OCPBUGS-43063 (project: OpenShift Bugs)

Router should support SHA-1 CA certificates in the default certificate chain


    • Critical
    • None
    • 1
    • NE Sprint 260, NE Sprint 261
    • 2
    • Rejected
    • False
    • N/A: Nothing was fixed with this bug. This 4.16 bug was required to satisfy automation for 4.15.
    • Release Note Not Required
    • Done

      Note: This 4.16 bug was created to satisfy automation for fixing the 4.15 bug OCPBUGS-42480. OCPBUGS-42480 is NOT a backport, but instead a fix going directly into the 4.15 z-stream release. This 4.16.z bug is just for verifying that 4.16.z won't have a regression once 4.15.z is fixed.

      Description of problem:

      The router should function properly with SHA-1 CA Certificates in the default certificate chain (given the serving/leaf cert is not using SHA-1). The default certificate is provided on the IngressController at spec.defaultCertificate. The router should be able to start & restart successfully as well as serve traffic.

      Version-Release number of selected component (if applicable):

      4.16

      How reproducible:

      0% (see note)  

      Steps to Reproduce:

         1. Create a certificate chain where the root or intermediate CA uses SHA1 but the leaf (serving) certificate does not:
      
      wildcard="*.$(oc get ingresses.config/cluster -o jsonpath='{.spec.domain}')"
      
      openssl req -x509 -sha1 -newkey rsa:2048 -days 3650 -keyout exampleca.key -out exampleca.crt -addext "keyUsage=cRLSign, digitalSignature, keyCertSign" -addext "extendedKeyUsage=serverAuth,clientAuth" -nodes -subj '/C=US/ST=SC/L=Default City/O=Default Company Ltd/OU=Test CA/CN=www.exampleca.com/emailAddress=example@example.com'
      openssl req -newkey rsa:2048 -nodes -keyout example.key -out example.csr -subj '/CN=www.example.com/ST=SC/C=US/emailAddress=example@example.com/O=Example/OU=Example'
      openssl x509 -req -days 3650 -sha256 -in example.csr -CA exampleca.crt -CAcreateserial -CAkey exampleca.key -extensions ext -extfile <(echo $'[ext]\nbasicConstraints = CA:FALSE\nsubjectKeyIdentifier = none\nauthorityKeyIdentifier = none\nextendedKeyUsage=serverAuth,clientAuth\nkeyUsage=nonRepudiation, digitalSignature, keyEncipherment\nsubjectAltName = DNS:'"$wildcard") -out example.crt
      
      
         2. Configure this certificate chain as spec.defaultCertificate on the default IngressController:
      
      cat example.crt exampleca.crt > example-combo.crt
      oc create secret -n openshift-ingress tls router-cert --key=example.key --cert=example-combo.crt
      oc create configmap custom-ca --from-file=ca-bundle.crt=exampleca.crt -n openshift-config
      oc patch proxy/cluster --type=merge --patch='{"spec":{"trustedCA":{"name":"custom-ca"}}}'
      
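      # Now patch router-cert to spec.defaultCertificate.name on default ingresscontroller
      oc patch ingresscontroller/default -n openshift-ingress-operator --type=merge --patch='{"spec":{"defaultCertificate":{"name":"router-cert"}}}'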
      
         3. Check the ingresscontroller or clusteroperator status
         4. Curl the canary route

      Actual results:

      Curl succeeds and Cluster is upgradeable

      Expected results:

      Curl succeeds and Cluster is upgradeable

      Additional info:

       

            gspence@redhat.com Grant Spence
            rhn-support-shrsharm Shreya Sharma
            Shudi Li Shudi Li
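
An added example, not part of the bug report or of OpenShift's own code: a pre-flight check for the bundle built in step 2 (example-combo.crt) that lists each certificate's signature algorithm and CA flag, so you can confirm SHA-1 appears only on CA certificates before the secret is created. The script name, function names, verdict labels and the non-zero exit for a SHA-1 leaf are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the bug report. Usage: sh audit-bundle.sh example-combo.crt

# verdict SIGALG IS_CA -> ok | sha1-ca (the case this bug covers) | sha1-leaf | unparsed
verdict() {
  [ "$#" -eq 2 ] || { echo unparsed; return; }
  case $(printf '%s' "$1" | tr '[:upper:]' '[:lower:]') in
    *sha1*) if [ "$2" = yes ]; then echo sha1-ca; else echo sha1-leaf; fi ;;
    *) echo ok ;;
  esac
}

# Reads `openssl x509 -noout -text` output on stdin and prints
# "<signature algorithm> <yes|no>", where yes means basicConstraints CA:TRUE.
cert_fields() {
  awk '/Signature Algorithm:/ && !alg { alg = $3 }
       /CA:TRUE/ { ca = "yes" }
       END { print alg, (ca ? ca : "no") }'
}

# Prints one line per certificate in the bundle, in file order (leaf first in
# example-combo.crt). Returns 1 if a non-CA certificate is SHA-1 signed, which
# is an assumption of this example: the report only covers SHA-1 on CA certs.
audit_bundle() {
  bundle=$1; rc=0; idx=0; pem=
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in *"BEGIN CERTIFICATE"*) pem=$line; continue ;; esac
    [ -n "$pem" ] || continue   # skip private keys and other non-certificate lines
    pem="$pem
$line"
    case $line in *"END CERTIFICATE"*) ;; *) continue ;; esac
    fields=$(printf '%s\n' "$pem" | openssl x509 -noout -text | cert_fields)
    v=$(verdict $fields)        # unquoted on purpose: splits into alg and yes|no
    subj=$(printf '%s\n' "$pem" | openssl x509 -noout -subject)
    printf '%s\t%s\t%s\t%s\n' "$idx" "$v" "$fields" "$subj"
    [ "$v" = sha1-leaf ] && rc=1
    idx=$((idx + 1)); pem=
  done < "$bundle"
  return "$rc"
}

# Constructed excerpt of `openssl x509 -text` output, used when no file is given.
sample_ca_text() {
  printf '%s\n' '    Signature Algorithm: sha1WithRSAEncryption' \
                '            X509v3 Basic Constraints: critical' \
                '                CA:TRUE'
}

if [ "$#" -gt 0 ]; then audit_bundle "$1"; else verdict $(sample_ca_text | cert_fields); fi
```

RSA-PSS certificates print their hash on a separate Hash Algorithm line in openssl's text output, which this check does not read.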