Bug 1515395

Summary: Docker pull fails due to extension certificate
Product: Red Hat Enterprise Linux 7
Reporter: Jaroslav Spanko <jspanko>
Component: docker
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA
QA Contact: atomic-bugs <atomic-bugs>
Severity: medium
Priority: medium
Version: 7.4
CC: amurdaca, ddarrah, dornelas, jspanko, lsm5, marc.jadoul, rhowe, schoudha
Target Milestone: rc
Keywords: Extras
Hardware: Unspecified
OS: Unspecified
Fixed In Version: docker-1.13.1-55.rhel75.git774336d.el7
Clone Of:
: 1518583
Last Closed: 2018-04-11 00:01:10 UTC
Type: Bug
Bug Blocks: 1186913, 1494728, 1518583

Description Jaroslav Spanko 2017-11-20 18:06:07 UTC
Description of problem:
Docker pull fails because of an issue with a critical certificate extension
----------------
https://registry.redhat.io/containers/content/dist/rhel/server/7/7Server/x86_64/rhscl/1/containers/registry/rhscl/python-35-rhel7/manifests/sha256:be9df8f0385cb443c5c8ceabfa8b98aa3f213fa60ef1cd40c3649f650693df2e: tls: failed to parse certificate from server: x509: unhandled critical extension error: build error: unable to get registry.access.redhat.com/rhscl/python-35-rhel7@sha256:be9df8f0385cb443c5c8ceabfa8b98aa3f213fa60ef1cd40c3649f650693df2e
----------------

Environment is behind a proxy doing SSL decrypt/re-encrypt. As a temporary workaround, a 2nd proxy
was implemented to decrypt/re-encrypt the SSL again. This way, docker does not see the 'bad' certificate.

Version-Release number of selected component (if applicable):
RHEL 7.4
docker-1.12.6-55

How reproducible:
100%

Actual results:
docker pull fails with tls: failed to parse certificate from server: x509: unhandled critical extension

Expected results:
docker pull image once the 

Additional info:
The same problem was reported:
https://github.com/moby/moby/issues/35152

and a fix was committed:
https://go-review.googlesource.com/c/go/+/36900
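
A way to check which critical extensions Go's crypto/x509 leaves unhandled in a certificate, such as one presented by an intercepting proxy. This is an added example, not code from this bug report, Docker or the Go project; `sampleOID`, `makeSampleCert` and `diagnose` are hypothetical names, and the certificate is constructed test data with a made-up extension OID. On current Go releases the parser records such extensions and `Verify` rejects the certificate; the error string in this report shows the failure surfacing while the certificate was being parsed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed OID standing in for an extension this Go version does not understand.
var sampleOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 55555, 1}

// makeSampleCert builds a self-signed certificate (constructed) with one unknown critical extension.
func makeSampleCert() ([]byte, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         pkix.Name{CommonName: "constructed-proxy.example"},
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        time.Now().Add(time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: sampleOID, Critical: true, Value: []byte{0x05, 0x00}}},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
}

// diagnose lists the critical extensions left unhandled and reports whether Verify rejects for them.
func diagnose(der []byte) (unhandled []string, rejected bool, err error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, false, err // a parser that cannot cope with the extension fails here
	}
	for _, oid := range cert.UnhandledCriticalExtensions {
		unhandled = append(unhandled, oid.String())
	}
	_, verr := cert.Verify(x509.VerifyOptions{Roots: x509.NewCertPool()}) // checked before chain building
	return unhandled, errors.As(verr, new(x509.UnhandledCriticalExtension)), nil
}

func main() {
	der, _ := makeSampleCert()
	fmt.Println(diagnose(der))
}
```

Feeding `diagnose` the DER bytes of the certificate the proxy actually presents identifies the extension OID to compare against what the Go toolchain used for the build supports.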

Comment 2 Antonio Murdaca 2017-11-20 18:10:10 UTC
We need to wait until Golang in RHEL is 1.9.2 and we build docker with that Golang, unfortunately (we're probably at 1.8.x).

Comment 3 Marc Jadoul 2017-11-21 09:11:31 UTC
Hello,
Please note it also concerns atomic-openshift-master-api:

$ oc import-image  ruby --all
The import completed with errors.

Name:                   ruby
Namespace:              openshift
Created:                19 months ago
Labels:                 <none>
Annotations:            openshift.io/display-name=Ruby
                        openshift.io/image.dockerRepositoryCheck=2017-11-20T14:00:47Z
Docker Pull Spec:       10.121.231.11:5000/openshift/ruby
Image Lookup:           local=false
Unique Images:          7
Tags:                   4

2.3 (latest)
  tagged from registry.access.redhat.com/rhscl/ruby-23-rhel7:latest

  Build and run Ruby 2.3 applications on RHEL 7. For more information about using this builder image, including OpenShift considerations, see https://github.com/sclorg/s2i-ruby-container/blob/master/2.3/README.md'.
  Tags: builder, ruby
  Supports: ruby:2.3, ruby
  Example Repo: https://github.com/openshift/ruby-ex.git'

  ! error: Import failed (InternalError): Internal error occurred: Get https://registry.redhat.io/containers/content/dist/rhel/server/7/7Server/x86_64/rhscl/1/containers/registry/rhscl/ruby-23-rhel7/manifests/latest:' tls: failed to parse certificate from server: x509: unhandled critical extension
      2 minutes ago
  * registry.access.redhat.com/rhscl/ruby-23-rhel7@sha256:a68e14c6be884e2d8f325850ff84e8e597c18756b177a54b2386dbafe48ab5f9'
      10 days ago
    registry.access.redhat.com/rhscl/ruby-23-rhel7@sha256:236b125dc39ce8e307a12eb67f2d01100200c4d2e6e89f7b2e397b6fa7f9f81d'
      5 weeks ago

2.2
  tagged from registry.access.redhat.com/rhscl/ruby-22-rhel7:latest

  Build and run Ruby 2.2 applications on RHEL 7. For more information about using this builder image, including OpenShift considerations, see https://github.com/sclorg/s2i-ruby-container/tree/master/2.2/README.md'.
  Tags: builder, ruby
  Supports: ruby:2.2, ruby
  Example Repo: https://github.com/openshift/ruby-ex.git'

  ! error: Import failed (InternalError): Internal error occurred: Get https://registry.redhat.io/containers/content/dist/rhel/server/7/7Server/x86_64/rhscl/1/containers/registry/rhscl/ruby-22-rhel7/manifests/latest:' tls: failed to parse certificate from server: x509: unhandled critical extension
      2 minutes ago
  * registry.access.redhat.com/rhscl/ruby-22-rhel7@sha256:63068a00765c62a02fe69ab16da520ac2ff1458574f4c8c2c0cf300fbcfdc82e'
      10 days ago
    registry.access.redhat.com/rhscl/ruby-22-rhel7@sha256:b72504509bd0db042594ac451974f362225e629e83f28f446088358f9f405463'
      5 weeks ago

2.0
  tagged from registry.access.redhat.com/openshift3/ruby-20-rhel7:latest

  Build and run Ruby 2.0 applications on RHEL 7. For more information about using this builder image, including OpenShift considerations, see https://github.com/sclorg/s2i-ruby-container/tree/master/2.0/README.md'.
  Tags: hidden, builder, ruby
  Supports: ruby:2.0, ruby
  Example Repo: https://github.com/openshift/ruby-ex.git'

  ! error: Import failed (InternalError): Internal error occurred: Get https://registry.redhat.io/containers/content/dist/rhel/server/7/7Server/x86_64/ose/3/containers/registry/openshift3/ruby-20-rhel7/manifests/latest:' tls: failed to parse certificate from server: x509: unhandled critical extension
      2 minutes ago
  * registry.access.redhat.com/openshift3/ruby-20-rhel7@sha256:9cfdf4b811ace13d4c555335b249ab831832a384113035512abc9d4d5cc59716'
      9 months ago
    registry.access.redhat.com/openshift3/ruby-20-rhel7@sha256:9f8cfef74cefab63036ae16cac8766e76c0610a0c560fab83e093da740aa4369'
      11 months ago
    registry.access.redhat.com/openshift3/ruby-20-rhel7:latest
      19 months ago     15779e220dc9db16072d6f779bc816b16527e474958f089ac1d13cb7e5b5021c

error: tag latest failed: Internal error occurred: Get https://registry.redhat.io/containers/content/dist/rhel/server/7/7Server/x86_64/ose/3/containers/registry/openshift3/ruby-20-rhel7/manifests/latest:' tls: failed to parse certificate from server: x509: unhandled critical extension
error: tag latest failed: Internal error occurred: Get https://registry.redhat.io/containers/content/dist/rhel/server/7/7Server/x86_64/rhscl/1/containers/registry/rhscl/ruby-22-rhel7/manifests/latest:' tls: failed to parse certificate from server: x509: unhandled critical extension
error: tag latest failed: Internal error occurred: Get https://registry.redhat.io/containers/content/dist/rhel/server/7/7Server/x86_64/rhscl/1/containers/registry/rhscl/ruby-23-rhel7/manifests/latest:' tls: failed to parse certificate from server: x509: unhandled critical extension

Comment 13 errata-xmlrpc 2018-04-11 00:01:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1071