Bug 1518583
| Field | Value |
|---|---|
| Summary | oc import-image pull fails due to extension certificate |
| Product | OpenShift Container Platform |
| Reporter | Jaroslav Spanko <jspanko> |
| Component | ImageStreams |
| Assignee | Ben Parees <bparees> |
| Status | CLOSED CURRENTRELEASE |
| QA Contact | Dongbo Yan <dyan> |
| Severity | medium |
| Docs Contact | |
| Priority | medium |
| Version | 3.6.0 |
| CC | amurdaca, aos-bugs, atomic-bugs, bparees, ccoleman, dornelas, dwalsh, haowang, jokerman, jspanko, lsm5, marc.jadoul, mmccomas, rhowe, vlaad, wzheng |
| Target Milestone | --- |
| Keywords | Extras |
| Target Release | 3.10.0 |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | Bug Fix |
| Story Points | --- |
| Clone Of | 1515395 |
| Environment | |
| Last Closed | 2018-08-29 13:55:13 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 1515395 |
| Bug Blocks | |
| Attachments | 1403304 (mitmproxy-ca.pem with wrong Boolean encoding), 1406760 (CA certificate for mitmproxy with critical name constraint extension with excluded domain) |

Doc Text:

Cause: A critical Name Constraints extension with excluded subtrees on a CA certificate was not handled by the Go crypto/x509 parser in use, so valid certificates were rejected with the error "tls: failed to parse certificate from server: x509: unhandled critical extension".
Consequence: Valid certificates were unusable.
Fix: Moved to a newer Go toolchain whose crypto/x509 library handles the constraint.
Result: Certificates that previously failed can now be used.
Description
Jaroslav Spanko
2017-11-29 09:09:59 UTC
Sounds like this is blocked until openshift is built on top of go1.9.2, since the fix is in the go source (same as https://bugzilla.redhat.com/show_bug.cgi?id=1515395#c2). Clayton, any idea when we're likely to start doing that?

ocp is being built on golang 1.9.2 now, so this should be fixed.

Honestly I don't think I can; maybe we can get some help from the originator. It sounds like a somewhat complicated setup with a proxy doing re-encryption. It might be sufficient to just point to registry.redhat.io, but I'm not sure if it's still set up the way it was at the time this bug was filed. Jaroslav, can you help our QE team understand how to validate that this is working now?

Hi, sorry, I was off a few days. I will jump on this asap and will update you about the status. Keeping need-info on me till I finish the reproducer. Thanks!

Jaroslav Spanko, hi, any progress on reproducing this bug? Thanks.

The simplest re-encrypting proxy to implement is mitmproxy. I can probably create a key and cert having this issue. Then you should be able to test the correction?

I used the mitmproxy image to set up the proxy:

    $ docker run --rm -it -p 8080:8080 mitmproxy/mitmproxy

then launched an openshift cluster behind this proxy and added the created certificate 'mitmproxy-ca.pem' into /etc/pki/ca-trust/source/anchors/ on each instance. But I still cannot reproduce it; can someone give some suggestions?

It will always fail... only with some certificates! To reproduce, you should have a certificate with the issue. I can try to create a certificate having the issue.... I think what causes the issue is a critical certificate extension on the CA certificate, which was maybe not recognized by the Go language.... My suspect: this extension on the CA... but I am not certain:

    nameconstraint: Permitted=None Excluded [1]Subtrees (0..Max): DNS Name=.ourdomain

Tell me if I should try to create such a certificate for you for testing.
Marc Jadoul, please provide a certificate to reproduce this issue, thanks a lot.

I tested and I can't reproduce the error either... the certificate apparently did not change (but I do not have the old copy of it, so I am not sure). The extension seems still there, but not the issue. Or it has been solved already on my server.... even if it is still based on go 1.8.3.....

    $ docker version
    Client:
     Version:         1.12.6
     API version:     1.24
     Package version: docker-1.12.6-71.git3e8e77d.el7.x86_64
     Go version:      go1.8.3

I intended to only re-sign the bad certificate.... but I can't. Sorry....

Based on this: https://github.com/golang/go/issues/11091 I generated a new key and re-signed the certificate. This certificate works with openssl, but not with docker.... But the error I get is NOT the same error. So I put the certificate here, but I suppose it is not the same issue.... I do not know what the initial issue with "unhandled critical extension" was and when/how it was fixed. I also do not know which fix is in go 1.9.2....

Created attachment 1403304 [details]
mitmproxy-ca.pem with wrong Boolean encoding
mitmproxy-ca.pem with wrong Boolean encoding, which fails in Go but not in openssl.
But this is probably another issue, as the error message is not the same.
Replace this file in your .mitmproxy directory.
Marc Jadoul, thanks for your help. I have tested with

    # docker version
    Client:
     Version:         1.12.6
     API version:     1.24
     Package version: docker-1.12.6-71.git3e8e77d.el7.x86_64
     Go version:      go1.8.3
     Git commit:      3e8e77d/1.12.6
     Built:           Wed Dec 13 12:18:58 2017
     OS/Arch:         linux/amd64

and could get an error like below:

    Get https://registry.access.redhat.com/v1/_ping: tls: failed to parse certificate from server: asn1: syntax error: invalid boolean

Referring to the origin bug https://bugzilla.redhat.com/show_bug.cgi?id=1515395#c2, I think it is related to whether docker is built with go 1.9, not to openshift. So I change the status to assigned. And maybe we also should change the target release to the next version, not ocp 3.9.

I took a look at the initial links. The certificate I provided does trigger another unsolved go issue, which won't be solved. I will provide another certificate based on the one in https://go-review.googlesource.com/c/go/+/36900.

Marc

Created attachment 1406760 [details]
CA certificate for mitmproxy with critical name constraint extension with excluded domain.
This certificate should trigger the previously existing bug in Go which was fixed in go 1.9.2.
Verified. Launched an openshift cluster with docker

    # docker version
    Version:         1.13.1
    API version:     1.26
    Package version: docker-1.13.1-58.git87f2fab.el7.x86_64
    Go version:      go1.9.2
    Git commit:      87f2fab/1.13.1
    Built:           Mon Mar 19 18:55:01 2018
    OS/Arch:         linux/amd64

and cannot reproduce this error, so moving this bug to verified.
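The certificate shape behind this bug, as an added example that is not part of the bug report, of OpenShift or of the Go project: a Go program that builds a CA whose Name Constraints extension is marked critical and contains only an excludedSubtrees dNSName for `.ourdomain` (the extension quoted in the thread and the shape of attachment 1406760), parses it the way crypto/tls does, and then verifies two leaves against it. Go releases before the fix returned UnhandledCriticalExtension from ParseCertificate for exactly this input, which crypto/tls surfaced as the "tls: failed to parse certificate from server: x509: unhandled critical extension" string in the Doc Text; current Go decodes the excluded subtrees into ExcludedDNSDomains and enforces them during chain building, so a leaf for a host inside the excluded subtree is rejected with CANotAuthorizedForThisName while a host outside it verifies. The CA name "mitmproxy test CA", the P-256 keys, the validity window and the host names "registry.ourdomain" and "registry.access.redhat.com" are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var oidNameConstraints = asn1.ObjectIdentifier{2, 5, 29, 30} // id-ce-nameConstraints, RFC 5280 4.2.1.10

// Assumed validity window shared by the CA and the leaves it signs.
var notBefore, notAfter = time.Now().Add(-time.Hour), time.Now().Add(24 * time.Hour)

// buildConstrainedCA returns a self-signed CA (DER) whose Name Constraints
// extension is critical and carries only an excludedSubtrees dNSName, the shape
// quoted in the thread. The CA name and the P-256 key are assumptions.
func buildConstrainedCA(excludedDNS string) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "mitmproxy test CA"},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		PermittedDNSDomainsCritical: true, // marks the whole extension critical, excluded-only included
		ExcludedDNSDomains:          []string{excludedDNS},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return der, key, err
}

// inspectCA parses the CA the way crypto/tls does. Go before the fix returned
// UnhandledCriticalExtension here ("x509: unhandled critical extension") for a
// critical constraint with excluded subtrees; current Go decodes them instead.
func inspectCA(der []byte) (critical, unhandled bool, excluded []string, err error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return false, false, nil, err
	}
	for _, ext := range cert.Extensions {
		critical = critical || ext.Id.Equal(oidNameConstraints) && ext.Critical
	}
	for _, id := range cert.UnhandledCriticalExtensions {
		unhandled = unhandled || id.Equal(oidNameConstraints)
	}
	return critical, unhandled, cert.ExcludedDNSDomains, nil
}

// verifyLeaf signs a server certificate for host with the CA and runs Go's chain
// verification; rejected is true when the chain fails specifically because the
// CA is not authorized for that name, i.e. the excluded subtree was enforced.
func verifyLeaf(caDER []byte, caKey *ecdsa.PrivateKey, host string) (rejected bool, err error) {
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return false, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // the SAN the constraint is checked against
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return false, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return false, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	var cie x509.CertificateInvalidError
	return errors.As(err, &cie) && cie.Reason == x509.CANotAuthorizedForThisName, err
}

func main() {
	caDER, caKey, err := buildConstrainedCA(".ourdomain")
	if err != nil {
		panic(err)
	}
	fmt.Println(inspectCA(caDER))                                      // true false [.ourdomain] <nil>
	fmt.Println(verifyLeaf(caDER, caKey, "registry.ourdomain"))         // true, not authorized for this name
	fmt.Println(verifyLeaf(caDER, caKey, "registry.access.redhat.com")) // false <nil>
}
```

Running this under a Go release that predates the excluded-subtree support reproduces the parse failure the thread reports without any proxy: inspectCA returns the "x509: unhandled critical extension" error from ParseCertificate alone, which is why only CAs carrying this particular extension shape, and not mitmproxy's default CA, triggered the bug.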