Bug 1874278 - HAProxy reloads fail on "unable to load SSL certificate from PEM file '/var/lib/haproxy/conf/default_pub_keys.pem'".
Summary: HAProxy reloads fail on "unable to load SSL certificate from PEM file '/var/l...
Keywords:
Status: VERIFIED
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Routing
Version: 4.6
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: ---
Target Release: 4.6.0
Assignee: Stephen Greene
QA Contact: Arvind iyengar
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2020-08-31 21:20 UTC by Stephen Greene
Modified: 2020-09-08 07:51 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:




Links
System ID Priority Status Summary Last Updated
Github openshift router pull 178 None closed Bug 1874278: Drop openssl to SECLEVEL=1 in Dockerfile 2020-09-14 15:49:42 UTC

Description Stephen Greene 2020-08-31 21:20:53 UTC
Router CI is currently broken on the router e2e job.

A subset of the router e2e tests are failing. Log files would suggest that the e2e router pods are not able to load the default cert baked into the router image.


[ALERT] 243/205744 (21) : parsing [/var/lib/haproxy/conf/haproxy.config:116] : 'bind 127.0.0.1:10444' : unable to load SSL certificate from PEM file '/var/lib/haproxy/conf/default_pub_keys.pem'.
[ALERT] 243/205744 (21) : parsing [/var/lib/haproxy/conf/haproxy.config:153] : 'bind 127.0.0.1:10443' : unable to load SSL certificate from PEM file '/var/lib/haproxy/conf/default_pub_keys.pem'.
[ALERT] 243/205744 (21) : Error(s) found in configuration file : /var/lib/haproxy/conf/haproxy.config
[ALERT] 243/205744 (21) : Fatal errors found in configuration.

The router e2e jobs depend on the default cert in the image to run properly.

This may be related to recent base image changes through ART. 


How reproducible: 
100%, see router CI jobs.
https://prow.ci.openshift.org/pr-history?org=openshift&repo=router&pr=170

Reproduce outside of CI:

Launch a 4.6 cluster bot cluster with a reference to a router PR

i.e.

launch openshift/router#170 gcp

Comment 3 Arvind iyengar 2020-09-08 07:51:49 UTC
Verified in the latest "4.6.0-0.ci-2020-09-04-224216" payload. The environment now includes "SECLEVEL=1" for the SSL:
----
$ oc get clusterversion
NAME      VERSION                        AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.6.0-0.ci-2020-09-04-224216   True        False         39m     Cluster version is 4.6.0-0.ci-2020-09-04-224216

sh-4.4$ cat /etc/crypto-policies/back-ends/openssl
openssl.config     opensslcnf.config  

sh-4.4$ cat /etc/crypto-policies/back-ends/opensslcnf.config 
CipherString = @SECLEVEL=1:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256
----
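Added example, not code from the bug report or from the openshift/router project: a preflight script that reads the SECLEVEL a crypto-policy file such as the one pasted above hands to OpenSSL, then checks whether a PEM certificate's key would still be accepted at that level, which is the restriction the SECLEVEL=1 fix relaxes. It assumes an openssl CLI of 1.1.0 or later (for `verify -auth_level`), uses `openssl verify`'s authentication level as a stand-in for the key-strength check OpenSSL applies when HAProxy loads a certificate, and generates its own throwaway 1024- and 2048-bit self-signed certs; the policy file it writes is constructed from the CipherString line shown in Comment 3.

```shell
#!/bin/sh
# Added example; not code from the bug report or the openshift/router project.
# Preflight for a router image: read the SECLEVEL that the crypto policy hands
# to OpenSSL, then check whether a PEM certificate's key would still be accepted
# at that level, so a bad default cert is caught before HAProxy reloads.
# Assumes an openssl CLI >= 1.1.0 (for `verify -auth_level`).
set -eu

# Extract N from the "@SECLEVEL=N" token of an opensslcnf.config-style file
# (the format of /etc/crypto-policies/back-ends/opensslcnf.config).
# Prints 0, OpenSSL's "no restrictions" level, when the file sets none.
seclevel_from_policy() {
    level=$(sed -n 's/^CipherString *= *.*@SECLEVEL=\([0-9]\).*/\1/p' "$1" | head -n 1)
    printf '%s\n' "${level:-0}"
}

# Generate a throwaway self-signed RSA cert of the given bit length
# (constructed test material only): writes PREFIX.key and PREFIX.pem.
make_demo_cert() {
    prefix=$1; bits=$2
    openssl req -x509 -newkey "rsa:${bits}" -nodes -sha256 -days 1 \
        -subj "/CN=demo-${bits}" -keyout "${prefix}.key" -out "${prefix}.pem" \
        >/dev/null 2>&1
}

# Print "accepted" or "rejected" for CERT at security LEVEL.
# `openssl verify -auth_level N` enforces the same minimum key strength as
# TLS security level N (level 1 = 80 bits, so RSA >= 1024; level 2 = 112 bits,
# so RSA >= 2048). The cert is used as its own trust anchor, so this suits
# self-signed certs such as a baked-in default cert; the authoritative check
# for a router config is still `haproxy -c -f haproxy.config`.
cert_ok_at_level() {
    level=$1; cert=$2
    if openssl verify -auth_level "$level" -CAfile "$cert" "$cert" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

# --- demonstration ----------------------------------------------------------
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Constructed policy file carrying the CipherString line from the verified payload.
cat > "$workdir/opensslcnf.config" <<'EOF'
CipherString = @SECLEVEL=1:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256
EOF
policy_level=$(seclevel_from_policy "$workdir/opensslcnf.config")
echo "policy SECLEVEL: $policy_level"

# Only exercise the certificate check when an openssl CLI is available.
if command -v openssl >/dev/null 2>&1; then
    make_demo_cert "$workdir/weak" 1024
    make_demo_cert "$workdir/strong" 2048
    for level in 1 2; do
        echo "SECLEVEL=$level: rsa1024 $(cert_ok_at_level "$level" "$workdir/weak.pem"), rsa2048 $(cert_ok_at_level "$level" "$workdir/strong.pem")"
    done
    echo "at the policy's level ($policy_level): rsa1024 $(cert_ok_at_level "$policy_level" "$workdir/weak.pem")"
fi
```

Run it inside the router image (or any image built on the same base) and point `seclevel_from_policy` at the real `/etc/crypto-policies/back-ends/opensslcnf.config` and `cert_ok_at_level` at the cert HAProxy is configured to load; a "rejected" at the policy's level is the condition that surfaces as "unable to load SSL certificate from PEM file" at reload time. The 80- and 112-bit floors are OpenSSL's documented minimums for levels 1 and 2; which signature digests a level rejects differs between OpenSSL releases, and the script checks only what `openssl verify` enforces on the installed version.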

