- Bug
- Resolution: Won't Do
- 4.20
- Critical
Description of problem:
When a proxy configured in OCP presents a custom certificate with a negative serial number, connections to external services fail, e.g. cluster updates.
The reason is that [RFC5280|https://www.rfc-editor.org/rfc/rfc5280#section-4.1.2.2] requires serialNumber to be a non-negative integer. It is not in the Go changelog, but from Go 1.23 certificates with a negative serial number are no longer tolerated unless the "x509negativeserial=1" GODEBUG environment variable is set ([source|https://pkg.go.dev/crypto/x509#ParseCertificate]).
Version-Release number of selected component (if applicable):
How reproducible:
always
Steps to Reproduce:
1. Generate a certificate with negative serial number
2. Configure a proxy to return it
3. Configure OCP to use that proxy
4. Try to update cluster
Actual results:
`Message: Unable to retrieve available updates: Get "https://api.openshift.com/api/upgrades_info/v1/graph?arch=amd64&channel=stable-4.20&version=4.20.3": tls: failed to parse certificate from server: x509: negative serial number`
Expected results:
Update is successful, no OCP components log `tls: failed to parse certificate from server: x509: negative serial number` error.
Additional info:
The workaround is to set the `GODEBUG` environment variable to `x509negativeserial=1`, but this is not easy to do on all the components. We need a simple way to bypass the strict certificate check at cluster level.
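The following Go program is an added example, not code from this ticket or from any OpenShift component. It lets an administrator check a proxy CA bundle for negative serial numbers before the bundle reaches a cluster, and it reproduces the parse-time failure described above. The scan uses encoding/asn1 rather than crypto/x509, so it reports the bad certificate on any Go release instead of depending on Go 1.23 behaviour; the helper names (certSerial, negativeSerialCerts, sampleBundle) are this example's own. The test data is constructed in place: a throwaway self-signed certificate whose serial INTEGER is byte-patched to -1, since x509.CreateCertificate refuses to emit a negative serial itself.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/asn1"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// serialHead mirrors only the first two TBSCertificate fields (RFC 5280 4.1): the
// optional EXPLICIT [0] version and serialNumber. encoding/asn1 skips trailing SEQUENCE
// elements and decodes a negative INTEGER as-is, so this works on every Go release.
type serialHead struct {
	Version      int `asn1:"optional,explicit,default:0,tag:0"`
	SerialNumber *big.Int
}

// certSerial reads the serial number of a DER certificate without crypto/x509.
func certSerial(der []byte) (*big.Int, error) {
	var c struct{ TBS serialHead } // signatureAlgorithm and signatureValue are skipped
	if _, err := asn1.Unmarshal(der, &c); err != nil {
		return nil, err
	}
	return c.TBS.SerialNumber, nil
}

// negativeSerialCerts scans a PEM bundle (e.g. the CA bundle handed to a cluster-wide
// proxy) and returns the positions of CERTIFICATE blocks with a negative serial number.
func negativeSerialCerts(bundle []byte) ([]int, error) {
	bad := []int{}
	for i := 0; ; i++ {
		var block *pem.Block
		if block, bundle = pem.Decode(bundle); block == nil {
			return bad, nil
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		serial, err := certSerial(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("block %d: %w", i, err)
		}
		if serial.Sign() < 0 {
			bad = append(bad, i)
		}
	}
}

// sampleBundle builds constructed test data: a throwaway self-signed certificate with
// serial 0x7a, a copy whose serial INTEGER "02 01 7a" (the first INTEGER after the
// version) is patched to "02 01 ff" (-1 in two's complement), then the good one again.
func sampleBundle() ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(0x7a),
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	good, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	idx := bytes.Index(good, []byte{0x02, 0x01, 0x7a})
	if idx < 0 {
		return nil, fmt.Errorf("serial INTEGER not found")
	}
	bad := append([]byte(nil), good...) // signature no longer verifies; parsing fails first anyway
	bad[idx+2] = 0xff
	var buf bytes.Buffer
	for _, der := range [][]byte{good, bad, good} {
		pem.Encode(&buf, &pem.Block{Type: "CERTIFICATE", Bytes: der})
	}
	return buf.Bytes(), nil
}

func main() {
	bundle, err := sampleBundle()
	if err != nil {
		panic(err)
	}
	bad, err := negativeSerialCerts(bundle)
	fmt.Println("blocks with negative serial:", bad, err)
	// From Go 1.23, block 1 fails here with "x509: negative serial number" unless GODEBUG=x509negativeserial=1.
	for i := 0; ; i++ {
		var block *pem.Block
		if block, bundle = pem.Decode(bundle); block == nil {
			break
		}
		_, err := x509.ParseCertificate(block.Bytes)
		fmt.Printf("block %d: x509.ParseCertificate: %v\n", i, err)
	}
}
```

Running it with and without `GODEBUG=x509negativeserial=1` shows the toggle from the ticket: the scanner flags block 1 either way, while crypto/x509 on Go 1.23 or later only accepts that block when the GODEBUG setting is present. Pointing negativeSerialCerts at a real bundle is a cheap pre-deployment check that catches the problem before every Go-based component starts logging the error above.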
Previous KCSes related to specific products: