Bug 1289473 - atomic-openshift-master - error loading cert pool from ca file - x509: negative serial number
Product: OpenShift Container Platform
Classification: Red Hat
Component: Auth
Hardware: Unspecified
OS: Linux
Priority: medium
Severity: high
Assigned To: Jordan Liggitt
weiwei jiang
Depends On: 1290472
Reported: 2015-12-08 04:16 EST by Andrej Golis
Modified: 2017-03-08 13 EST

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1290472 (view as bug list)
Last Closed: 2016-09-27 05:34:31 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 2093821 None None None 2015-12-17 03:20 EST
Red Hat Product Errata RHBA-2016:1933 normal SHIPPED_LIVE Red Hat OpenShift Container Platform 3.3 Release Advisory 2016-09-27 09:24:36 EDT

Description Andrej Golis 2015-12-08 04:16:14 EST
Description of problem:

atomic-openshift-master service fails to start due to a negative serial number in CA certificate, which is needed for LDAPS authentication.

This is set up in ansible installer:

openshift_master_identity_providers: [{'name': 'my_ldap_provider',
'challenge': 'true', 'login': 'true', 'kind':
'LDAPPasswordIdentityProvider', 'attributes': {'id': ['dn'], 'email':
['mail'], 'name': ['cn'], 'preferredUsername': ['uid']}, 'bindDN': '',
'bindPassword': '', 'ca': '/etc/pki/tls/certs/ca-bundle.crt',
'insecure': 'false', 'url':

Steps to Reproduce:

systemctl start atomic-openshift-master

Actual results:

atomic-openshift-master[8827]: F1207 12:55:23.250834 8827
auth.go:114] error loading cert pool from ca file
/etc/pki/tls/certs/ca-bundle.crt: error reading
/etc/pki/tls/certs/ca-bundle.crt: x509: negative serial number

Expected results:

atomic-openshift-master starts successfully

Additional info:

Comment 1 Jordan Liggitt 2015-12-10 09:43:40 EST
Do we need a separate bz to track packaging the golang fix?
Comment 2 Jordan Liggitt 2015-12-10 09:45:42 EST
Jakub, what do we need to do to pick up the fix for https://github.com/golang/go/issues/8265 in 1.4.x and 1.5.x streams?
Comment 3 Jordan Liggitt 2015-12-10 10:43:46 EST
Opened https://bugzilla.redhat.com/show_bug.cgi?id=1290472 to track picking up the fix for RHEL
Comment 4 Jakub Čajka 2015-12-10 11:37:16 EST
Asked upstream in the issue 8265, if it is possible to include the fix in next minor release (if it is what you meant).

Do you need a fix in Fedora? (Even if not, Fedora BZ would be nice :).)
Comment 5 Jordan Liggitt 2015-12-10 11:38:12 EST
Yes, fix is probably needed in fedora as well. Should I clone the BZ to fedora?
Comment 6 Jakub Čajka 2015-12-10 11:42:20 EST
Yes, please.

Comment 8 weiwei jiang 2016-07-22 04:25:18 EDT
Checked with atomic-openshift-, and the bug has been fixed. So move to verified.
Comment 10 errata-xmlrpc 2016-09-27 05:34:31 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

