Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Done-Errata
Priority: Major
Fix Version/s: 4.14.0
Affects Version/s: 4.10
Component/s: Networking / router
Labels:
- migrated_from_bz
- needs_manual_sfdc

Severity:
Critical
Story Points:
55
Sprint:
Sprint 234, Sprint 235, Sprint 236, Sprint 237
sprint_count:
4
Release Blocker:
Rejected
Architecture:

Unspecified
Release Note Text:

Hide
* Previously, when a client mutual TLS (mTLS) was configured on an ingress controller, if any of the client certificate authority (CA) certificates included a certificate revocation list (CRL) distribution point for a CRL issued by a different CA and that CRL expired, the mismatch between the distributing CA and the issuing CA caused the incorrect CRL to be downloaded. Consequently, the CRL bundle would be updated to contain an extra copy of the erroneously downloaded CRL, and the CRL that needed to be updated would be missing. Because of the missing CRL, connections with valid client certificates might have been rejected with the following error: `unknown ca`.
+
With this update, downloaded CRLs are now tracked by the CA that distributes them. When a CRL expires, the distributing CA's CRL distribution point is used to download an updated CRL. As a result, valid client certificates are no longer rejected. (link:https://issues.redhat.com/browse/OCPBUGS-9464[*~~OCPBUGS-9464~~*])

Show
* Previously, when a client mutual TLS (mTLS) was configured on an ingress controller, if any of the client certificate authority (CA) certificates included a certificate revocation list (CRL) distribution point for a CRL issued by a different CA and that CRL expired, the mismatch between the distributing CA and the issuing CA caused the incorrect CRL to be downloaded. Consequently, the CRL bundle would be updated to contain an extra copy of the erroneously downloaded CRL, and the CRL that needed to be updated would be missing. Because of the missing CRL, connections with valid client certificates might have been rejected with the following error: `unknown ca`. + With this update, downloaded CRLs are now tracked by the CA that distributes them. When a CRL expires, the distributing CA's CRL distribution point is used to download an updated CRL. As a result, valid client certificates are no longer rejected. (link: https://issues.redhat.com/browse/OCPBUGS-9464 [* OCPBUGS-9464 *])
Release Note Type:
Bug Fix
Release Note Status:
Done
Target Version:

4.14.0

SFDC Cases Counter:
SFDC Cases Links:

Description

Description of problem:

mtls connection is not working when using an intermetiate CA appart from the root CA, both with CRL defined.
The Intermediate CA Cert had a published CDP which directed to a CRL issued by the root CA.

The config map in the openshift-ingress namespace contains the CRL as issued by the root CA. The CRL issued by the Intermediate CA is not present since that CDP is in the user cert and so not in the bundle.

When attempting to connect using a user certificate issued by the Intermediate CA it fails with an error of unknown CA.

When attempting to connect using a user certificate issued by the to Root CA the connection is successful.

Version-Release number of selected component (if applicable):

4.10.24

How reproducible:
Always

Steps to Reproduce:

1. Configure CA and intermediate CA with CRL
2. Sign client certificate with the intermediate CA
3. Configure mtls in openshift-ingress

Actual results:

When attempting to connect using a user certificate issued by the Intermediate CA it fails with an error of unknown CA.
When attempting to connect using a user certificate issued by the to Root CA the connection is successful.

Expected results:

Be able to connect with client certificated signed by the intermediate CA

Additional info:

Attachments

Issue Links

blocks

OCPBUGS-13964 mtls CRL not working when using an intermediate CA

Closed

is cloned by

OCPBUGS-13964 mtls CRL not working when using an intermediate CA

Closed

links to

openshift/cluster-ingress-operator#930: OCPBUGS-6661, OCPBUGS-9464: Move mTLS CRL handling into the router, and fix accidental duplication of CRLs

openshift/cluster-ingress-operator#938: Revert "OCPBUGS-6661, OCPBUGS-9464: Move mTLS CRL handling into the router, and fix accidental duplication of CRLs"

openshift/cluster-ingress-operator#939: OCPBUGS-6661, OCPBUGS-9464: Move mTLS CRL handling into the router, and fix accidental duplication of CRLs

openshift/router#472: OCPBUGS-6661, OCPBUGS-9464: Handle mTLS CRLs, and fix accidental CRL duplication

RHEA-2023:5006 rpm

(2 links to)

Activity

People

Assignee:: Ryan Fredette

Reporter:: Maria Del Mar Alonso

QA Contact:: Hongan Li

Contributing Groups:: Red Hat Employee

Votes:: 0 Vote for this issue

Watchers:: 21 Start watching this issue

Dates

Created:: 2022/08/15 11:42 AM

Updated:: 2024/02/23 6:03 PM

Resolved:: 2023/10/31 1:36 PM