Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-26498

Router fails to start/reload with SHA1 cert due to OpenSSL 3.0 in RHEL9

    XMLWordPrintable

Details

    • Moderate
    • No
    • Sprint 247, Sprint 248, Sprint 249, Sprint 250, Sprint 251, Sprint 252, Sprint 253
    • 7
    • Rejected
    • False
    • Hide

      None

      Show
      None

    Description

      Description of problem:

         Due to RHEL9 incorporating OpenSSL 3.0, HaProxy will refuse to start if provided with a cert using SHA1-based signature algorithm. RHEL9 is being introduced in 4.16. This means customers updating from 4.15 to 4.16 with a SHA1 cert will find their router in a failure state.


My Notes from experimenting with various ways of using a cert in ingress:
- Routes with SHA1 spec.tls.certificate WILL prevent HaProxy from reloading/starting
- It is NOT limited to FIPs, I broke a non-FIPs cluster with this
- Routes with SHA1 spec.tls.caCertificate will NOT prevent HaProxy starting, but route is rejected, due to extended route validation failure:
    - lastTransitionTime: "2024-01-04T20:18:01Z"
      message: 'spec.tls.certificate: Invalid value: "redacted certificate data":
        error verifying certificate: x509: certificate signed by unknown authority
        (possibly because of "x509: cannot verify signature: insecure algorithm SHA1-RSA
        (temporarily override with GODEBUG=x509sha1=1)" while trying to verify candidate
        authority certificate "www.exampleca.com")'

- Routes with SHA1 spec.tls.destinationCACertificate will NOT prevent HaProxy from starting. It actually seems to work as expected
- IngressController with SHA1 spec.defaultCertificate WILL prevent HaProxy from starting.
- IngressController with SHA1 spec.clientTLS.clientCA will NOT prevent HaProxy from starting.

      Version-Release number of selected component (if applicable):

      4.16

      How reproducible:

      100%

      Steps to Reproduce:

          1. Create a Ingress Controller with spec.defaultCertificate or a Route with spec.tls.certificate as a SHA1 cert
    2. Roll out the router

      Actual results:

          Router fails to start

      Expected results:

          Router should start

      Additional info:

          We've previously documented via story in RHEL9 epic: https://issues.redhat.com/browse/NE-1449

The initial fix for this issue was merged as [https://github.com/openshift/router/pull/555].  This issue is currently causing some issues, notably causing the openshift/cluster-ingress-operator repository's {{TestRouteAdmissionPolicy}} E2E test to fail intermittently, which causes the e2e-azure, e2e-gcp-operator, and e2e-aws-operator CI jobs to fail intermittently.

      Attachments

        Issue Links

          blocks

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. NE-1441 Bump openshift-router image to RHEL9

          • Critical - To be worked on immediately following BLOCKER issues.
          • Testing

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-28928 Router fails to start/reload with SHA1 cert due to OpenSSL 3.0 in RHEL9

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • New

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-1689 Modifying a namespace or route label to opt-out of a router shard doesn't update the route admitted status

          • Normal - To be worked after urgent and high priorities are resolved. This term is chosen when the severity of an issue is relatively close to the level of effort to fix it. The existence of an easily implemented workaround can also lead to this priority level instead of a higher priority.
          • New
          duplicates

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. NE-1449 Set upgradeable=false in 4.15 if router cert is SHA1

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed
          is caused by

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. NE-1441 Bump openshift-router image to RHEL9

          • Critical - To be worked on immediately following BLOCKER issues.
          • Testing
          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-28928 Router fails to start/reload with SHA1 cert due to OpenSSL 3.0 in RHEL9

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • New
          relates to

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. NE-1477 Update CI origin test to use SHA256 certificates

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed
          links to

          GitHub openshift/api#1722: OCPBUGS-26498: Add UnservableInFutureVersions route status condition type

          GitHub openshift/cluster-ingress-operator#1014: [WIP] OCPBUGS-26498: Prevent upgrades for SHA1 default cert and SHA1 route certs

          GitHub openshift/origin#28710: OCPBUGS-26498: Add test for UpgradeValidation contention

          GitHub openshift/router#552: OCPBUGS-26498: Reject routes with SHA1 certs

          GitHub openshift/router#555: [WIP] OCPBUGS-26498: Upgrade Validation plugin for SHA1 certs

          GitHub openshift/router#575: "OCPBUGS-26498: Add Upgrade Validation force arguments for running E2E tests"

          GitHub openshift/router#587: OCPBUGS-26498: Optimize Upgrade Validation plugin by skipping unnecessary changes

          GitHub openshift/router#588: OCPBUGS-26498: Make ingressConditionsEqual more efficient

          Activity

            People

              gspence@redhat.com Grant Spence
              gspence@redhat.com Grant Spence
              Shudi Li Shudi Li
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated: