Bug 1289473

Summary: atomic-openshift-master - error loading cert pool from ca file - x509: negative serial number
Product: OpenShift Container Platform
Component: apiserver-auth
Version: 3.1.0
Hardware: Unspecified
OS: Linux
Status: CLOSED ERRATA
Severity: high
Priority: medium
Type: Bug
Doc Type: Bug Fix
Reporter: Andrej Golis <agolis>
Assignee: Jordan Liggitt <jliggitt>
QA Contact: weiwei jiang <wjiang>
CC: aos-bugs, eparis, erich, jcajka, jokerman, knakayam, mmccomas, pweil, tdawson, wsun
Clones: 1290472
Bug Depends On: 1290472
Last Closed: 2016-09-27 09:34:31 UTC

Description Andrej Golis 2015-12-08 09:16:14 UTC
Description of problem:

The atomic-openshift-master service fails to start due to a negative serial number in a CA certificate, which is needed for LDAPS authentication.

This is set up in the Ansible installer:

openshift_master_identity_providers: [{'name': 'my_ldap_provider',
'challenge': 'true', 'login': 'true', 'kind':
'LDAPPasswordIdentityProvider', 'attributes': {'id': ['dn'], 'email':
['mail'], 'name': ['cn'], 'preferredUsername': ['uid']}, 'bindDN': '',
'bindPassword': '', 'ca': '/etc/pki/tls/certs/ca-bundle.crt',
'insecure': 'false', 'url':
'ldap://ldap.example.com/ou=users,dc=example,dc=com?uid'}]

Steps to Reproduce:

systemctl start atomic-openshift-master

Actual results:

atomic-openshift-master[8827]: F1207 12:55:23.250834 8827
auth.go:114] error loading cert pool from ca file
/etc/pki/tls/certs/ca-bundle.crt: error reading
/etc/pki/tls/certs/ca-bundle.crt: x509: negative serial number

Expected results:

atomic-openshift-master starts successfully

Additional info:

https://github.com/golang/go/issues/8265
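
The error above names the bundle file but not the offending certificate. As an added diagnostic (not part of this bug report, of OpenShift, or of Go), the stdlib-only Python scanner below walks each PEM entry's DER just far enough to read the serialNumber INTEGER and reports which entries are negative; the DER helpers and the two fake certificates in SAMPLE_BUNDLE are constructed for demonstration and are not real certificates.

```python
# Which certificate(s) in a PEM CA bundle carry a negative serial (golang/go#8265)?
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def serial_of_der(der):
    """Return a DER certificate's serialNumber as a Python int, sign preserved."""
    tag, pos, _ = _read_tlv(der, 0)      # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, pos, _ = _read_tlv(der, pos)    # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("TBSCertificate is not a SEQUENCE")
    tag, start, end = _read_tlv(der, pos)
    if tag == 0xA0:                      # optional [0] EXPLICIT version precedes the serial
        tag, start, end = _read_tlv(der, end)
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    # DER INTEGER is big-endian two's complement: a set top bit means negative.
    return int.from_bytes(der[start:end], "big", signed=True)

def scan_bundle(pem_text):
    """Return [(index, serial)] for every certificate in the bundle, in file order."""
    return [(i, serial_of_der(base64.b64decode("".join(m.group(1).split()))))
            for i, m in enumerate(PEM_RE.finditer(pem_text))]

def negative_serials(pem_text):
    """Indices of bundle entries whose serial is negative (an RFC 5280 violation)."""
    return [i for i, s in scan_bundle(pem_text) if s < 0]

# Constructed sample input (an assumption, not a real bundle) ------------------
def _tlv(tag, value):  # short-form DER encoder, enough for the sample below
    return bytes([tag, len(value)]) + value
def _fake_cert(serial_bytes):  # hypothetical cert: only version + serialNumber, not valid
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, serial_bytes))
    return _tlv(0x30, tbs)
def _pem(der):
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(der).decode()
# Entry 0 has serial 0x1234; entry 1's leading byte 0x8f makes DER read it as negative.
SAMPLE_BUNDLE = _pem(_fake_cert(b"\x12\x34")) + _pem(_fake_cert(b"\x8f\x01\x02"))
```

Run negative_serials() over the real bundle to get the index of the entry to remove or replace; a CA whose serial's leading byte is 0x80 or higher needs a reissued certificate, since the DER integer itself is what the parser rejects.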

Comment 1 Jordan Liggitt 2015-12-10 14:43:40 UTC
Do we need a separate bz to track packaging the golang fix?

Comment 2 Jordan Liggitt 2015-12-10 14:45:42 UTC
Jakub, what do we need to do to pick up the fix for https://github.com/golang/go/issues/8265 in 1.4.x and 1.5.x streams?

Comment 3 Jordan Liggitt 2015-12-10 15:43:46 UTC
Opened https://bugzilla.redhat.com/show_bug.cgi?id=1290472 to track picking up the fix for RHEL

Comment 4 Jakub Čajka 2015-12-10 16:37:16 UTC
Asked upstream in issue 8265 if it is possible to include the fix in the next minor release (if that is what you meant).

Do you need a fix in Fedora? (Even if not, Fedora BZ would be nice :).)

Comment 5 Jordan Liggitt 2015-12-10 16:38:12 UTC
Yes, a fix is probably needed in Fedora as well. Should I clone the BZ to Fedora?

Comment 6 Jakub Čajka 2015-12-10 16:42:20 UTC
Yes, please.

Thanks

Comment 8 weiwei jiang 2016-07-22 08:25:18 UTC
Checked with atomic-openshift-3.3.0.8-1.git.0.42a01e6.el7.x86_64, and the bug has been fixed, so moving to VERIFIED.

Comment 10 errata-xmlrpc 2016-09-27 09:34:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1933