1878779 – Certificate not compatible with FIPS

Bug 1878779 - Certificate not compatible with FIPS

Summary: Certificate not compatible with FIPS

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Installer
Sub Component:
Version:	4.4
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	low
Target Milestone:	---
Target Release:	4.7.0
Assignee:	Beth White
QA Contact:	Amit Ugol
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2020-09-14 13:51 UTC by Anshul Verma
Modified:	2020-10-01 09:17 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-10-01 09:17:51 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Anshul Verma 2020-09-14 13:51:07 UTC

Description of problem:

While installing OpenShift 4.4 in restricted mode with FIPS enabled. The mirror registry is presenting a certificate.
When the bootkube tries pulling image from the mirror registry, it gives the following error message -
~~~
release@sha256:d0f3b8dae00e0a5574af01fa927f7fb2a835495887566140274ae1ab227cbdf0: unable to pull image: Error initializing source docker://quay.io/openshift-release-dev/ocp-release@sha256:d0f3b8dae00e0a5574af01fa927f7fb2a835495887566140274ae1ab227cbdf0: (Mirrors also failed: [ldtdsr000003443.etf.barcapetf.com:3000/ocp4/openshift4@sha256:d0f3b8dae00e0a5574af01fa927f7fb2a835495887566140274ae1ab227cbdf0: error pinging docker registry ldtdsr000003443.etf.barcapetf.com:3000: Get https://ldtdsr000003443.etf.barcapetf.com:3000/v2/: x509: certificate specifies an incompatible key usage]): quay.io/openshift-release-dev/ocp-release@sha256:d0f3b8dae00e0a5574af01fa927f7fb2a835495887566140274ae1ab227cbdf0: error pinging docker registry quay.io: Get https://quay.io/v2/: dial tcp 3.232.240.223:443: i/o timeout
~~~

It says `x509: certificate specifies an incompatible key usage`.

The Key Usage in the certificate presented by the mirror registry is -
~~~
           X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
~~~
It works with FIPS disabled.

Key Usage from quay.io -
~~~
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment, Data Encipherment
~~~

How this issue can be mitigated?
Which Key Usage is not compatible with FIPS?

Comment 4 Dmitry Tantsur 2020-09-22 15:42:26 UTC

There seems to be an older bug with similar symptoms: https://bugzilla.redhat.com/show_bug.cgi?id=1731550

Comment 5 Dmitry Tantsur 2020-09-22 15:44:51 UTC

The probable cause is certificates with 4096 bits RSA keys, which is too long (!) for whatever Go library is in use. It should have been patched in https://bugzilla.redhat.com/show_bug.cgi?id=1731550 though..

Comment 6 W. Trevor King 2020-09-23 22:25:31 UTC

4.4 install issues should not block 4.6 going GA.  Punting to 4.7.  Any fixes may be backported to earlier releases.

Comment 7 Anshul Verma 2020-09-30 17:30:28 UTC

Hello Team,

The issue was that the Private key size, it was less than 2048. When used a certificate with 2048 bits key, the issue was resolved.

Note You need to log in before you can comment on or make changes to this bug.