Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-60483

Hostedcluster error about two DNS name in SAN certificate

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Normal Normal
    • 4.19.z
    • 4.17.z
    • HyperShift
    • Quality / Stability / Reliability
    • False
    • Hide

      None

      Show
      None
    • None
    • None
    • None
    • All
    • Production
    • None
    • None
    • None
    • Done
    • Bug Fix
    • Hide
      - Cause:
      The SAN validation for custom certificates in hc.spec.configuration.apiServer.servingCerts.namedCertificates was not properly handling wildcard DNS patterns (e.g., *.example.com), causing potential conflicts with internal KAS certificate SANs to go undetected.

      - Consequence:
      Wildcard DNS patterns in custom certificates could conflict with internal KAS certificate SANs without being detected, leading to certificate validation failures and potential deployment issues.

      - Fix:
      Enhanced DNS SAN conflict detection to include RFC-compliant wildcard support, implementing bidirectional conflict validation that properly handles wildcard patterns like *.example.com matching sub.example.com.

      - Result:
      Wildcard DNS patterns are now properly validated, preventing certificate conflicts and ensuring more reliable hosted cluster deployments with wildcard certificate support.
      Show
      - Cause: The SAN validation for custom certificates in hc.spec.configuration.apiServer.servingCerts.namedCertificates was not properly handling wildcard DNS patterns (e.g., *.example.com), causing potential conflicts with internal KAS certificate SANs to go undetected. - Consequence: Wildcard DNS patterns in custom certificates could conflict with internal KAS certificate SANs without being detected, leading to certificate validation failures and potential deployment issues. - Fix: Enhanced DNS SAN conflict detection to include RFC-compliant wildcard support, implementing bidirectional conflict validation that properly handles wildcard patterns like *.example.com matching sub.example.com. - Result: Wildcard DNS patterns are now properly validated, preventing certificate conflicts and ensuring more reliable hosted cluster deployments with wildcard certificate support.
    • None
    • None
    • None
    • None

      This is a clone of issue OCPBUGS-60381. The following is the description of the original issue:

      Description of problem:

          Hosted cluster has certificate deployed with two SAN entries

      Version-Release number of selected component (if applicable):

          OCP-4.17.z | ACM 2.12 | MCE 2.7.5

      How reproducible:

          Hosted cluster deployed with SAN certificate with two DNS hostnames.

       

      Steps to Reproduce:

          1. Deploy hosted cluster, use same certificate for API and OAuth Endpoint
    2. Error custom serving cert: Invalid value: []string{"api.prod-scale-spoke1-aws-us-east-1.prod-scale-mgmthub1-aws-us-east-1.itup.redhat.com", "oauth.prod-scale-spoke1-aws-us-east-1.prod-scale-mgmthub1-aws-us-east-1.itup.redhat.com"}: conflicting DNS names found in KAS SANs. Configuration is invalid
          ValidConfiguration condition is false: custom serving cert: Invalid value: []string{"api.prod-scale-spoke1-aws-us-east-1.prod-scale-mgmthub1-aws-us-east-1.itup.redhat.com", "oauth.prod-scale-spoke1-aws-us-east-1.prod-scale-mgmthub1-aws-us-east-1.itup.redhat.com"}: conflicting DNS names found in KAS SANs. Configuration is invalid

      Actual results:

      Expected results:

          Hosted cluster should allow certificate with multiple entries

      Additional info:

          Please see attached full hostedcluster manifest

              jparrill@redhat.com Juan Manuel Parrilla Madrid
              rhit_ubhattar Ujjwal Bhattarai
              None
              None
              Wen Wang Wen Wang
              None
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated:
                Resolved: