk"
ID=flatcar
ID_LIKE=coreos
VERSION=4230.1.1
VERSION_ID=4230.1.1
BUILD_ID=2025-04-30-1146
SYSEXT_LEVEL=1.0
PRETTY_NAME="Flatcar Container Linux by Kinvolk 4230.1.1 (Oklo)"
ANSI_COLOR="38;5;75"
HOME_URL="https://flatcar.org/"
BUG_REPORT_URL="https://issues.flatcar.org"
FLATCAR_BOARD="amd64-usr"
CPE_NAME="cpe:2.3:o:flatcar-linux:flatcar_linux:4230.1.1:*:*:*:*:*:*:*"

What did you expect to happen?

Cert generation without error

How can we reproduce it (as minimally and precisely as possible)?

Trying to generate IPv6 certs, I think?

OS

Flatcar Container Linux

Version of Ansible

ansible [core 2.18.6]
config file = None
configured module search path = ['/home/ldelannoy/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python3.13/site-packages/ansible
ansible collection location = /home/ldelannoy/.ansible/collections:/usr/share/ansible/collections
executable location = /usr/lib/python-exec/python3.13/ansible
python version = 3.13.3 (main, Jun 6 2025, 19:58:36) [GCC 14.3.0] (/usr/bin/python3.13)
jinja version = 3.1.6
libyaml = True

Version of Python

Python 3.13.3

Version of Kubespray (commit)

v2.28.0

Network plugin used

calico

Full inventory with variables

Command used to invoke ansible

ansible-playbook -i contrib/terraform/terraform.py -i inventory/common/hosts.yml -i inventory/cluster-sandbox/hosts.yml -e cluster_unique_identifier=cluster-sandbox -e ansible_ssh_private_key_file=/builds/infrastructure.tmp/SSH_PRIVATE_KEY -e '{"ansible_interpreter_python_fallback":["/opt/bin/pypy3/bin/python"]}' -e vlan_id=42 --limit= upgrade-cluster.yml --become --timeout=1200 --forks=5 -v --skip-tags=multus

Output of ansible run

fatal: [cluster-sandbox-master-001]: FAILED! => {"changed": true, "cmd": ["bash", "-x", "/opt/bin/etcd-scripts/make-ssl-etcd.sh", "-f", "/etc/ssl/etcd/openssl.conf", "-d", "/etc/ssl/etcd/ssl"], "delta": "0:00:00.103334", "end": "2025-06-18 15:59:25.049238", "msg": "non-zero return code", "rc": 1, "start": "2025-06-18 15:59:24.945904", "stderr": "+ set -o errexit\n+ set -o pipefail\n+ (( 4 ))\n+ case "$1" in\n+ CONFIG=/etc/ssl/etcd/openssl.conf\n+ shift 2\n+ (( 2 ))\n+ case "$1" in\n+ SSLDIR=/etc/ssl/etcd/ssl\n+ shift 2\n+ (( 0 ))\n+ '[' -z /etc/ssl/etcd/openssl.conf ']'\n+ '[' -z /etc/ssl/etcd/ssl ']'\n++ mktemp -d /tmp/etcd_cacert.XXXXXX\n+ tmpdir=/tmp/etcd_cacert.4YiDzO\n+ trap 'rm -rf "${tmpdir}"' EXIT\n+ cd /tmp/etcd_cacert.4YiDzO\n+ mkdir -p /etc/ssl/etcd/ssl\n+ '[' -e /etc/ssl/etcd/ssl/ca-key.pem ']'\n+ openssl genrsa -out ca-key.pem 2048\n+ openssl req -x509 -new -nodes -key ca-key.pem -days 36500 -out ca.pem -subj /CN=etcd-ca\n+ '[' -n 'cluster-sandbox-master-003 cluster-sandbox-master-002 cluster-sandbox-master-001' ']'\n+ for host in $MASTERS\n+ cn=cluster-sandbox-master-003\n+ openssl genrsa -out member-cluster-sandbox-master-003-key.pem 2048\n+ openssl req -new -key member-cluster-sandbox-master-003-key.pem -out member-cluster-sandbox-master-003.csr -subj /CN=etcd-member-cluster-sandbox-master-003 -config /etc/ssl/etcd/openssl.conf\n+ rm -rf /tmp/etcd_cacert.4YiDzO", "stderr_lines": ["+ set -o errexit", "+ set -o pipefail", "+ (( 4 ))", "+ case "$1" in", "+ CONFIG=/etc/ssl/etcd/openssl.conf", "+ shift 2", "+ (( 2 ))", "+ case "$1" in", "+ SSLDIR=/etc/ssl/etcd/ssl", "+ shift 2", "+ (( 0 ))", "+ '[' -z /etc/ssl/etcd/openssl.conf ']'", "+ '[' -z /etc/ssl/etcd/ssl ']'", "++ mktemp -d /tmp/etcd_cacert.XXXXXX", "+ tmpdir=/tmp/etcd_cacert.4YiDzO", "+ trap 'rm -rf "${tmpdir}"' EXIT", "+ cd /tmp/etcd_cacert.4YiDzO", "+ mkdir -p /etc/ssl/etcd/ssl", "+ '[' -e /etc/ssl/etcd/ssl/ca-key.pem ']'", "+ openssl genrsa -out ca-key.pem 2048", "+ openssl req -x509 -new -nodes -key ca-key.pem -days 36500 -out ca.pem -subj /CN=etcd-ca", "+ '[' -n 'cluster-sandbox-master-003 cluster-sandbox-master-002 cluster-sandbox-master-001' ']'", "+ for host in $MASTERS", "+ cn=cluster-sandbox-master-003", "+ openssl genrsa -out member-cluster-sandbox-master-003-key.pem 2048", "+ openssl req -new -key member-cluster-sandbox-master-003-key.pem -out member-cluster-sandbox-master-003.csr -subj /CN=etcd-member-cluster-sandbox-master-003 -config /etc/ssl/etcd/openssl.conf", "+ rm -rf /tmp/etcd_cacert.4YiDzO"], "stdout": "", "stdout_lines": []}

Anything else we need to know

No response
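A pre-flight check for the generated openssl.conf, added here as an example; it is not Kubespray's make-ssl-etcd.sh or its openssl.conf template, and the sample config, hostnames and addresses in it are constructed. The point it demonstrates is the one the error above makes visible: an `IP.N =` entry under `[alt_names]` must be a bare address, and the value OpenSSL echoes back (`value=[2001:42d0:304:300::3852]`) is the URL-host form with brackets, which `a2i_GENERAL_NAME` rejects as "bad ip address". The script rewrites bracketed literals to the bare form, flags values OpenSSL cannot accept at all (including scoped addresses with a `%zone` suffix), and so fails before `openssl req` would.

```python
"""Pre-flight check for IP subjectAltName entries in an OpenSSL config.

Added example, not Kubespray's make-ssl-etcd.sh or its openssl.conf template.
OpenSSL's `IP.N =` lines in [alt_names] take a bare address; the URL-host
form "[2001:db8::1]" fails in a2i_GENERAL_NAME with "bad ip address".
"""
import ipaddress
import re
import sys

# Constructed sample (hypothetical hostnames and documentation-range addresses):
# IP.3 is the bracketed form that breaks `openssl req -config`, IP.4 carries a
# zone id, which OpenSSL does not accept either.
SAMPLE_CONF = """\
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name

[req_distinguished_name]

[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
DNS.2 = cluster-sandbox-master-001
IP.1 = 127.0.0.1
IP.2 = 10.0.0.11
IP.3 = [2001:db8:304:300::3852]
IP.4 = 2001:db8::1%eth0
"""

_IP_LINE = re.compile(r"^(?P<key>IP\.\d+)\s*=\s*(?P<value>.*?)\s*$")
_SECTION = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")


def normalize_ip_san(value):
    """Return the bare address OpenSSL accepts, or None if it is not usable."""
    candidate = value.strip()
    # Strip URL-host brackets: "[2001:db8::1]" -> "2001:db8::1".
    if candidate.startswith("[") and candidate.endswith("]"):
        candidate = candidate[1:-1]
    try:
        addr = ipaddress.ip_address(candidate)
    except ValueError:
        return None
    # Python >= 3.9 parses "fe80::1%eth0"; OpenSSL will not take a zone id.
    if getattr(addr, "scope_id", None):
        return None
    return str(addr)


def check_alt_names(conf_text):
    """Validate and rewrite IP.N entries inside the [alt_names] section.

    Returns (fixed_conf, changed, invalid): the rewritten config, a list of
    (key, old, new) for normalized entries, and a list of (key, value) for
    entries OpenSSL would reject. Entries outside [alt_names] are untouched.
    """
    out, changed, invalid = [], [], []
    in_alt_names = False
    for line in conf_text.splitlines():
        section = _SECTION.match(line)
        if section:
            in_alt_names = section.group("name").strip() == "alt_names"
            out.append(line)
            continue
        m = _IP_LINE.match(line) if in_alt_names else None
        if not m:
            out.append(line)
            continue
        key, old = m.group("key"), m.group("value")
        new = normalize_ip_san(old)
        if new is None:
            invalid.append((key, old))
            out.append(line)
        elif new != old:
            changed.append((key, old, new))
            out.append(f"{key} = {new}")
        else:
            out.append(line)
    return "\n".join(out) + "\n", changed, invalid


if __name__ == "__main__":
    # Usage: check_alt_names.py [/etc/ssl/etcd/openssl.conf]; no argument runs the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    fixed, changed, invalid = check_alt_names(text)
    for key, old, new in changed:
        print(f"rewrote {key}: {old!r} -> {new!r}", file=sys.stderr)
    for key, value in invalid:
        print(f"INVALID {key}: {value!r} (openssl: bad ip address)", file=sys.stderr)
    sys.stdout.write(fixed)
    sys.exit(1 if invalid else 0)
```

Run against the real file before the cert script, the corrected config goes to stdout and the exit status is non-zero only when an entry cannot be repaired; bracket stripping is safe to apply automatically, whereas a scoped or otherwise unparseable value needs a human to decide what address was meant.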
