OpenShift Bugs: OCPBUGS-60381

Hostedcluster error about two DNS names in SAN certificate


    • Quality / Stability / Reliability
    • All
    • Production
    • Proposed
    • Bug Fix
      Before this update, the hosted cluster rejected certificates with multiple SAN entries due to conflicting DNS names. As a consequence, users experienced certificate deployment failure with conflicting DNS names in Kubernetes API server SANs. With this release, certificate validation has been updated to allow multiple SAN entries. As a result, the hosted cluster now accepts certificates with multiple SAN entries, improving deployment flexibility.

      Description of problem:

          Hosted cluster has certificate deployed with two SAN entries

      Version-Release number of selected component (if applicable):

          OCP-4.17.z | ACM 2.12 | MCE 2.7.5

      How reproducible:

          Hosted cluster deployed with SAN certificate with two DNS hostnames.

       

      Steps to Reproduce:

          1. Deploy hosted cluster, use same certificate for API and OAuth Endpoint
          2. Error custom serving cert: Invalid value: []string{"api.prod-scale-spoke1-aws-us-east-1.prod-scale-mgmthub1-aws-us-east-1.itup.redhat.com", "oauth.prod-scale-spoke1-aws-us-east-1.prod-scale-mgmthub1-aws-us-east-1.itup.redhat.com"}: conflicting DNS names found in KAS SANs. Configuration is invalid
          ValidConfiguration condition is false: custom serving cert: Invalid value: []string{"api.prod-scale-spoke1-aws-us-east-1.prod-scale-mgmthub1-aws-us-east-1.itup.redhat.com", "oauth.prod-scale-spoke1-aws-us-east-1.prod-scale-mgmthub1-aws-us-east-1.itup.redhat.com"}: conflicting DNS names found in KAS SANs. Configuration is invalid

      Actual results:

          

      Expected results:

          Hosted cluster should allow certificate with multiple entries

      Additional info:

          Please see attached full hostedcluster manifest 

              jparrill@redhat.com Juan Manuel Parrilla Madrid
              rhit_ubhattar Ujjwal Bhattarai
              Wen Wang Wen Wang
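A pre-deployment check for the scenario in this report, where one certificate is shared by the API and OAuth endpoints: the Go example below is added here and is not code from the HyperShift project or the reporter. It parses a PEM certificate and returns the endpoint hostnames its SAN entries do not cover. The function names and the example.test hostnames are assumptions, and the sample certificate is constructed in-process.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// MissingHosts returns the hostnames not covered by the certificate's SAN entries (wildcards honoured).
func MissingHosts(certPEM []byte, hosts []string) (missing []string, err error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE PEM block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	for _, h := range hosts {
		if cert.VerifyHostname(h) != nil { // name check only, no chain or expiry validation
			missing = append(missing, h)
		}
	}
	return missing, nil
}

// SampleCert builds a constructed, self-signed certificate carrying the given DNS SANs.
func SampleCert(sans ...string) ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: sans,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	pemBytes, _ := SampleCert("api.hc.example.test", "oauth.hc.example.test")
	fmt.Println(MissingHosts(pemBytes, []string{"api.hc.example.test", "console.hc.example.test"}))
}
```

An empty result for both the API and OAuth hostnames means the single certificate names both endpoints.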