Description of problem:
atomic-openshift-master service fails to start due to a negative serial number in CA certificate, which is needed for LDAPS authentication. This is set up in ansible installer:

openshift_master_identity_providers: [{'name': 'my_ldap_provider', 'challenge': 'true', 'login': 'true', 'kind': 'LDAPPasswordIdentityProvider', 'attributes': {'id': ['dn'], 'email': ['mail'], 'name': ['cn'], 'preferredUsername': ['uid']}, 'bindDN': '', 'bindPassword': '', 'ca': '/etc/pki/tls/certs/ca-bundle.crt', 'insecure': 'false', 'url': 'ldap://ldap.example.com/ou=users,dc=example,dc=com?uid'}]

Steps to Reproduce:
systemctl start atomic-openshift-master

Actual results:
atomic-openshift-master[8827]: F1207 12:55:23.250834 8827 auth.go:114] error loading cert pool from ca file /etc/pki/tls/certs/ca-bundle.crt: error reading /etc/pki/tls/certs/ca-bundle.crt: x509: negative serial number

Expected results:
atomic-openshift-master starts successfully

Additional info:
https://github.com/golang/go/issues/8265
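A pre-flight check for the failure reported above, as an added example that is not part of the original report or of OpenShift: it finds which CERTIFICATE blocks in a CA bundle carry a negative serial number by decoding only the leading ASN.1 fields with encoding/asn1, independently of crypto/x509. The names `certHead`, `NegativeSerials` and `sampleBundle` are made up for this example, and the embedded sample is two constructed stubs, not real certificates.

```go
package main

import (
	"encoding/asn1"
	"encoding/pem"
	"fmt"
	"math/big"
)

// Leading fields of RFC 5280 Certificate/TBSCertificate only; encoding/asn1
// ignores the remaining elements of each SEQUENCE.
type certHead struct {
	TBS struct {
		Version int `asn1:"optional,explicit,default:0,tag:0"`
		Serial  *big.Int
	}
}

// NegativeSerials returns the 1-based positions of the PEM blocks in bundle
// whose certificate serialNumber is a negative INTEGER.
func NegativeSerials(bundle []byte) (hits []int, err error) {
	for n := 1; ; n++ {
		var blk *pem.Block
		if blk, bundle = pem.Decode(bundle); blk == nil {
			return hits, nil // no further PEM blocks
		}
		if blk.Type != "CERTIFICATE" {
			continue
		}
		var c certHead
		if _, err = asn1.Unmarshal(blk.Bytes, &c); err != nil {
			return hits, fmt.Errorf("block %d: %v", n, err)
		}
		if c.TBS.Serial.Sign() < 0 {
			hits = append(hits, n)
		}
	}
}

// sampleBundle builds two constructed stubs (not valid certificates), each
// SEQUENCE{ SEQUENCE{ [0]{INTEGER 2}, INTEGER serial } }, with serials 5 and -1.
func sampleBundle() (out []byte) {
	for _, serial := range []byte{0x05, 0xff} {
		der := []byte{0x30, 0x0a, 0x30, 0x08, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x01, serial}
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})...)
	}
	return out
}

func main() { fmt.Println(NegativeSerials(sampleBundle())) }
```

To check a real bundle, pass the bytes of the file named by the provider's 'ca' setting to `NegativeSerials` instead of the sample.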
Do we need a separate bz to track packaging the golang fix?
Jakub, what do we need to do to pick up the fix for https://github.com/golang/go/issues/8265 in the 1.4.x and 1.5.x streams?
Opened https://bugzilla.redhat.com/show_bug.cgi?id=1290472 to track picking up the fix for RHEL
Asked upstream in issue 8265 whether it is possible to include the fix in the next minor release (if that is what you meant). Do you need a fix in Fedora? (Even if not, a Fedora BZ would be nice :).)
Yes, the fix is probably needed in Fedora as well. Should I clone the BZ to Fedora?
Yes, please. Thanks
Checked with atomic-openshift-3.3.0.8-1.git.0.42a01e6.el7.x86_64, and the bug has been fixed, so moving to verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2016:1933