Project Quay: PROJQUAY-1615

Python LDAP module fails to verify SSL cert for LDAP in Quay 3.4


    • Type: Bug
    • Resolution: Obsolete
    • Priority: Critical
    • z-stream
    • quay-v3.4.0
    • quay
    • Quay Enterprise

      The following exception is seen in the log of the main app:

      gunicorn-web stdout | 2021-02-18 09:02:03,749 [294] [ERROR] [data.users.externalldap] Exception when trying to health check LDAP
      gunicorn-web stdout | Traceback (most recent call last):
      gunicorn-web stdout |   File "/quay-registry/data/users/externalldap.py", line 263, in ping
      gunicorn-web stdout |     with self._ldap.get_connection():
      gunicorn-web stdout |   File "/quay-registry/data/users/externalldap.py", line 82, in __enter__
      gunicorn-web stdout |     self._conn.simple_bind_s(self._user_dn, self._user_pw)
      gunicorn-web stdout |   File "/usr/local/lib64/python3.8/site-packages/ldap/ldapobject.py", line 445, in simple_bind_s
      gunicorn-web stdout |     msgid = self.simple_bind(who,cred,serverctrls,clientctrls)
      gunicorn-web stdout |   File "/usr/local/lib64/python3.8/site-packages/ldap/ldapobject.py", line 439, in simple_bind
      gunicorn-web stdout |     return self._ldap_call(self._l.simple_bind,who,cred,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls))
      gunicorn-web stdout |   File "/usr/local/lib64/python3.8/site-packages/ldap/ldapobject.py", line 331, in _ldap_call
      gunicorn-web stdout |     reraise(exc_type, exc_value, exc_traceback)
      gunicorn-web stdout |   File "/usr/local/lib64/python3.8/site-packages/ldap/compat.py", line 44, in reraise
      gunicorn-web stdout |     raise exc_value
      gunicorn-web stdout |   File "/usr/local/lib64/python3.8/site-packages/ldap/ldapobject.py", line 315, in _ldap_call
      gunicorn-web stdout |     result = func(*args,**kwargs)
      gunicorn-web stdout | ldap.SERVER_DOWN: {'desc': "Can't contact LDAP server", 'info': 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (EE certificate key too weak)'}
      gunicorn-web stdout | 2021-02-18 09:02:03,749 [294] [WARNING] [health.healthcheck] [FAILED HEALTH CHECK] {'services_expanded': {'registry_gunicorn': {'status': False, 'failure': 'Exception when checking worker health: http://localhost:8080/v1/_internal_ping'}, 'web_gunicorn': {'status': False, 'failure': 'Exception when checking worker health: http://localhost:8080/_internal_ping'}, 'service_key': {'status': True}, 'disk_space': {'status': True}, 'database': {'status': True}, 'auth': {'status': False, 'failure': '{\'desc\': "Can\'t contact LDAP server", \'info\': \'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (EE certificate key too weak)\'}'}}, 'notes': [], 'is_testing': False, 'config_provider': 'k8s', 'local_service_key_id': '6057487e8b53cb56d2b1098c3998dc839cb955d9978a55c565184e1e99d8b650', 'hostname': 'quay-registry-quay-app-7b9658db-pvknf'}

      The customer is using the following key sizes in their chain:

      Root CA -> 4096 bits
      Intermediate CA -> 4096 bits
      Issuing CA -> 2048 bits
      My certificate -> 4096 bits

      They cannot increase the issuing CA key size to 4096 bits (as per their PKI team), but that should not even be necessary; according to various sources that I found, the key should be at minimum 2048 bits.

      Please check.
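Added example (not from this issue or from Quay's code): it evaluates the chain key sizes reported above against the per-security-level RSA minimums from OpenSSL's SSL_CTX_set_security_level(3), reporting which certificate each level would reject and with which reason string (OpenSSL says "EE certificate key too weak" for the leaf and "CA certificate key too weak" for an issuer), and extracts the verify reason from the quoted log line. The chain, the log excerpt and the level table are constructed inputs; levels 2 and 3 are the ones RHEL's DEFAULT and FUTURE crypto policies select.

```python
import re

# Minimum RSA modulus OpenSSL accepts per security level (SSL_CTX_set_security_level(3)).
MIN_RSA_BITS = {0: 0, 1: 1024, 2: 2048, 3: 3072, 4: 7680, 5: 15360}

# Chain as reported in this issue, root first, leaf last: (name, is_ca, bits).
REPORTED_CHAIN = [
    ("Root CA", True, 4096),
    ("Intermediate CA", True, 4096),
    ("Issuing CA", True, 2048),
    ("Server (EE) certificate", False, 4096),
]

# Constructed excerpt of the python-ldap SERVER_DOWN log line quoted in the issue.
SAMPLE_LOG_LINE = (
    "ldap.SERVER_DOWN: {'desc': \"Can't contact LDAP server\", 'info': "
    "'error:1416F086:SSL routines:tls_process_server_certificate:"
    "certificate verify failed (EE certificate key too weak)'}"
)

_REASON_RE = re.compile(r"certificate verify failed \(([^)]+)\)")


def verify_reason(log_line):
    """Return the OpenSSL verify reason from a SERVER_DOWN log line, or None."""
    match = _REASON_RE.search(log_line)
    return match.group(1) if match else None


def weak_keys(chain, level):
    """Certificates whose RSA key is below the level's minimum, each paired with
    the reason string OpenSSL reports (EE for the leaf, CA for any issuer)."""
    minimum = MIN_RSA_BITS[level]
    return [(name, f"{'CA' if is_ca else 'EE'} certificate key too weak")
            for name, is_ca, bits in chain if bits < minimum]


def levels_producing(chain, reason):
    """Security levels at which verifying `chain` can yield the given reason."""
    return [lvl for lvl in MIN_RSA_BITS
            if any(r == reason for _, r in weak_keys(chain, lvl))]


if __name__ == "__main__":
    reason = verify_reason(SAMPLE_LOG_LINE)
    print("log reports:", reason)
    for lvl in MIN_RSA_BITS:
        print(f"SECLEVEL={lvl}:", weak_keys(REPORTED_CHAIN, lvl) or "chain accepted")
    print("levels consistent with the log:", levels_producing(REPORTED_CHAIN, reason))
```

To compare against what the LDAP server really presents, feed the key sizes printed by `openssl s_client -showcerts -connect host:636` into a chain list of the same shape.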

              Assignee: Unassigned
              Reporter: Ivan Bazulic (rhn-support-ibazulic)
              Votes: 0
              Watchers: 6