Bug 1810036: Ensure service CA certs are created with unique serial numbers #110
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
openshift-ci-robot
added
the
bugzilla/invalid-bug
|
@marun: This pull request references Bugzilla bug 1810036, which is invalid:
Comment In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
openshift-ci-robot
added
size/M
|
/bugzilla refresh |
openshift-ci-robot
added
the
bugzilla/valid-bug
|
@marun: This pull request references Bugzilla bug 1810036, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker. 3 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
openshift-ci-robot
removed
the
bugzilla/invalid-bug
marun
force-pushed
the
intermediate-ca-cert-serial
branch
from
a13db8d
to
60892b3
Compare
stlaz
reviewed
Mar 5, 2020
| // cert bundle that includes the issuing CA cert and an intermediate CA | ||
| // cert generated by this function - with the issuing CA cert as the | ||
| // target and the previous CA as the signer - will not result in | ||
| // SEC_ERROR_REUSED_ISSUER_AND_SERIAL when read by applications like curl. |
There was a problem hiding this comment.
for the record: this is not about curl, curl itself would happily work if it was compiled with a different crypto backend than NSS (the crypto backend that Mozilla develops and uses in its software). https://tools.ietf.org/html/rfc5280#section-4.1.2.2 requires the serial number to be unique for each certificate signed by the CA (which this intermediate CA cert is), and NSS crypto works better when performing these checks.
There was a problem hiding this comment.
I don't disagree, I was just pointing out the symptom that is being addressed by the change. The adherence to any given RFC varies according to implementation - golang doesn't care, but NSS does.
There was a problem hiding this comment.
Sure, my only point was - curl is not a good example as it's usually compiled with OpenSSL backend in most distributions that I've seen, so you wouldn't be able to observe the symptoms.
stlaz
requested changes
Mar 5, 2020
| if err != nil { | ||
| return nil, fmt.Errorf("failed to find next serial number: %v", err) | ||
| } | ||
| template.SerialNumber = big.NewInt(serial) |
There was a problem hiding this comment.
We'll need the same for the signing CA as well
|
/hold Need to ensure self-signed CA also has a unique serial. |
openshift-ci-robot
added
do-not-merge/hold
marun
changed the title
openshift-ci-robot
added
the
do-not-merge/work-in-progress
|
@marun: This pull request references Bugzilla bug 1810036, which is valid. 3 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
marun
force-pushed
the
intermediate-ca-cert-serial
branch
from
5bfa69e
to
7fc7f9f
Compare
openshift-ci-robot
removed
the
needs-rebase
|
/retest |
1 similar comment
|
/retest |
marun
force-pushed
the
intermediate-ca-cert-serial
branch
from
7fc7f9f
to
cc39375
Compare
marun
changed the title
openshift-ci-robot
removed
the
do-not-merge/work-in-progress
|
/hold cancel |
openshift-ci-robot
removed
the
do-not-merge/hold
marun
force-pushed
the
intermediate-ca-cert-serial
branch
from
cc39375
to
33e65e8
Compare
marun
changed the title
|
@marun: This pull request references Bugzilla bug 1810036, which is valid. 3 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@stlaz Updated with library-go fix, PTAL. |
This change ensures that an intermediate CA cert is generated with a unique serial number so that serving cert bundles can be loaded without error. Previously, intermediate CA certs were created with the same serial number as their template. Since a serving cert bundle includes the issuing CA cert and an intermediate CA cert (created by signing the issuing CA cert with the previous CA's private key), this lack of serial number differentiation resulted in SEC_ERROR_REUSED_ISSUER_AND_SERIAL when the bundle was read by curl due to the issuing and intermediate CAs sharing the same issuer and serial number.
marun
force-pushed
the
intermediate-ca-cert-serial
branch
from
33e65e8
to
3517520
Compare
|
/retest |
1 similar comment
|
/retest |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: marun, stlaz The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
@marun: All pull requests linked via external trackers have merged. Bugzilla bug 1810036 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/cherry-pick release-4.4 |
|
@marun: #110 failed to apply on top of branch "release-4.4": In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
This was referenced Mar 9, 2020
Merged
Merged
wking
added a commit
to wking/cincinnati-graph-data
that referenced
this pull request
Mar 18, 2020
…1810036
Also tombstone affected releases to avoid further channel promotion
for affected releases. Details on the bug:
* 4.5: Fixed by [1], service-ca-operator 74b5ce2 [2], which included library-go
d9c73bb [3].
* 4.4: Introduced by [4] (no PR?). Fixed by [5], service-ca-operator
e5a04d6 [6], which included library-go 3c25293 [7].
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.0-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 094a9ad02dbe3bcb57d5fbad301cfcfcd48bd2ed
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.1-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 094a9ad02dbe3bcb57d5fbad301cfcfcd48bd2ed
$ git --no-pager log -2 --first-parent --oneline origin/release-4.4
e5a04d6a (origin/release-4.4) Merge pull request openshift#111 from marun/4.4-unique-ca-serial
094a9ad0 Merge pull request #95 from vareti/signer-ca-metrics
So both RCs are affected.
* 4.3: Introduced by [8], service-ca-operator 8395d65 [9]. Fixed by
[10], service-ca-operator dd7235b [11], which includes library-go
5844159 [12].
Fix has not been released yet.
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.3.3-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 774c394da334dec446703545d4baaf89611ccb9d
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.3.5-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 8395d65888b0a4249277989f18ee03f45383e409
So this was introduced in 4.3.5 (there was no 4.3.4).
* 4.2: Introduced by [13], service-ca-operator 0324055 [14], which
includes library-go 2cf86bb [15] and API 8ce0047 [16]. Fix in
flight with [17,18]. [19] has already landed with library-go
d58edcb.
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.2.21-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator f6720573b9b63147436374e51e6fda44683b1e9f
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.2.22-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 0324055c3bad3a857dcf3471c024bf42c20d549e
So this was introduced in 4.2.22.
* 4.1: Backport stream introducing the bug is still ASSIGNED [20], so
no 4.1 impact yet.
[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1810036
[2]: openshift/service-ca-operator#110 (comment)
[3]: openshift/library-go#726 (comment)
[4]: https://bugzilla.redhat.com/show_bug.cgi?id=1774121
[5]: https://bugzilla.redhat.com/show_bug.cgi?id=1810418
[6]: openshift/service-ca-operator#111 (comment)
[7]: openshift/library-go#728 (comment)
[8]: https://bugzilla.redhat.com/show_bug.cgi?id=1788179
[9]: openshift/service-ca-operator#104 (comment)
[10]: https://bugzilla.redhat.com/show_bug.cgi?id=1810420
[11]: openshift/service-ca-operator#112 (comment)
[12]: openshift/library-go#729 (comment)
[13]: https://bugzilla.redhat.com/show_bug.cgi?id=1774156
[14]: openshift/service-ca-operator#105 (comment)
[15]: openshift/library-go#684 (comment)
[16]: openshift/api#577 (comment)
[17]: https://bugzilla.redhat.com/show_bug.cgi?id=1810421
[18]: openshift/service-ca-operator#113
[19]: openshift/library-go#730 (comment)
[20]: https://bugzilla.redhat.com/show_bug.cgi?id=1774157
wking
added a commit
to wking/cincinnati-graph-data
that referenced
this pull request
Mar 18, 2020
…1810036
Also tombstone affected releases to avoid further channel promotion
for affected releases. Details on the bug:
* 4.5: Fixed by [1], service-ca-operator 74b5ce2 [2], which included library-go
d9c73bb [3].
* 4.4: Introduced by [4] (no PR?). Fixed by [5], service-ca-operator
e5a04d6 [6], which included library-go 3c25293 [7].
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.0-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 094a9ad02dbe3bcb57d5fbad301cfcfcd48bd2ed
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.1-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 094a9ad02dbe3bcb57d5fbad301cfcfcd48bd2ed
$ git --no-pager log -2 --first-parent --oneline origin/release-4.4
e5a04d6a (origin/release-4.4) Merge pull request openshift#111 from marun/4.4-unique-ca-serial
094a9ad0 Merge pull request #95 from vareti/signer-ca-metrics
So both RCs are affected.
* 4.3: Introduced by [8], service-ca-operator 8395d65 [9]. Fixed by
[10], service-ca-operator dd7235b [11], which includes library-go
5844159 [12].
Fix has not been released yet.
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.3.3-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 774c394da334dec446703545d4baaf89611ccb9d
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.3.5-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 8395d65888b0a4249277989f18ee03f45383e409
So this was introduced in 4.3.5 (there was no 4.3.4).
* 4.2: Introduced by [13], service-ca-operator 0324055 [14], which
includes library-go 2cf86bb [15] and API 8ce0047 [16]. Fix in
flight with [17,18]. [19] has already landed with library-go
d58edcb.
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.2.21-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator f6720573b9b63147436374e51e6fda44683b1e9f
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.2.22-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 0324055c3bad3a857dcf3471c024bf42c20d549e
So this was introduced in 4.2.22.
* 4.1: Backport stream introducing the bug is still ASSIGNED [20], so
no 4.1 impact yet.
[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1810036
[2]: openshift/service-ca-operator#110 (comment)
[3]: openshift/library-go#726 (comment)
[4]: https://bugzilla.redhat.com/show_bug.cgi?id=1774121
[5]: https://bugzilla.redhat.com/show_bug.cgi?id=1810418
[6]: openshift/service-ca-operator#111 (comment)
[7]: openshift/library-go#728 (comment)
[8]: https://bugzilla.redhat.com/show_bug.cgi?id=1788179
[9]: openshift/service-ca-operator#104 (comment)
[10]: https://bugzilla.redhat.com/show_bug.cgi?id=1810420
[11]: openshift/service-ca-operator#112 (comment)
[12]: openshift/library-go#729 (comment)
[13]: https://bugzilla.redhat.com/show_bug.cgi?id=1774156
[14]: openshift/service-ca-operator#105 (comment)
[15]: openshift/library-go#684 (comment)
[16]: openshift/api#577 (comment)
[17]: https://bugzilla.redhat.com/show_bug.cgi?id=1810421
[18]: openshift/service-ca-operator#113
[19]: openshift/library-go#730 (comment)
[20]: https://bugzilla.redhat.com/show_bug.cgi?id=1774157
wking
added a commit
to wking/cincinnati-graph-data
that referenced
this pull request
Mar 18, 2020
…1810036
Also tombstone affected releases to avoid further channel promotion
for affected releases. Details on the bug:
* 4.5: Fixed by [1], service-ca-operator 74b5ce2 [2], which included library-go
d9c73bb [3].
* 4.4: Introduced by [4] (no PR?). Fixed by [5], service-ca-operator
e5a04d6 [6], which included library-go 3c25293 [7].
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.0-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 094a9ad02dbe3bcb57d5fbad301cfcfcd48bd2ed
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.1-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 094a9ad02dbe3bcb57d5fbad301cfcfcd48bd2ed
$ git --no-pager log -2 --first-parent --oneline origin/release-4.4
e5a04d6a (origin/release-4.4) Merge pull request openshift#111 from marun/4.4-unique-ca-serial
094a9ad0 Merge pull request #95 from vareti/signer-ca-metrics
So both RCs are affected.
* 4.3: Introduced by [8], service-ca-operator 8395d65 [9]. Fixed by
[10], service-ca-operator dd7235b [11], which includes library-go
5844159 [12].
Fix has not been released yet.
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.3.3-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 774c394da334dec446703545d4baaf89611ccb9d
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.3.5-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 8395d65888b0a4249277989f18ee03f45383e409
So this was introduced in 4.3.5 (there was no 4.3.4).
* 4.2: Introduced by [13], service-ca-operator 0324055 [14], which
includes library-go 2cf86bb [15] and API 8ce0047 [16]. Fix in
flight with [17,18]. [19] has already landed with library-go
d58edcb.
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.2.21-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator f6720573b9b63147436374e51e6fda44683b1e9f
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.2.22-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 0324055c3bad3a857dcf3471c024bf42c20d549e
So this was introduced in 4.2.22.
* 4.1: Backport stream introducing the bug is still ASSIGNED [20], so
no 4.1 impact yet.
[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1810036
[2]: openshift/service-ca-operator#110 (comment)
[3]: openshift/library-go#726 (comment)
[4]: https://bugzilla.redhat.com/show_bug.cgi?id=1774121
[5]: https://bugzilla.redhat.com/show_bug.cgi?id=1810418
[6]: openshift/service-ca-operator#111 (comment)
[7]: openshift/library-go#728 (comment)
[8]: https://bugzilla.redhat.com/show_bug.cgi?id=1788179
[9]: openshift/service-ca-operator#104 (comment)
[10]: https://bugzilla.redhat.com/show_bug.cgi?id=1810420
[11]: openshift/service-ca-operator#112 (comment)
[12]: openshift/library-go#729 (comment)
[13]: https://bugzilla.redhat.com/show_bug.cgi?id=1774156
[14]: openshift/service-ca-operator#105 (comment)
[15]: openshift/library-go#684 (comment)
[16]: openshift/api#577 (comment)
[17]: https://bugzilla.redhat.com/show_bug.cgi?id=1810421
[18]: openshift/service-ca-operator#113
[19]: openshift/library-go#730 (comment)
[20]: https://bugzilla.redhat.com/show_bug.cgi?id=1774157
wking
added a commit
to wking/cincinnati-graph-data
that referenced
this pull request
Mar 18, 2020
…1810036
The bugs were introduced by the [1] series, and fixed by the
combination of [2,3]. This commit also tombstones affected releases
to avoid further channel promotion. Details on the bug:
* 4.5: Introduced by [1] (no PR?). Fixed by [2], service-ca-operator
74b5ce2 [4], which included library-go d9c73bb [5].
Also fixed by [3], oauth-proxy 3d0621e [6], which landed before the
4.4/4.5 split.
* 4.4: Introduced by [1] (no PR?). Fixed by [7], service-ca-operator
e5a04d6 [7], which included library-go 3c25293 [9].
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.0-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 094a9ad02dbe3bcb57d5fbad301cfcfcd48bd2ed
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.1-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 094a9ad02dbe3bcb57d5fbad301cfcfcd48bd2ed
$ git --no-pager log -2 --first-parent --oneline origin/release-4.4
e5a04d6a (origin/release-4.4) Merge pull request openshift#111 from marun/4.4-unique-ca-serial
094a9ad0 Merge pull request #95 from vareti/signer-ca-metrics
So both RCs are affected.
Also fixed by [3], oauth-proxy 3d0621e [6], which landed before the
4.4/4.5 split.
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.0-x86_64 | grep oauth-proxy
oauth-proxy https://github.com/openshift/oauth-proxy 3d0621eb72c9dd1c036505363032468a9016f381
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.1-x86_64 | grep oauth-proxy
oauth-proxy https://github.com/openshift/oauth-proxy 3d0621eb72c9dd1c036505363032468a9016f381
So both RCs have OAuth fix, but neither has the service-ca-operator
fix.
* 4.3: Introduced by [10], service-ca-operator 8395d65 [11]. Fixed by
[12], service-ca-operator dd7235b [13], which includes library-go
5844159 [14].
Fix has not been released yet.
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.3.3-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 774c394da334dec446703545d4baaf89611ccb9d
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.3.5-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 8395d65888b0a4249277989f18ee03f45383e409
So this was introduced in 4.3.5 (there was no 4.3.4).
Fix also requires the OAuth proxy fix [15,16], which is still in
flight.
* 4.2: Introduced by [17], service-ca-operator 0324055 [18], which
includes library-go 2cf86bb [19] and API 8ce0047 [20]. Fix in
flight with [21,22]. [23] has already landed with library-go
d58edcb.
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.2.21-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator f6720573b9b63147436374e51e6fda44683b1e9f
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.2.22-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 0324055c3bad3a857dcf3471c024bf42c20d549e
So this was introduced in 4.2.22.
Fix also requires the OAuth proxy fix [24,25], which is still in
flight.
* 4.1: Backport stream introducing the bug is still ASSIGNED [26], so
no 4.1 impact yet.
[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1774121
[2]: https://bugzilla.redhat.com/show_bug.cgi?id=1810036
[3]: https://bugzilla.redhat.com/show_bug.cgi?id=1801573
[4]: openshift/service-ca-operator#110 (comment)
[5]: openshift/library-go#726 (comment)
[6]: openshift/oauth-proxy#152 (comment)
[7]: https://bugzilla.redhat.com/show_bug.cgi?id=1810418
[8]: openshift/service-ca-operator#111 (comment)
[9]: openshift/library-go#728 (comment)
[10]: https://bugzilla.redhat.com/show_bug.cgi?id=1788179
[11]: openshift/service-ca-operator#104 (comment)
[12]: https://bugzilla.redhat.com/show_bug.cgi?id=1810420
[13]: openshift/service-ca-operator#112 (comment)
[14]: openshift/library-go#729 (comment)
[15]: https://bugzilla.redhat.com/show_bug.cgi?id=1809253
[16]: openshift/oauth-proxy#160
[17]: https://bugzilla.redhat.com/show_bug.cgi?id=1774156
[18]: openshift/service-ca-operator#105 (comment)
[19]: openshift/library-go#684 (comment)
[20]: openshift/api#577 (comment)
[21]: https://bugzilla.redhat.com/show_bug.cgi?id=1810421
[22]: openshift/service-ca-operator#113
[23]: openshift/library-go#730 (comment)
[24]: https://bugzilla.redhat.com/show_bug.cgi?id=1809258
[25]: openshift/oauth-proxy#164
[26]: https://bugzilla.redhat.com/show_bug.cgi?id=1774157
wking
added a commit
to wking/cincinnati-graph-data
that referenced
this pull request
Mar 18, 2020
…1810036
The bugs were introduced by the [1] series, and fixed by the
combination of [2,3]. This commit also tombstones affected releases
to avoid further channel promotion. Details on the bug:
* 4.5: Introduced by [1] (no linked PR, so not sure exactly when it
was introduced). Fixed by [2], service-ca-operator 74b5ce2 [4],
which included library-go d9c73bb [5].
Also fixed by [3], oauth-proxy 3d0621e [6], which landed before the
4.4/4.5 split.
* 4.4: Introduced by [1] (no linked PR, so not sure exactly when it
was introduced). Fixed by [7], service-ca-operator e5a04d6 [7],
which included library-go 3c25293 [9].
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.0-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 094a9ad02dbe3bcb57d5fbad301cfcfcd48bd2ed
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.1-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 094a9ad02dbe3bcb57d5fbad301cfcfcd48bd2ed
$ git --no-pager log -2 --first-parent --oneline origin/release-4.4
e5a04d6a (origin/release-4.4) Merge pull request openshift#111 from marun/4.4-unique-ca-serial
094a9ad0 Merge pull request #95 from vareti/signer-ca-metrics
So both RCs are affected.
Also fixed by [3], oauth-proxy 3d0621e [6], which landed before the
4.4/4.5 split.
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.0-x86_64 | grep oauth-proxy
oauth-proxy https://github.com/openshift/oauth-proxy 3d0621eb72c9dd1c036505363032468a9016f381
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.1-x86_64 | grep oauth-proxy
oauth-proxy https://github.com/openshift/oauth-proxy 3d0621eb72c9dd1c036505363032468a9016f381
So both RCs have OAuth fix, but neither has the service-ca-operator
fix.
* 4.3: Introduced by [10], service-ca-operator 8395d65 [11]. Fixed by
[12], service-ca-operator dd7235b [13], which includes library-go
5844159 [14].
Fix has not been released yet.
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.3.3-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 774c394da334dec446703545d4baaf89611ccb9d
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.3.5-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 8395d65888b0a4249277989f18ee03f45383e409
So this was introduced in 4.3.5 (there was no 4.3.4).
Fix also requires the OAuth proxy fix [15,16], which is still in
flight.
* 4.2: Introduced by [17], service-ca-operator 0324055 [18], which
includes library-go 2cf86bb [19] and API 8ce0047 [20]. Fix in
flight with [21,22]. [23] has already landed with library-go
d58edcb.
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.2.21-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator f6720573b9b63147436374e51e6fda44683b1e9f
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.2.22-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 0324055c3bad3a857dcf3471c024bf42c20d549e
So this was introduced in 4.2.22.
Fix also requires the OAuth proxy fix [24,25], which is still in
flight.
* 4.1: Backport stream introducing the bug is still ASSIGNED [26], so
no 4.1 impact yet.
[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1774121
[2]: https://bugzilla.redhat.com/show_bug.cgi?id=1810036
[3]: https://bugzilla.redhat.com/show_bug.cgi?id=1801573
[4]: openshift/service-ca-operator#110 (comment)
[5]: openshift/library-go#726 (comment)
[6]: openshift/oauth-proxy#152 (comment)
[7]: https://bugzilla.redhat.com/show_bug.cgi?id=1810418
[8]: openshift/service-ca-operator#111 (comment)
[9]: openshift/library-go#728 (comment)
[10]: https://bugzilla.redhat.com/show_bug.cgi?id=1788179
[11]: openshift/service-ca-operator#104 (comment)
[12]: https://bugzilla.redhat.com/show_bug.cgi?id=1810420
[13]: openshift/service-ca-operator#112 (comment)
[14]: openshift/library-go#729 (comment)
[15]: https://bugzilla.redhat.com/show_bug.cgi?id=1809253
[16]: openshift/oauth-proxy#160
[17]: https://bugzilla.redhat.com/show_bug.cgi?id=1774156
[18]: openshift/service-ca-operator#105 (comment)
[19]: openshift/library-go#684 (comment)
[20]: openshift/api#577 (comment)
[21]: https://bugzilla.redhat.com/show_bug.cgi?id=1810421
[22]: openshift/service-ca-operator#113
[23]: openshift/library-go#730 (comment)
[24]: https://bugzilla.redhat.com/show_bug.cgi?id=1809258
[25]: openshift/oauth-proxy#164
[26]: https://bugzilla.redhat.com/show_bug.cgi?id=1774157
wking
added a commit
to wking/cincinnati-graph-data
that referenced
this pull request
Mar 18, 2020
…1810036
The bugs were introduced by the [1] series, and fixed by the
combination of [2,3]. This commit also tombstones affected releases
to avoid further channel promotion. Details on the bug:
* 4.5: Introduced by [1] (no linked PR, so not sure exactly when it
was introduced). Fixed by [2], service-ca-operator 74b5ce2 [4],
which included library-go d9c73bb [5].
Also fixed by [3], oauth-proxy 3d0621e [6], which landed before the
4.4/4.5 split.
* 4.4: Introduced by [1] (no linked PR, so not sure exactly when it
was introduced). Fixed by [7], service-ca-operator e5a04d6 [7],
which included library-go 3c25293 [9].
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.0-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 094a9ad02dbe3bcb57d5fbad301cfcfcd48bd2ed
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.1-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 094a9ad02dbe3bcb57d5fbad301cfcfcd48bd2ed
$ git --no-pager log -2 --first-parent --oneline origin/release-4.4
e5a04d6a (origin/release-4.4) Merge pull request openshift#111 from marun/4.4-unique-ca-serial
094a9ad0 Merge pull request #95 from vareti/signer-ca-metrics
So both RCs are affected.
Also fixed by [3], oauth-proxy 3d0621e [6], which landed before the
4.4/4.5 split.
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.0-x86_64 | grep oauth-proxy
oauth-proxy https://github.com/openshift/oauth-proxy 3d0621eb72c9dd1c036505363032468a9016f381
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.1-x86_64 | grep oauth-proxy
oauth-proxy https://github.com/openshift/oauth-proxy 3d0621eb72c9dd1c036505363032468a9016f381
So both RCs have OAuth fix, but neither has the service-ca-operator
fix.
* 4.3: Introduced by [10], service-ca-operator 8395d65 [11]. Fixed by
[12], service-ca-operator dd7235b [13], which includes library-go
5844159 [14].
Fix has not been released yet.
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.3.3-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 774c394da334dec446703545d4baaf89611ccb9d
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.3.5-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 8395d65888b0a4249277989f18ee03f45383e409
So this was introduced in 4.3.5 (there was no 4.3.4).
Fix also requires the OAuth proxy fix [15,16], which is still in
flight.
* 4.2: Introduced by [17], service-ca-operator 0324055 [18], which
includes library-go 2cf86bb [19] and API 8ce0047 [20]. Fix in
flight with [21,22]. [23] has already landed with library-go
d58edcb.
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.2.21-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator f6720573b9b63147436374e51e6fda44683b1e9f
$ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.2.22-x86_64 | grep service-ca-operator
service-ca-operator https://github.com/openshift/service-ca-operator 0324055c3bad3a857dcf3471c024bf42c20d549e
So this was introduced in 4.2.22.
Fix also requires the OAuth proxy fix [24,25], which is still in
flight.
* 4.1: Backport stream introducing the bug is still ASSIGNED [26], so
no 4.1 impact yet.
[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1774121
[2]: https://bugzilla.redhat.com/show_bug.cgi?id=1810036
[3]: https://bugzilla.redhat.com/show_bug.cgi?id=1801573
[4]: openshift/service-ca-operator#110 (comment)
[5]: openshift/library-go#726 (comment)
[6]: openshift/oauth-proxy#152 (comment)
[7]: https://bugzilla.redhat.com/show_bug.cgi?id=1810418
[8]: openshift/service-ca-operator#111 (comment)
[9]: openshift/library-go#728 (comment)
[10]: https://bugzilla.redhat.com/show_bug.cgi?id=1788179
[11]: openshift/service-ca-operator#104 (comment)
[12]: https://bugzilla.redhat.com/show_bug.cgi?id=1810420
[13]: openshift/service-ca-operator#112 (comment)
[14]: openshift/library-go#729 (comment)
[15]: https://bugzilla.redhat.com/show_bug.cgi?id=1809253
[16]: openshift/oauth-proxy#160
[17]: https://bugzilla.redhat.com/show_bug.cgi?id=1774156
[18]: openshift/service-ca-operator#105 (comment)
[19]: openshift/library-go#684 (comment)
[20]: openshift/api#577 (comment)
[21]: https://bugzilla.redhat.com/show_bug.cgi?id=1810421
[22]: openshift/service-ca-operator#113
[23]: openshift/library-go#730 (comment)
[24]: https://bugzilla.redhat.com/show_bug.cgi?id=1809258
[25]: openshift/oauth-proxy#164
[26]: https://bugzilla.redhat.com/show_bug.cgi?id=1774157
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This change ensures that service CA certs are generated with a unique serial number so that serving cert bundles can be loaded without error. The library-go bump ensures that the signing CA will have a randomly-generated serial number and the operator change ensures that intermediate CAs will the same.
Previously, intermediate CA certs were created with the same serial number as their template. Since a serving cert bundle includes the issuing CA cert and an intermediate CA cert (created by signing the issuing CA cert with the previous CA's private key), this lack of serial number differentiation resulted in SEC_ERROR_REUSED_ISSUER_AND_SERIAL when the bundle was read by curl due to the issuing and intermediate CAs sharing the same issuer and serial number.