Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1997337

Summary: [docs] api server certs are not updated to include a SAN when upgrading from 4.5
Product: OpenShift Container Platform
Reporter: Kazuhisa Hara <kahara>
Component: Documentation
Assignee: Chinmayi Chandrasekhar <cchandra>
Status: CLOSED CURRENTRELEASE
QA Contact: liyao
Severity: medium
Docs Contact: Latha S <lmurthy>
Priority: medium
Version: 4.6
CC: aos-bugs, aos-install, aos-team-ota, aygarg, bleanhar, cchandra, faltahe, gekulkar, jhixson, jialiu, jokerman, kahara, lmurthy, mbagga, mfojtik, mstaeble, wking, yaoli, yinzhou
Target Milestone: ---
Keywords: Reopened
Target Release: 4.6.z
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1889204
Environment:
Last Closed: 2021-10-05 16:15:07 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1889204
Bug Blocks:

Comment 2 Chinmayi Chandrasekhar 2021-09-08 10:52:25 UTC
@kahara: In the 4.6 Release Notes, I see the following under deprecated features:

The behavior of falling back to the Common Name field on X.509 certificates as a host name when no Subject Alternative Names are present is deprecated. In a future release, this behavior will be removed, and certificates must properly set the Subject Alternative Names field.

In 4.7+ versions, it is completely removed from the Release Notes document. Do you want it to be included back under the removed features heading? What is the exact update needed in the Release Notes document for 4.6+?

Comment 3 Kazuhisa Hara 2021-09-08 11:35:11 UTC
Hello Chinmayi,

> What is the exact update needed in the Release Notes document for 4.6+?

From the discussion in BZ#1889204, it seems that registries with non-SANs certificates are "already can't use" rather than just "deprecated" at 4.6.
If this is a specification, we should state that it does not work, not "deprecated".

Would you please confirm it as Eng/QE and update the documentation?


(In reply to Chinmayi Chandrasekhar from comment #2)
> @kahara: In the 4.6 Release Notes, I see the following under
> deprecated features:
> 
> The behavior of falling back to the Common Name field on X.509 certificates
> as a host name when no Subject Alternative Names are present is deprecated.
> In a future release, this behavior will be removed, and certificates must
> properly set the Subject Alternative Names field.
> 
> In 4.7+ versions, it is completely removed from the Release Notes document.
> Do you want it to be included back under the removed features heading? What
> is the exact update needed in the Release Notes document for 4.6+?

Comment 4 Chinmayi Chandrasekhar 2021-09-14 11:52:52 UTC
PR associated with the fix: https://github.com/openshift/openshift-docs/pull/36324