Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Normal
Fix Version/s: None
Affects Version/s: 4.19.0
Component/s: MicroShift
Labels:
- microshift-no-backport

Activity Type:
Quality / Stability / Reliability
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
1
Severity:
None
Regression:
None

Target Backport Versions:
None
Target Version:

4.19.0
Release Blocker:
None
Sprint:
uShift Sprint 265
sprint_count:
1

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Release Note Status:
Done
Release Note Type:
Bug Fix
Release Note Text:

Hide
Previously, the specific cipher suites required by MicroShift etcd when using TLS 1.2 were not not included in the service's basic configuration file. As a result, MicroShift failed to start. With this release, the required cipher suites are in the configuration file by default and MicroShift can start normally when using TLS 1.2.

Show
Previously, the specific cipher suites required by MicroShift etcd when using TLS 1.2 were not not included in the service's basic configuration file. As a result, MicroShift failed to start. With this release, the required cipher suites are in the configuration file by default and MicroShift can start normally when using TLS 1.2.

Escape Reason:
None
Escape Impact:
None
Corrective Measures:
None
SDLC stage when should've been found:
None

Description of problem:

MicroShift's etcd requires configuring either of these 2 cipher suites when using TLS 1.2:

Jan 22 11:49:37 microshift-base-3603.local microshift[164996]: {"level":"warn","ts":"2025-01-22T11:49:37.201129Z","caller":"embed/serve.go:214","msg":"stopped secure grpc server due to error","error":"http2: TLSConfig.CipherSuites is missing an HTTP/2-required AES_128_GCM_SHA256 cipher (need at least one of TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 or TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)"}

If these are not present in the configuration file MicroShift will fail to start.

Version-Release number of selected component (if applicable):

4.19

How reproducible:

100%

Steps to Reproduce:

    1. Configure custom cipher suites using tls 1.2, excluding the ones in the description.
    2. Start microshift.
    3. Check the error in etcd failing to start.

Actual results:

Expected results:

Additional info:

links to

openshift/microshift#4451: OCPBUGS-48735: Fix default cipher suites when using TLS 1.2

RHEA-2024:11040 Red Hat build of MicroShift 4.19.z bug fix and enhancement update

Assignee:: Pablo Acevedo Montserrat

Reporter:: Pablo Acevedo Montserrat

Need Info From:: None

Contributors:: None

QA Contact:: Alejandro Gullón

Doc Contact:: Shauna Diaz

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Created:: 2025/01/22 12:21 PM

Updated:: 2025/07/16 1:43 PM

Resolved:: 2025/06/17 5:31 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates