OpenShift Bugs: OCPBUGS-12907

InvalidProviderInvalidCertsUpgradeable: Server certificates without SAN detected: {provider="LDAP"}.


    • Type: Bug
    • Resolution: Done
    • Priority: Normal
    • Affects Version: 4.10
    • Component: oauth-apiserver
    • Severity: Moderate
    • Sprint: Auth - Sprint 236, Auth - Sprint 237

      Description of problem:

      Initially, the OCP 4.9 cluster was configured with an LDAP IDP. The LDAP server had a certificate without a Subject Alternative Name (SAN), which caused login issues after upgrading to OpenShift 4.10.

      It was resolved by correcting the certificate on the LDAP server side to carry the hostname as a SAN, as described in KCS https://access.redhat.com/solutions/6786941.

      But the authentication CO status still complains: "message: Cluster operator authentication should not be upgraded between minor versions: InvalidProviderInvalidCertsUpgradeable: Server certificates without SAN detected: {provider="LDAP"}. These have to be replaced to include the respective hosts in their SAN extension and not rely on the Subject's CN for the purpose of hostname verification".

      Login works correctly, but this false alert is still triggered; it should be removed from the spec.status field of the authentication CO.

      Version-Release number of selected component (if applicable):

       

      How reproducible:

      Reproducible

      Steps to Reproduce:

      1. Configure LDAP (with certificates that have no SAN) as an IDP on a cluster of version 4.9.
      2. Upgrade the cluster to 4.10 and then correct the certificate on the LDAP server side to carry the hostname as a SAN.
      3. Check the status of authentication CO.
       $ oc get co authentication -o json | jq '.status.conditions'
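The certificate property behind the Upgradeable condition, as an added Go example that is not the oauth-apiserver's or the authentication operator's code: it builds three constructed self-signed server certificates for the hypothetical host ldap.example.com (one that names the host only in its Subject CN, one with the host in its SAN extension, and one whose SAN names a different host), then reports whether a SAN extension is present and whether Go's crypto/x509 hostname verification accepts the certificate for that host. The hostname, the helper names and the short labels returned by classify are assumptions for illustration, not the operator's reason strings.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// oidSubjectAltName is the X.509 Subject Alternative Name extension (id-ce 17).
var oidSubjectAltName = asn1.ObjectIdentifier{2, 5, 29, 17}

// newSelfSignedCert builds a constructed self-signed server certificate for
// illustration only. With an empty sans list the certificate names the host
// solely in its Subject CN, the situation the Upgradeable condition complains about.
func newSelfSignedCert(cn string, sans []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     sans, // nil means no SAN extension is emitted at all
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// hasSANExtension reports whether the certificate carries a SAN extension,
// regardless of which names that extension lists.
func hasSANExtension(cert *x509.Certificate) bool {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidSubjectAltName) {
			return true
		}
	}
	return false
}

// hostnameVerifies reports whether crypto/x509 accepts the certificate for host.
// Since Go 1.15 this consults only the SAN entries; the Subject CN is ignored.
func hostnameVerifies(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

// classify maps a certificate to a short illustrative label (hypothetical names).
func classify(cert *x509.Certificate, host string) string {
	switch {
	case !hasSANExtension(cert):
		return "NoSAN"
	case !hostnameVerifies(cert, host):
		return "SANMissingHost"
	default:
		return "OK"
	}
}

func main() {
	host := "ldap.example.com" // constructed hostname for the example
	cases := []struct {
		label string
		sans  []string
	}{
		{"CN only, no SAN (original LDAP cert)", nil},
		{"SAN lists the host (corrected cert)", []string{host}},
		{"SAN present but for another host", []string{"other.example.com"}},
	}
	for _, c := range cases {
		cert, err := newSelfSignedCert(host, c.sans)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-40s hasSAN=%-5t verifies=%-5t -> %s\n",
			c.label, hasSANExtension(cert), hostnameVerifies(cert, host), classify(cert, host))
	}
}
```

The third case is the one to keep in mind when correcting a server certificate: adding a SAN extension is not enough by itself, the SAN must list the exact hostname the clients connect to, which is why the condition text speaks of "the respective hosts".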

      Actual results:

      - lastTransitionTime: "2023-03-01T08:15:44Z"
        message: 'AuthenticatorCertKeyProgressing: All is well'
        reason: AsExpected
        status: "False"
        type: Progressing
      - lastTransitionTime: "2023-03-02T01:01:24Z"
        message: All is well
        reason: AsExpected
        status: "True"
        type: Available
      - lastTransitionTime: "2022-12-22T09:03:06Z"
        message: 'InvalidProviderInvalidCertsUpgradeable: Server certificates without
          SAN detected: {provider="LDAP"}. These have to be replaced to include the respective
          hosts in their SAN extension and not rely on the Subject''s CN for the purpose
          of hostname verification.'
        reason: InvalidProviderInvalidCerts_InvalidCertsDetected
        status: "False"
        type: Upgradeable
      extension: null

      Expected results:

      The authentication CO YAML should not contain this false message in the spec.status field, as it is triggering false alerts.

      Additional info:

      The same issue was addressed in https://bugzilla.redhat.com/show_bug.cgi?id=2037274#c23 and was fixed in OpenShift Container Platform 4.9.25.

            surbania Sergiusz Urbaniak (Inactive)
            rhn-support-gio Ginilekshmi A O
            Debargha Mukherjee (Inactive)