
[4.15] Routes with SHA1 CA certificate break HAProxy reloading

      *Cause*: The 4.15 router incorrectly assumed that only SHA1 leaf certificates were rejected by HAProxy in 4.16.
      *Consequence*: The router failed to block upgrades for SHA1 intermediate certificates, which caused HAProxy to fail in 4.16.
      *Fix*: The router now inspects all non-self-signed certificates and blocks upgrades to 4.16 for any that use SHA1.
      *Result*: Users won't accidentally upgrade into 4.16 with an intermediate certificate using SHA1, which causes the upgrade to fail.

      This is a clone of issue OCPBUGS-49391. The following is the description of the original issue:

      This is a clone of issue OCPBUGS-49390. The following is the description of the original issue:

      This is a clone of issue OCPBUGS-49389. The following is the description of the original issue:

      This is a clone of issue OCPBUGS-45290. The following is the description of the original issue:

      Description of problem:

          Routes with SHA1 CA certificates (spec.tls.caCertificate) break HAProxy preventing reload

      Version-Release number of selected component (if applicable):

          4.16

      How reproducible:

          Always

      Steps to Reproduce:

          1. Create a Route with SHA1 CA certificates

      Actual results:

          HAProxy router fails to reload

      Expected results:

          HAProxy router should either reject Routes with SHA1 CA certificates, or reload successfully

      Additional info:

          [ALERT]    (312) : config : parsing [/var/lib/haproxy/conf/haproxy.config:131] : 'bind unix@/var/lib/haproxy/run/haproxy-sni.sock' in section 'frontend' : 'crt-list' : error processing line 1 in file '/var/lib/haproxy/conf/cert_config.map' : unable to load chain certificate into SSL Context '/var/lib/haproxy/router/certs/test:test.pem': ca md too weak.

          [ALERT]    (312) : config : Error(s) found in configuration file : /var/lib/haproxy/conf/haproxy.config

          [ALERT]    (312) : config : Fatal errors found in configuration.

      This is a continuation/variant of https://issues.redhat.com/browse/OCPBUGS-26498

              People: Miciah Masters (mmasters1@redhat.com), OpenShift Prow Bot (openshift-crt-jira-prow), Shudi Li