Bug
Resolution: Done-Errata
Major
None
4.16.z
Critical
None
1
NE Sprint 260, NE Sprint 261
2
Rejected
False
N/A: Nothing was fixed with this bug. This 4.16 bug was required to satisfy automation for 4.15.
Release Note Not Required
Done
Note: This 4.16 bug was created to satisfy automation for fixing the 4.15 bug OCPBUGS-42480. OCPBUGS-42480 is NOT a backport, but a fix going directly into the 4.15 z-stream release. This 4.16.z bug exists only to verify that 4.16.z will not regress once 4.15.z is fixed.
Description of problem:
The router should function properly with SHA-1 CA certificates in the default certificate chain (provided the serving/leaf certificate does not itself use SHA-1). The default certificate is configured on the IngressController at spec.defaultCertificate. The router should start and restart successfully and serve traffic.
Version-Release number of selected component (if applicable):
4.16
How reproducible:
0% (see note)
Steps to Reproduce:
1. Create a certificate chain where the root or intermediate CA uses SHA1 but the leaf (serving) certificate does not:

   wildcard="*.$(oc get ingresses.config/cluster -o jsonpath={.spec.domain})"
   openssl req -x509 -sha1 -newkey rsa:2048 -days 3650 -keyout exampleca.key -out exampleca.crt -addext "keyUsage=cRLSign, digitalSignature, keyCertSign" -addext "extendedKeyUsage=serverAuth,clientAuth" -nodes -subj '/C=US/ST=SC/L=Default City/O=Default Company Ltd/OU=Test CA/CN=www.exampleca.com/emailAddress=example@example.com'
   openssl req -newkey rsa:2048 -nodes -keyout example.key -out example.csr -subj '/CN=www.example.com/ST=SC/C=US/emailAddress=example@example.com/O=Example/OU=Example'
   openssl x509 -req -days 3650 -sha256 -in example.csr -CA exampleca.crt -CAcreateserial -CAkey exampleca.key -extensions ext -extfile <(echo $'[ext]\nbasicConstraints = CA:FALSE\nsubjectKeyIdentifier = none\nauthorityKeyIdentifier = none\nextendedKeyUsage=serverAuth,clientAuth\nkeyUsage=nonRepudiation, digitalSignature, keyEncipherment\nsubjectAltName = DNS:'$wildcard) -out example.crt

2. Configure this certificate chain as spec.defaultCertificate on the default IngressController:

   cat example.crt exampleca.crt > example-combo.crt
   oc create secret -n openshift-ingress tls router-cert --key=example.key --cert=example-combo.crt
   oc create configmap custom-ca --from-file=ca-bundle.crt=exampleca.crt -n openshift-config
   oc patch proxy/cluster --type=merge --patch='{"spec":{"trustedCA":{"name":"custom-ca"}}}'
   # Now patch router-cert to spec.defaultCertificate.name on default ingresscontroller

3. Check the ingresscontroller or clusteroperator status
4. Curl the canary route
Actual results:
Curl succeeds and the cluster is upgradeable
Expected results:
Curl succeeds and the cluster is upgradeable
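The reproduction hinges on one property of X.509 path validation: the leaf's signature (made by the CA) is verified, but a trust anchor's own self-signature never is, so a SHA-1 self-signed root with a SHA-256 leaf still validates while a SHA-1-signed leaf does not. The following Go program, added here as an illustration and not code from the bug report or from OpenShift, builds the same two-certificate chain in memory with crypto/x509 (the standard library OpenShift's Go components use) and checks both cases. The domain apps.example.com and the hostname canary.apps.example.com are constructed stand-ins for the values `oc get ingresses.config/cluster` would return; it goes beyond the report by also building the SHA-1-leaf variant to show it is rejected.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain holds a CA certificate and the serving (leaf) certificate it signed,
// the two PEM blocks the reproduction steps concatenate into example-combo.crt.
type Chain struct {
	CA   *x509.Certificate
	Leaf *x509.Certificate
}

// signCert signs template with parentKey using alg and returns the parsed result.
func signCert(template, parent *x509.Certificate, pub *rsa.PublicKey, parentKey *rsa.PrivateKey, alg x509.SignatureAlgorithm) (*x509.Certificate, error) {
	template.SignatureAlgorithm = alg
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain mirrors step 1 of the report: a self-signed CA whose own signature
// uses caAlg, and a wildcard serving certificate for domain signed by that CA
// with leafAlg (the report uses -sha1 for the CA and -sha256 for the leaf).
func BuildChain(domain string, caAlg, leafAlg x509.SignatureAlgorithm) (*Chain, error) {
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	leafKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "www.exampleca.com"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(3650 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign | x509.KeyUsageDigitalSignature,
	}
	ca, err := signCert(caTmpl, caTmpl, &caKey.PublicKey, caKey, caAlg)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "www.example.com"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(3650 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		DNSNames:     []string{"*." + domain},
	}
	leaf, err := signCert(leafTmpl, ca, &leafKey.PublicKey, caKey, leafAlg)
	if err != nil {
		return nil, err
	}
	return &Chain{CA: ca, Leaf: leaf}, nil
}

// WeakSignatures reports whether the CA's self-signature and the leaf's
// signature use SHA-1. Path validation verifies the leaf's signature but never
// a trust anchor's self-signature, so only the leaf's algorithm decides.
func (c *Chain) WeakSignatures() (caSHA1, leafSHA1 bool) {
	isSHA1 := func(a x509.SignatureAlgorithm) bool {
		return a == x509.SHA1WithRSA || a == x509.ECDSAWithSHA1
	}
	return isSHA1(c.CA.SignatureAlgorithm), isSHA1(c.Leaf.SignatureAlgorithm)
}

// VerifyServing validates the leaf for hostname with the CA as the only trust
// anchor, as a TLS client reaching the canary route would.
func (c *Chain) VerifyServing(hostname string) error {
	roots := x509.NewCertPool()
	roots.AddCert(c.CA)
	_, err := c.Leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: hostname})
	return err
}

func main() {
	const domain = "apps.example.com" // constructed stand-in for the cluster ingress domain
	for _, leafAlg := range []x509.SignatureAlgorithm{x509.SHA256WithRSA, x509.SHA1WithRSA} {
		ch, err := BuildChain(domain, x509.SHA1WithRSA, leafAlg)
		if err != nil {
			panic(err)
		}
		caWeak, leafWeak := ch.WeakSignatures()
		fmt.Printf("CA SHA-1: %v, leaf SHA-1: %v, verify: %v\n", caWeak, leafWeak, ch.VerifyServing("canary."+domain))
	}
}
```

The first iteration reproduces the report's configuration and verifies cleanly; the second shows the same CA with a SHA-1-signed leaf, which Go rejects with an insecure-algorithm error. A preflight check that flags any SHA-1 signature in the bundle, including the anchor's self-signature, is therefore stricter than what path validation actually requires.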
Additional info:
- blocks: OCPBUGS-42480 Upgrade to 4.16 is blocked because root certificate has weak SHA1 signature algorithm (Closed)
- clones: OCPBUGS-42480 Upgrade to 4.16 is blocked because root certificate has weak SHA1 signature algorithm (Closed)
- links to: RHBA-2024:8260 OpenShift Container Platform 4.16.z bug fix update