Bug 1878779 - Certificate not compatible with FIPS
Summary: Certificate not compatible with FIPS
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 4.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Target Release: 4.7.0
Assignee: Beth White
QA Contact: Amit Ugol
Depends On:
Reported: 2020-09-14 13:51 UTC by Anshul Verma
Modified: 2020-10-01 09:17 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2020-10-01 09:17:51 UTC
Target Upstream Version:


Description Anshul Verma 2020-09-14 13:51:07 UTC
Description of problem:

While installing OpenShift 4.4 in restricted mode with FIPS enabled, the mirror registry presents a certificate.
When bootkube tries to pull an image from the mirror registry, it gives the following error message -
release@sha256:d0f3b8dae00e0a5574af01fa927f7fb2a835495887566140274ae1ab227cbdf0: unable to pull image: Error initializing source docker://quay.io/openshift-release-dev/ocp-release@sha256:d0f3b8dae00e0a5574af01fa927f7fb2a835495887566140274ae1ab227cbdf0: (Mirrors also failed: [ldtdsr000003443.etf.barcapetf.com:3000/ocp4/openshift4@sha256:d0f3b8dae00e0a5574af01fa927f7fb2a835495887566140274ae1ab227cbdf0: error pinging docker registry ldtdsr000003443.etf.barcapetf.com:3000: Get https://ldtdsr000003443.etf.barcapetf.com:3000/v2/: x509: certificate specifies an incompatible key usage]): quay.io/openshift-release-dev/ocp-release@sha256:d0f3b8dae00e0a5574af01fa927f7fb2a835495887566140274ae1ab227cbdf0: error pinging docker registry quay.io: Get https://quay.io/v2/: dial tcp i/o timeout

It says `x509: certificate specifies an incompatible key usage`.

The Key Usage in the certificate presented by the mirror registry is -
           X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
It works with FIPS disabled.

Key Usage from quay.io -
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment, Data Encipherment

How can this issue be mitigated?
Which Key Usage is not compatible with FIPS?

Comment 4 Dmitry Tantsur 2020-09-22 15:42:26 UTC
There seems to be an older bug with similar symptoms: https://bugzilla.redhat.com/show_bug.cgi?id=1731550

Comment 5 Dmitry Tantsur 2020-09-22 15:44:51 UTC
The probable cause is certificates with 4096 bits RSA keys, which is too long (!) for whatever Go library is in use. It should have been patched in https://bugzilla.redhat.com/show_bug.cgi?id=1731550 though.

Comment 6 W. Trevor King 2020-09-23 22:25:31 UTC
4.4 install issues should not block 4.6 going GA.  Punting to 4.7.  Any fixes may be backported to earlier releases.

Comment 7 Anshul Verma 2020-09-30 17:30:28 UTC
Hello Team,

The issue was the private key size: it was less than 2048 bits. When we used a certificate with a 2048-bit key, the issue was resolved.
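An added pre-install check, not part of this bug report or of the installer, that applies the same key rule Go's BoringCrypto (FIPS) build enforces while building a certificate chain: a key outside the allowed set fails chain building, which is why the failure surfaces as "incompatible key usage" rather than as a key-size complaint. The allowed set below is the current one (older builds were stricter, as Comment 5 suggests); `checkFIPSCert` and `selfSignedPEM` are hypothetical names, and the certificate the helper builds is constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// checkFIPSCert parses a PEM certificate (e.g. the mirror registry's server cert) and
// reports why its key would be rejected in FIPS mode: only RSA 2048/3072/4096 and ECDSA P-256/P-384/P-521 pass.
func checkFIPSCert(pemBytes []byte) error {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return fmt.Errorf("no CERTIFICATE block in input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	switch k := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		if bits := k.N.BitLen(); bits != 2048 && bits != 3072 && bits != 4096 {
			return fmt.Errorf("RSA key is %d bits; FIPS mode needs 2048, 3072 or 4096", bits)
		}
	case *ecdsa.PublicKey:
		if c := k.Curve; c != elliptic.P256() && c != elliptic.P384() && c != elliptic.P521() {
			return fmt.Errorf("ECDSA curve %s is not FIPS-approved", c.Params().Name)
		}
	default:
		return fmt.Errorf("key type %T is not usable in FIPS mode", cert.PublicKey)
	}
	return nil
}

// selfSignedPEM is a constructed stand-in for a registry certificate with an RSA key of
// the given size, carrying the same Key Usage bits as the one in the report; it is test data only.
func selfSignedPEM(bits int) []byte {
	key, _ := rsa.GenerateKey(rand.Reader, bits)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

Running `checkFIPSCert` over the registry's PEM before the install starts turns the opaque pull-time error into a message naming the actual key size.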
