OpenShift Bugs: OCPBUGS-42480

Upgrade to 4.16 is blocked because root certificate has weak SHA1 signature algorithm


    • Critical
    • None
    • NE Sprint 260, NE Sprint 261
    • 2
    • Rejected
    • False
    • * Previously, the Ingress Operator prevented upgrades from {product-title} 4.15 to 4.16 if any certificate in the default certificate chain used the SHA-1 hashing algorithm. With this release, the Ingress Operator now only checks default leaf certificates for SHA-1 hash values, so that intermediate and root certificates in the default chain can continue to use SHA-1 hash values without blocking cluster upgrades. (link:https://issues.redhat.com/browse/OCPBUGS-42480[*OCPBUGS-42480*])
    • Bug Fix
    • Done
    • PXE suggested action: since this bug prevents upgrades it should be high priority; try to solve in the current sprint. Should this be an upgrade risk?
    • 10/14: Prevents upgrade to 4.16. Release notes done but needs a progress update. Customers are expecting a near-term 4.15.z that fixes this.

      Description of problem:

      Upgrade to OCP v4.16 is blocked because the root certificate has a weak SHA-1 signature algorithm.

      Actual results:

      Upgrade is blocked

      Expected results:

      The upgrade should be possible because the serving certificate uses the sha256WithRSAEncryption algorithm.

      Additional info:

      In OpenShift v4.15, ClusterVersion shows that the cluster cannot be upgraded because the default certificate contains the weak SHA-1 algorithm:
      
      ~~~
          - lastTransitionTime: "2024-08-08T06:03:44Z"
            message: 'Cluster operator ingress should not be upgraded between minor versions:
              Some ingresscontrollers are not upgradeable: ingresscontroller "default" is
              not upgradeable: OperandsNotUpgradeable: One or more managed resources are
              not upgradeable: certificate in secret openshift-ingress/custom-certs-default
              has weak SHA1 signature algorithm: SHA1-RSA (see https://docs.openshift.com/container-platform/4.16/release_notes/ocp-4-16-release-notes.html#ocp-4-16-sha-haproxy-support-removed_release-notes
              for more details)'
            reason: IngressControllersNotUpgradeable
            status: "False"
            type: UpgradeableClusterOperators
      ~~~    
      
      When checking the secret, there are three certificates in the cert chain, and only one of them, the root certificate, has SHA-1 as its signature algorithm.
      
      The serving cert of the secret is using sha256WithRSAEncryption.
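
      The check at the heart of this bug, both the 4.15 rule described in the report (any certificate in the chain with a SHA-1 signature blocks the upgrade) and the fixed rule from the release note (only the leaf, i.e. the serving certificate, is checked), can be reproduced offline. The script below is an added example, not Red Hat's or the Ingress Operator's code. It walks just enough DER to read the outer signatureAlgorithm of each certificate in a PEM bundle, classifies it, and reports whether the chain would be upgradeable under either rule. It assumes the bundle is in the usual tls.crt order (leaf first); a self-signed root's signature is never verified by a TLS client, since the trust anchor is identified by its key, which is why a SHA-1 root is harmless and the leaf-only rule is the right one. The sample chain is constructed in-code with a tiny DER encoder and is not a real certificate; it only mirrors the shape in the report (leaf and intermediate on SHA-256, root on SHA-1).

```python
import base64
import re
import sys

# Signature-algorithm OIDs (RFC 3279/4055/5758). "Weak" here means SHA-1 or worse.
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
WEAK_SIG_OIDS = {"1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5", "1.2.840.10045.4.1"}
PEM_CERT_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Content octets of an OBJECT IDENTIFIER -> dotted string."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    Return the OID in the outer signatureAlgorithm (the one a verifier acts on)."""
    tag, cert, _ = der_tlv(der, 0)
    _, _tbs, pos = der_tlv(cert, 0)  # skip tbsCertificate
    tag_alg, alg_id, _ = der_tlv(cert, pos)
    tag_oid, oid, _ = der_tlv(alg_id, 0)
    if tag != 0x30 or tag_alg != 0x30 or tag_oid != 0x06:
        raise ValueError("not a DER X.509 Certificate")
    return decode_oid(oid)

def pem_chain_to_der(pem_bytes):
    """Split a PEM bundle into DER blobs in file order (tls.crt puts the leaf first)."""
    return [base64.b64decode(b"".join(m.split())) for m in PEM_CERT_RE.findall(pem_bytes)]

def check_chain(pem_bytes, leaf_only=True):
    """Return (upgradeable, rows) with rows = [(index, role, algorithm, weak)].
    leaf_only=False reproduces the 4.15 rule from the report (any SHA-1 cert blocks);
    leaf_only=True reproduces the fix (only the serving certificate is checked)."""
    rows, blocking = [], []
    for i, der in enumerate(pem_chain_to_der(pem_bytes)):
        oid = signature_algorithm_oid(der)
        weak = oid in WEAK_SIG_OIDS
        rows.append((i, "leaf" if i == 0 else f"issuer[{i}]", SIG_ALG_NAMES.get(oid, oid), weak))
        if weak and (i == 0 or not leaf_only):
            blocking.append(i)
    return not blocking, rows

# --- constructed sample input (not real certificates) --------------------------
def _der(tag, content):
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)

def fake_cert_pem(sig_oid):
    """Outer Certificate shape with a dummy tbsCertificate: enough for the parser above."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _der(0x06, _oid(sig_oid)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" * 17)
    body = base64.encodebytes(_der(0x30, tbs + alg + sig))
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"-----END CERTIFICATE-----\n"

# Same shape as the report: leaf and intermediate on SHA-256, root on SHA-1.
SAMPLE_CHAIN = (fake_cert_pem("1.2.840.113549.1.1.11") + fake_cert_pem("1.2.840.113549.1.1.11")
                + fake_cert_pem("1.2.840.113549.1.1.5"))

if __name__ == "__main__":
    pem = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_CHAIN
    for rule in (False, True):
        ok, rows = check_chain(pem, leaf_only=rule)
        print(f"leaf_only={rule}: upgradeable={ok}; " + ", ".join(f"{r}={a}{'!' if w else ''}" for _, r, a, w in rows))
```

      To run it against the real chain from the report, dump the secret's certificate data to a file first, e.g. `oc get secret custom-certs-default -n openshift-ingress -o jsonpath='{.data.tls\.crt}' | base64 -d > chain.pem`, and pass `chain.pem` as the argument (the `tls.crt` key is the standard key of a kubernetes.io/tls secret; if your secret uses another key, adjust the jsonpath). Identifying the leaf by position is an assumption that holds for a normally assembled tls.crt; a production implementation should match subject/issuer to find the end-entity certificate rather than trust file order.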

            gspence@redhat.com Grant Spence
            rhn-support-shrsharm Shreya Sharma
            Shudi Li Shudi Li