Description of problem:

While installing OpenShift 4.4 in restricted mode with FIPS enabled, the mirror registry presents a certificate. When bootkube tries to pull an image from the mirror registry, it gives the following error message:

~~~
release@sha256:d0f3b8dae00e0a5574af01fa927f7fb2a835495887566140274ae1ab227cbdf0: unable to pull image: Error initializing source docker://quay.io/openshift-release-dev/ocp-release@sha256:d0f3b8dae00e0a5574af01fa927f7fb2a835495887566140274ae1ab227cbdf0: (Mirrors also failed: [ldtdsr000003443.etf.barcapetf.com:3000/ocp4/openshift4@sha256:d0f3b8dae00e0a5574af01fa927f7fb2a835495887566140274ae1ab227cbdf0: error pinging docker registry ldtdsr000003443.etf.barcapetf.com:3000: Get https://ldtdsr000003443.etf.barcapetf.com:3000/v2/: x509: certificate specifies an incompatible key usage]): quay.io/openshift-release-dev/ocp-release@sha256:d0f3b8dae00e0a5574af01fa927f7fb2a835495887566140274ae1ab227cbdf0: error pinging docker registry quay.io: Get https://quay.io/v2/: dial tcp 3.232.240.223:443: i/o timeout
~~~

It says `x509: certificate specifies an incompatible key usage`. The Key Usage in the certificate presented by the mirror registry is:

~~~
X509v3 Key Usage: critical
    Digital Signature, Key Encipherment
~~~

It works with FIPS disabled. Key Usage from quay.io:

~~~
X509v3 Key Usage:
    Digital Signature, Key Encipherment, Data Encipherment
~~~

How can this issue be mitigated? Which Key Usage is not compatible with FIPS?
There seems to be an older bug with similar symptoms: https://bugzilla.redhat.com/show_bug.cgi?id=1731550
The probable cause is certificates with 4096-bit RSA keys, which is too long (!) for whatever Go library is in use. It should have been patched in https://bugzilla.redhat.com/show_bug.cgi?id=1731550 though.
4.4 install issues should not block 4.6 going GA. Punting to 4.7. Any fixes may be backported to earlier releases.
Hello Team, the issue was the private key size: it was less than 2048 bits. When a certificate with a 2048-bit key was used, the issue was resolved.
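The resolution above came down to the RSA key size of the mirror registry's certificate, which is easy to check before an install is attempted. The following Go program is an added example, not code from this bug report or from OpenShift: it parses a PEM certificate, reports the RSA modulus length and the Key Usage bits, and flags keys shorter than the 2048 bits that resolved this thread. The `SelfSignedPEM` helper, the hostname `mirror-registry.example.invalid` and the 2048-bit threshold constant are assumptions constructed for the example so that it runs offline; point `InspectPEM` at the certificate exported from your own registry instead.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// minRSABits is the key length that resolved the thread above (assumption:
// treat anything shorter as unusable on FIPS-enabled nodes).
const minRSABits = 2048

// Report summarises what a preflight check should surface for a registry cert.
type Report struct {
	KeyBits  int      // RSA modulus length in bits
	KeyUsage []string // decoded X509v3 Key Usage names
	OK       bool     // true when KeyBits >= minRSABits
	Reason   string   // human-readable verdict
}

// keyUsageNames decodes the KeyUsage bitmask into the names openssl prints.
func keyUsageNames(ku x509.KeyUsage) []string {
	table := []struct {
		bit  x509.KeyUsage
		name string
	}{
		{x509.KeyUsageDigitalSignature, "Digital Signature"},
		{x509.KeyUsageContentCommitment, "Non Repudiation"},
		{x509.KeyUsageKeyEncipherment, "Key Encipherment"},
		{x509.KeyUsageDataEncipherment, "Data Encipherment"},
		{x509.KeyUsageKeyAgreement, "Key Agreement"},
		{x509.KeyUsageCertSign, "Certificate Sign"},
		{x509.KeyUsageCRLSign, "CRL Sign"},
	}
	var names []string
	for _, e := range table {
		if ku&e.bit != 0 {
			names = append(names, e.name)
		}
	}
	return names
}

// InspectPEM parses one PEM CERTIFICATE block and checks its RSA key size.
func InspectPEM(certPEM []byte) (Report, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return Report{}, errors.New("no CERTIFICATE block found in input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return Report{}, fmt.Errorf("parse certificate: %w", err)
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return Report{Reason: "public key is not RSA; check is not applicable"}, nil
	}
	r := Report{KeyBits: pub.N.BitLen(), KeyUsage: keyUsageNames(cert.KeyUsage)}
	if r.KeyBits < minRSABits {
		r.Reason = fmt.Sprintf("RSA key is %d bits; FIPS-enabled nodes need at least %d", r.KeyBits, minRSABits)
	} else {
		r.OK = true
		r.Reason = fmt.Sprintf("RSA key is %d bits; key size acceptable", r.KeyBits)
	}
	return r, nil
}

// SelfSignedPEM builds a constructed self-signed server certificate with the
// same Key Usage bits the mirror registry in the thread presented. It exists
// only so the example runs offline; it is not the registry's real certificate.
func SelfSignedPEM(bits int) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "mirror-registry.example.invalid"},
		DNSNames:     []string{"mirror-registry.example.invalid"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	// Compare a too-short key against one that meets the threshold.
	for _, bits := range []int{1024, 2048} {
		certPEM, err := SelfSignedPEM(bits)
		if err != nil {
			panic(err)
		}
		r, err := InspectPEM(certPEM)
		if err != nil {
			panic(err)
		}
		fmt.Printf("ok=%v bits=%d usage=%v: %s\n", r.OK, r.KeyBits, r.KeyUsage, r.Reason)
	}
}
```

Run it against a real registry certificate by saving the PEM (for example the output of `openssl s_client -connect <host>:<port> -showcerts`) and passing its bytes to `InspectPEM`; a `false` verdict means the key should be regenerated at 2048 bits or more before the mirror is used for a FIPS-enabled install.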