Description of problem:
Unable to log into an OpenShift 3.11 cluster with custom certificates configured (issued by an intermediate CA, while the root CA cert is trusted by the client's computer) because the oc tool does not trust the server's certificate due to the presence of Trust Settings (https://www.openssl.org/docs/manmaster/man1/x509.html#TRUST_SETTINGS) in the CA cert. MS AD-based CAs DO have such a field in their certs.

Version-Release number of selected component (if applicable):
v3.11.98

How reproducible:
Use custom certificates for publicUrl issued by a CA with Trust Settings in its certificate.

Actual results:
# Try to login to the cluster
uzer@mgmt-host:~$ oc login https://os.corp.org:8443 --token=XXX --certificate-authority=${HOME}/git/openshift-oscp-config/corpRootCA.pem
The server uses a certificate signed by an unknown authority.

# Strip Trust Settings from CA cert
openssl x509 -in ${HOME}/git/openshift-oscp-config/corpRootCA.pem -out ${HOME}/git/openshift-oscp-config/corpRootCA.clean.pem

# Try to login to the cluster again
uzer@mgmt-host:~$ oc login https://os.corp.org:8443 --token=XXX --certificate-authority=${HOME}/git/openshift-oscp-config/corpRootCA.clean.pem
Authentication required for https://os.corp.org:8443 (openshift)
Username:

Expected results:
Successful login request.

Additional info:
The problem is not OpenShift specific but rather a Go-wide one connected with the crypto/tls library. Additional info is available at https://github.com/golang/go/issues/31881
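Added example (not part of the report, of OpenShift or of the Go project) reproducing the failure described above: crypto/x509's AppendCertsFromPEM skips any PEM block whose type is not exactly CERTIFICATE, so a CA file written by OpenSSL as TRUSTED CERTIFICATE yields an empty pool and the "unknown authority" error; stripTrustSettings is the Go equivalent of the `openssl x509 -in ... -out ...` workaround. The CA certificate and its trust settings (OpenSSL's X509_CERT_AUX, here trusting serverAuth) are constructed at run time.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// stripTrustSettings rewrites each OpenSSL "TRUSTED CERTIFICATE" block as a plain
// "CERTIFICATE" block, dropping the X509_CERT_AUX trust data appended after the cert DER.
func stripTrustSettings(in []byte) []byte {
	var out []byte
	for {
		var block *pem.Block
		block, in = pem.Decode(in)
		if block == nil {
			return out
		}
		if block.Type == "TRUSTED CERTIFICATE" {
			var cert asn1.RawValue // first DER element is the certificate; the rest is the aux data
			if _, err := asn1.Unmarshal(block.Bytes, &cert); err == nil {
				block = &pem.Block{Type: "CERTIFICATE", Bytes: cert.FullBytes}
			}
		}
		out = append(out, pem.EncodeToMemory(block)...)
	}
}

// trustedCAPEM builds a constructed self-signed CA and encodes it the way OpenSSL
// writes a cert with trust settings (here: trusted for serverAuth, OID 1.3.6.1.5.5.7.3.1).
func trustedCAPEM() []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed corpRootCA"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	aux, _ := asn1.Marshal(struct{ Trust []asn1.ObjectIdentifier }{[]asn1.ObjectIdentifier{{1, 3, 6, 1, 5, 5, 7, 3, 1}}})
	return pem.EncodeToMemory(&pem.Block{Type: "TRUSTED CERTIFICATE", Bytes: append(der, aux...)})
}

// poolHasCerts reports whether crypto/x509 accepted at least one CA from the PEM data.
func poolHasCerts(pemData []byte) bool { return x509.NewCertPool().AppendCertsFromPEM(pemData) }

func main() {
	ca := trustedCAPEM()
	fmt.Println("trusted form accepted by crypto/x509:", poolHasCerts(ca))                    // false
	fmt.Println("stripped form accepted by crypto/x509:", poolHasCerts(stripTrustSettings(ca))) // true
}
```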
We'll follow the issue upstream in golang. When/if they address it we can look into re-compiling with the fix.