[OCPBUGS-50684] Log certificate CN and issuer CN when cert verification fails - Red Hat Issue Tracker

Type: Bug
Resolution: Unresolved
Priority: Undefined
Fix Version/s: None
Affects Version/s: 4.17.z, 4.16.z, 4.18.z, 4.19.0
Component/s: kube-apiserver
Labels:
- feature-team-cert

Regression:
None
Sprint:
Feature Team Cert - Sprint 267
sprint_count:
1
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Target Version:

4.19.0
Target Backport Versions:

4.17.z, 4.16.z, 4.18.z

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

When apiserver rejects a connection with invalid certificate it outputs

E0213 06:23:55.085394       1 authentication.go:74] "Unable to authenticate the request" err="verifying certificate SN=5424633604232311936, SKID=, AKID=14:64:1A:3C:91:F9:81:EA:37:A8:64:3C:2E:64:B5:9E:7C:A4:19:52 failed: x509: certificate signed by unknown authority"

That makes certificate detection complicated, as we have to match known certs using serial number. Instead kube-apiserver should output Common Name and issuer's Common Name so that admins could identify faulty certificate easier

links to

Upstream PR 130540

Assignee:: Vadim Rutkovsky

Reporter:: Vadim Rutkovsky

QA Contact:: Ke Wang

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2025/02/13 12:05 PM

Updated:: 2025/03/04 2:19 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates

Hide