Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-13964

mtls CRL not working when using an intermediate CA

XMLWordPrintable

    • Critical
    • No
    • 2
    • Sprint 237
    • 1
    • Rejected
    • False
    • Hide

      None

      Show
      None
    • Hide
      Cause: When client TLS (mTLS) was configured on an ingress controller, if any of the client CA certificates included a CRL distribution point for a CRL issued by a different CA and that CRL expired, the mismatch between the distributing CA and the issuing CA caused the incorrect CRL to be downloaded.
      Consequence: The CRL bundle would be updated to contain an extra copy of the erroneously downloaded CRL, and the CRL that needed to be updated would be missing entirely. Because of the missing CRL, connections with valid client certificates may have been rejected with the error "unknown ca"
      Fix: Downloaded CRLs are now tracked by the CA that distributes them, rather than their issuing CA
      Result: When a CRL expires, the distributing CA's CRL distribution point is used to download an updated CRL. Valid client certificates will no longer be rejected.
      Show
      Cause: When client TLS (mTLS) was configured on an ingress controller, if any of the client CA certificates included a CRL distribution point for a CRL issued by a different CA and that CRL expired, the mismatch between the distributing CA and the issuing CA caused the incorrect CRL to be downloaded. Consequence: The CRL bundle would be updated to contain an extra copy of the erroneously downloaded CRL, and the CRL that needed to be updated would be missing entirely. Because of the missing CRL, connections with valid client certificates may have been rejected with the error "unknown ca" Fix: Downloaded CRLs are now tracked by the CA that distributes them, rather than their issuing CA Result: When a CRL expires, the distributing CA's CRL distribution point is used to download an updated CRL. Valid client certificates will no longer be rejected.

      This is a clone of issue OCPBUGS-9464. The following is the description of the original issue:

      Description of problem:

      mtls connection is not working when using an intermetiate CA appart from the root CA, both with CRL defined.
      The Intermediate CA Cert had a published CDP which directed to a CRL issued by the root CA.

      The config map in the openshift-ingress namespace contains the CRL as issued by the root CA. The CRL issued by the Intermediate CA is not present since that CDP is in the user cert and so not in the bundle.

      When attempting to connect using a user certificate issued by the Intermediate CA it fails with an error of unknown CA.

      When attempting to connect using a user certificate issued by the to Root CA the connection is successful.

      Version-Release number of selected component (if applicable):

      4.10.24

      How reproducible:
      Always

      Steps to Reproduce:

      1. Configure CA and intermediate CA with CRL
      2. Sign client certificate with the intermediate CA
      3. Configure mtls in openshift-ingress

      Actual results:

      When attempting to connect using a user certificate issued by the Intermediate CA it fails with an error of unknown CA.
      When attempting to connect using a user certificate issued by the to Root CA the connection is successful.

      Expected results:

      Be able to connect with client certificated signed by the intermediate CA

      Additional info:

              rfredett@redhat.com Ryan Fredette
              openshift-crt-jira-prow OpenShift Prow Bot
              Hongan Li Hongan Li
              Red Hat Employee
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated:
                Resolved: