Bug 1289473 - atomic-openshift-master - error loading cert pool from ca file - x509: negative serial number
Summary: atomic-openshift-master - error loading cert pool from ca file - x509: negati...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: apiserver-auth
Version: 3.1.0
Hardware: Unspecified
OS: Linux
medium
high
Target Milestone: ---
: ---
Assignee: Jordan Liggitt
QA Contact: weiwei jiang
URL:
Whiteboard:
Depends On: 1290472
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-12-08 09:16 UTC by Andrej Golis
Modified: 2019-09-12 09:30 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1290472 (view as bug list)
Environment:
Last Closed: 2016-09-27 09:34:31 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 2093821 0 None None None 2015-12-17 08:20:19 UTC
Red Hat Product Errata RHBA-2016:1933 0 normal SHIPPED_LIVE Red Hat OpenShift Container Platform 3.3 Release Advisory 2016-09-27 13:24:36 UTC

Description Andrej Golis 2015-12-08 09:16:14 UTC 
Description of problem:

atomic-openshift-master service fails to start due to a negative serial number in CA certificate, which is needed for LDAPS authentication.

This is set up in ansible installer:

openshift_master_identity_providers: [{'name': 'my_ldap_provider',
'challenge': 'true', 'login': 'true', 'kind':
'LDAPPasswordIdentityProvider', 'attributes': {'id': ['dn'], 'email':
['mail'], 'name': ['cn'], 'preferredUsername': ['uid']}, 'bindDN': '',
'bindPassword': '', 'ca': '/etc/pki/tls/certs/ca-bundle.crt',
'insecure': 'false', 'url':
'ldap://ldap.example.com/ou=users,dc=example,dc=com?uid'}]

Steps to Reproduce:

systemctl start atomic-openshift-master

Actual results:

atomic-openshift-master[8827]: F1207 12:55:23.250834 8827
auth.go:114] error loading cert pool from ca file
/etc/pki/tls/certs/ca-bundle.crt: error reading
/etc/pki/tls/certs/ca-bundle.crt: x509: negative serial number

Expected results:

atomic-openshift-master starts successfully

Additional info:

https://github.com/golang/go/issues/8265
Comment 1 Jordan Liggitt 2015-12-10 14:43:40 UTC 
Do we need a separate bz to track packaging the golang fix?
Comment 2 Jordan Liggitt 2015-12-10 14:45:42 UTC 
Jakub, what do we need to do to pick up the fix for https://github.com/golang/go/issues/8265 in 1.4.x and 1.5.x streams?
Comment 3 Jordan Liggitt 2015-12-10 15:43:46 UTC 
Opened https://bugzilla.redhat.com/show_bug.cgi?id=1290472 to track picking up the fix for RHEL
Comment 4 Jakub Čajka 2015-12-10 16:37:16 UTC 
Asked upstream in the issue 8265, if it is possible to include the fix in next minor release(if it is what you meant).

Do you need a fix in Fedora? (Even if not, Fedora BZ would be nice :).)
Comment 5 Jordan Liggitt 2015-12-10 16:38:12 UTC 
Yes, fix is probably needed in fedora as well. Should I clone the BZ to fedora?
Comment 6 Jakub Čajka 2015-12-10 16:42:20 UTC 
Yes, please.

Thanks
Comment 8 weiwei jiang 2016-07-22 08:25:18 UTC 
Checked with atomic-openshift-3.3.0.8-1.git.0.42a01e6.el7.x86_64, and the bug has been fixed. So move to verified.
Comment 10 errata-xmlrpc 2016-09-27 09:34:31 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1933
Note You need to log in before you can comment on or make changes to this bug.