Bug 2037272

Summary: [4.10 placeholder only to make BZ robot happy] legacy certificates missing SAN entries render the cluster dysfunctional
Product: OpenShift Container Platform
Reporter: Sergiusz Urbaniak <surbania>
Component: apiserver-auth
Assignee: Standa Laznicka <slaznick>
Status: CLOSED NOTABUG
QA Contact: Xingxing Xia <xxia>
Severity: urgent
Priority: urgent
Version: 4.9
CC: aos-bugs, mfojtik, surbania
Target Release: 4.10.0
Hardware: Unspecified
OS: Unspecified
Clone Of:
: 2037274
Last Closed: 2022-01-05 11:01:43 UTC
Type: Bug

Description Sergiusz Urbaniak 2022-01-05 11:00:02 UTC
Starting with Go 1.17, support for invalid certificates is going to be removed; see https://go.dev/doc/go1.17. This means that legacy certificates not having a SAN field but relying on the CN field will not be accepted by Go 1.17-based TLS clients anymore.

The temporary `GODEBUG=x509ignoreCN=0` environment variable has been removed as of Go 1.17.

Comment 1 Sergiusz Urbaniak 2022-01-05 11:01:43 UTC
Closing with CURRENTRELEASE resolution, as we can only implement preventive fixes in 4.9.