Description of problem:
Pull image failed with x509 error when enable fips on rhcos node server
Version-Release number of selected component (if applicable):
4.2.0-0.nightly-2019-07-18-235010
Red Hat Enterprise Linux CoreOS 420.8.20190718.1 (Ootpa)
How reproducible:
always
Steps to Reproduce:
1.enable fips mode on rhcos node server
2.pull image from quay, such as:
# crictl pull quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:15481cb3cc1993b5e4d02ee5a7848690bf48373606590dc543eb671589b544b5
Actual results:
# crictl pull quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:15481cb3cc1993b5e4d02ee5a7848690bf48373606590dc543eb671589b544b5
FATA[0000] pulling image failed: rpc error: code = Unknown desc = pinging docker registry returned: Get https://quay.io/v2/: x509: certificate specifies an incompatible key usage
Expected results:
pull successful with no error
Additional info:
image pull successful when disable fips on rhcos node
Sending to Quay as they will have to change the cert on their side to be FIPS compliant.
FIPS support is smoke test for 4.2 (trying to find the issues) and something we might support in 4.3. We do want to address this for 4.3.