Bug 1810036: Ensure service CA certs are created with unique serial numbers #110
Conversation
@marun: This pull request references Bugzilla bug 1810036, which is invalid:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/bugzilla refresh
@marun: This pull request references Bugzilla bug 1810036, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker. 3 validation(s) were run on this bug
Force-pushed from a13db8d to 60892b3
// cert bundle that includes the issuing CA cert and an intermediate CA | ||
// cert generated by this function - with the issuing CA cert as the | ||
// target and the previous CA as the signer - will not result in | ||
// SEC_ERROR_REUSED_ISSUER_AND_SERIAL when read by applications like curl. |
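Review bot: The comment justifies the unique serial by the symptom ("SEC_ERROR_REUSED_ISSUER_AND_SERIAL when read by applications like curl"), but the underlying requirement is RFC 5280 section 4.1.2.2, which requires each serial number to be unique among the certificates issued by a given CA, and the symptom is only visible to NSS-backed clients, so a curl built against OpenSSL would not show it. Suggest citing the RFC and naming NSS rather than curl in the comment.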
for the record: this is not about curl, curl itself would happily work if it was compiled with a different crypto backend than NSS (the crypto backend that Mozilla develops and uses in its software). https://tools.ietf.org/html/rfc5280#section-4.1.2.2 requires the serial number to be unique for each certificate signed by the CA (which this intermediate CA cert is), and NSS crypto works better when performing these checks.
I don't disagree, I was just pointing out the symptom that is being addressed by the change. The adherence to any given RFC varies according to implementation - golang doesn't care, but NSS does.
Sure, my only point was - curl is not a good example as it's usually compiled with OpenSSL backend in most distributions that I've seen, so you wouldn't be able to observe the symptoms.
if err != nil { | ||
return nil, fmt.Errorf("failed to find next serial number: %v", err) | ||
} | ||
template.SerialNumber = big.NewInt(serial) |
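Review bot: The fresh serial is assigned here only to the intermediate's template (`template.SerialNumber = big.NewInt(serial)`); the self-signed signing CA is created separately and needs its own unique serial too, otherwise the issuing CA cert and the intermediate can still collide on issuer and serial. Also, the error is wrapped with `%v`; if the module targets Go 1.13 or later, `%w` would keep the underlying error available to callers.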
We'll need the same for the signing CA as well
/hold Need to ensure self-signed CA also has a unique serial.
@marun: This pull request references Bugzilla bug 1810036, which is valid. 3 validation(s) were run on this bug
Force-pushed from 5bfa69e to 7fc7f9f
/retest
/retest
Force-pushed from 7fc7f9f to cc39375
/hold cancel
Force-pushed from cc39375 to 33e65e8
@marun: This pull request references Bugzilla bug 1810036, which is valid. 3 validation(s) were run on this bug
@stlaz Updated with library-go fix, PTAL.
This change ensures that an intermediate CA cert is generated with a unique serial number so that serving cert bundles can be loaded without error. Previously, intermediate CA certs were created with the same serial number as their template. Since a serving cert bundle includes the issuing CA cert and an intermediate CA cert (created by signing the issuing CA cert with the previous CA's private key), this lack of serial number differentiation resulted in SEC_ERROR_REUSED_ISSUER_AND_SERIAL when the bundle was read by curl due to the issuing and intermediate CAs sharing the same issuer and serial number.
Force-pushed from 33e65e8 to 3517520
/retest
/retest
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: marun, stlaz

The full list of commands accepted by this bot can be found here. The pull request process is described here.

/retest Please review the full test history for this PR and help us cut down flakes.
@marun: All pull requests linked via external trackers have merged. Bugzilla bug 1810036 has been moved to the MODIFIED state.
/cherry-pick release-4.4
@marun: #110 failed to apply on top of branch "release-4.4":
…1810036

Also tombstone affected releases to avoid further channel promotion for affected releases.

Details on the bug:

* 4.5: Fixed by [1], service-ca-operator 74b5ce2 [2], which included library-go d9c73bb [3].
* 4.4: Introduced by [4] (no PR?). Fixed by [5], service-ca-operator e5a04d6 [6], which included library-go 3c25293 [7].

    $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.0-x86_64 | grep service-ca-operator
    service-ca-operator https://github.com/openshift/service-ca-operator 094a9ad02dbe3bcb57d5fbad301cfcfcd48bd2ed
    $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.1-x86_64 | grep service-ca-operator
    service-ca-operator https://github.com/openshift/service-ca-operator 094a9ad02dbe3bcb57d5fbad301cfcfcd48bd2ed
    $ git --no-pager log -2 --first-parent --oneline origin/release-4.4
    e5a04d6a (origin/release-4.4) Merge pull request openshift#111 from marun/4.4-unique-ca-serial
    094a9ad0 Merge pull request #95 from vareti/signer-ca-metrics

  So both RCs are affected.
* 4.3: Introduced by [8], service-ca-operator 8395d65 [9]. Fixed by [10], service-ca-operator dd7235b [11], which includes library-go 5844159 [12]. Fix has not been released yet.

    $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.3.3-x86_64 | grep service-ca-operator
    service-ca-operator https://github.com/openshift/service-ca-operator 774c394da334dec446703545d4baaf89611ccb9d
    $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.3.5-x86_64 | grep service-ca-operator
    service-ca-operator https://github.com/openshift/service-ca-operator 8395d65888b0a4249277989f18ee03f45383e409

  So this was introduced in 4.3.5 (there was no 4.3.4).
* 4.2: Introduced by [13], service-ca-operator 0324055 [14], which includes library-go 2cf86bb [15] and API 8ce0047 [16]. Fix in flight with [17,18]. [19] has already landed with library-go d58edcb.

    $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.2.21-x86_64 | grep service-ca-operator
    service-ca-operator https://github.com/openshift/service-ca-operator f6720573b9b63147436374e51e6fda44683b1e9f
    $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.2.22-x86_64 | grep service-ca-operator
    service-ca-operator https://github.com/openshift/service-ca-operator 0324055c3bad3a857dcf3471c024bf42c20d549e

  So this was introduced in 4.2.22.
* 4.1: Backport stream introducing the bug is still ASSIGNED [20], so no 4.1 impact yet.

[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1810036
[2]: openshift/service-ca-operator#110 (comment)
[3]: openshift/library-go#726 (comment)
[4]: https://bugzilla.redhat.com/show_bug.cgi?id=1774121
[5]: https://bugzilla.redhat.com/show_bug.cgi?id=1810418
[6]: openshift/service-ca-operator#111 (comment)
[7]: openshift/library-go#728 (comment)
[8]: https://bugzilla.redhat.com/show_bug.cgi?id=1788179
[9]: openshift/service-ca-operator#104 (comment)
[10]: https://bugzilla.redhat.com/show_bug.cgi?id=1810420
[11]: openshift/service-ca-operator#112 (comment)
[12]: openshift/library-go#729 (comment)
[13]: https://bugzilla.redhat.com/show_bug.cgi?id=1774156
[14]: openshift/service-ca-operator#105 (comment)
[15]: openshift/library-go#684 (comment)
[16]: openshift/api#577 (comment)
[17]: https://bugzilla.redhat.com/show_bug.cgi?id=1810421
[18]: openshift/service-ca-operator#113
[19]: openshift/library-go#730 (comment)
[20]: https://bugzilla.redhat.com/show_bug.cgi?id=1774157
…1810036

The bugs were introduced by the [1] series, and fixed by the combination of [2,3]. This commit also tombstones affected releases to avoid further channel promotion.

Details on the bug:

* 4.5: Introduced by [1] (no PR?). Fixed by [2], service-ca-operator 74b5ce2 [4], which included library-go d9c73bb [5]. Also fixed by [3], oauth-proxy 3d0621e [6], which landed before the 4.4/4.5 split.
* 4.4: Introduced by [1] (no PR?). Fixed by [7], service-ca-operator e5a04d6 [7], which included library-go 3c25293 [9].

    $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.0-x86_64 | grep service-ca-operator
    service-ca-operator https://github.com/openshift/service-ca-operator 094a9ad02dbe3bcb57d5fbad301cfcfcd48bd2ed
    $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.1-x86_64 | grep service-ca-operator
    service-ca-operator https://github.com/openshift/service-ca-operator 094a9ad02dbe3bcb57d5fbad301cfcfcd48bd2ed
    $ git --no-pager log -2 --first-parent --oneline origin/release-4.4
    e5a04d6a (origin/release-4.4) Merge pull request openshift#111 from marun/4.4-unique-ca-serial
    094a9ad0 Merge pull request #95 from vareti/signer-ca-metrics

  So both RCs are affected. Also fixed by [3], oauth-proxy 3d0621e [6], which landed before the 4.4/4.5 split.

    $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.0-x86_64 | grep oauth-proxy
    oauth-proxy https://github.com/openshift/oauth-proxy 3d0621eb72c9dd1c036505363032468a9016f381
    $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.1-x86_64 | grep oauth-proxy
    oauth-proxy https://github.com/openshift/oauth-proxy 3d0621eb72c9dd1c036505363032468a9016f381

  So both RCs have OAuth fix, but neither has the service-ca-operator fix.
* 4.3: Introduced by [10], service-ca-operator 8395d65 [11]. Fixed by [12], service-ca-operator dd7235b [13], which includes library-go 5844159 [14]. Fix has not been released yet.

    $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.3.3-x86_64 | grep service-ca-operator
    service-ca-operator https://github.com/openshift/service-ca-operator 774c394da334dec446703545d4baaf89611ccb9d
    $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.3.5-x86_64 | grep service-ca-operator
    service-ca-operator https://github.com/openshift/service-ca-operator 8395d65888b0a4249277989f18ee03f45383e409

  So this was introduced in 4.3.5 (there was no 4.3.4). Fix also requires the OAuth proxy fix [15,16], which is still in flight.
* 4.2: Introduced by [17], service-ca-operator 0324055 [18], which includes library-go 2cf86bb [19] and API 8ce0047 [20]. Fix in flight with [21,22]. [23] has already landed with library-go d58edcb.

    $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.2.21-x86_64 | grep service-ca-operator
    service-ca-operator https://github.com/openshift/service-ca-operator f6720573b9b63147436374e51e6fda44683b1e9f
    $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.2.22-x86_64 | grep service-ca-operator
    service-ca-operator https://github.com/openshift/service-ca-operator 0324055c3bad3a857dcf3471c024bf42c20d549e

  So this was introduced in 4.2.22. Fix also requires the OAuth proxy fix [24,25], which is still in flight.
* 4.1: Backport stream introducing the bug is still ASSIGNED [26], so no 4.1 impact yet.

[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1774121
[2]: https://bugzilla.redhat.com/show_bug.cgi?id=1810036
[3]: https://bugzilla.redhat.com/show_bug.cgi?id=1801573
[4]: openshift/service-ca-operator#110 (comment)
[5]: openshift/library-go#726 (comment)
[6]: openshift/oauth-proxy#152 (comment)
[7]: https://bugzilla.redhat.com/show_bug.cgi?id=1810418
[8]: openshift/service-ca-operator#111 (comment)
[9]: openshift/library-go#728 (comment)
[10]: https://bugzilla.redhat.com/show_bug.cgi?id=1788179
[11]: openshift/service-ca-operator#104 (comment)
[12]: https://bugzilla.redhat.com/show_bug.cgi?id=1810420
[13]: openshift/service-ca-operator#112 (comment)
[14]: openshift/library-go#729 (comment)
[15]: https://bugzilla.redhat.com/show_bug.cgi?id=1809253
[16]: openshift/oauth-proxy#160
[17]: https://bugzilla.redhat.com/show_bug.cgi?id=1774156
[18]: openshift/service-ca-operator#105 (comment)
[19]: openshift/library-go#684 (comment)
[20]: openshift/api#577 (comment)
[21]: https://bugzilla.redhat.com/show_bug.cgi?id=1810421
[22]: openshift/service-ca-operator#113
[23]: openshift/library-go#730 (comment)
[24]: https://bugzilla.redhat.com/show_bug.cgi?id=1809258
[25]: openshift/oauth-proxy#164
[26]: https://bugzilla.redhat.com/show_bug.cgi?id=1774157
…1810036

The bugs were introduced by the [1] series, and fixed by the combination of [2,3]. This commit also tombstones affected releases to avoid further channel promotion.

Details on the bug:

* 4.5: Introduced by [1] (no linked PR, so not sure exactly when it was introduced). Fixed by [2], service-ca-operator 74b5ce2 [4], which included library-go d9c73bb [5]. Also fixed by [3], oauth-proxy 3d0621e [6], which landed before the 4.4/4.5 split.
* 4.4: Introduced by [1] (no linked PR, so not sure exactly when it was introduced). Fixed by [7], service-ca-operator e5a04d6 [7], which included library-go 3c25293 [9].

    $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.0-x86_64 | grep service-ca-operator
    service-ca-operator https://github.com/openshift/service-ca-operator 094a9ad02dbe3bcb57d5fbad301cfcfcd48bd2ed
    $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.1-x86_64 | grep service-ca-operator
    service-ca-operator https://github.com/openshift/service-ca-operator 094a9ad02dbe3bcb57d5fbad301cfcfcd48bd2ed
    $ git --no-pager log -2 --first-parent --oneline origin/release-4.4
    e5a04d6a (origin/release-4.4) Merge pull request openshift#111 from marun/4.4-unique-ca-serial
    094a9ad0 Merge pull request #95 from vareti/signer-ca-metrics

  So both RCs are affected. Also fixed by [3], oauth-proxy 3d0621e [6], which landed before the 4.4/4.5 split.

    $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.0-x86_64 | grep oauth-proxy
    oauth-proxy https://github.com/openshift/oauth-proxy 3d0621eb72c9dd1c036505363032468a9016f381
    $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.4.0-rc.1-x86_64 | grep oauth-proxy
    oauth-proxy https://github.com/openshift/oauth-proxy 3d0621eb72c9dd1c036505363032468a9016f381

  So both RCs have OAuth fix, but neither has the service-ca-operator fix.
* 4.3: Introduced by [10], service-ca-operator 8395d65 [11]. Fixed by [12], service-ca-operator dd7235b [13], which includes library-go 5844159 [14]. Fix has not been released yet.

    $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.3.3-x86_64 | grep service-ca-operator
    service-ca-operator https://github.com/openshift/service-ca-operator 774c394da334dec446703545d4baaf89611ccb9d
    $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.3.5-x86_64 | grep service-ca-operator
    service-ca-operator https://github.com/openshift/service-ca-operator 8395d65888b0a4249277989f18ee03f45383e409

  So this was introduced in 4.3.5 (there was no 4.3.4). Fix also requires the OAuth proxy fix [15,16], which is still in flight.
* 4.2: Introduced by [17], service-ca-operator 0324055 [18], which includes library-go 2cf86bb [19] and API 8ce0047 [20]. Fix in flight with [21,22]. [23] has already landed with library-go d58edcb.

    $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.2.21-x86_64 | grep service-ca-operator
    service-ca-operator https://github.com/openshift/service-ca-operator f6720573b9b63147436374e51e6fda44683b1e9f
    $ oc adm release info --commits quay.io/openshift-release-dev/ocp-release:4.2.22-x86_64 | grep service-ca-operator
    service-ca-operator https://github.com/openshift/service-ca-operator 0324055c3bad3a857dcf3471c024bf42c20d549e

  So this was introduced in 4.2.22. Fix also requires the OAuth proxy fix [24,25], which is still in flight.
* 4.1: Backport stream introducing the bug is still ASSIGNED [26], so no 4.1 impact yet.

[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1774121
[2]: https://bugzilla.redhat.com/show_bug.cgi?id=1810036
[3]: https://bugzilla.redhat.com/show_bug.cgi?id=1801573
[4]: openshift/service-ca-operator#110 (comment)
[5]: openshift/library-go#726 (comment)
[6]: openshift/oauth-proxy#152 (comment)
[7]: https://bugzilla.redhat.com/show_bug.cgi?id=1810418
[8]: openshift/service-ca-operator#111 (comment)
[9]: openshift/library-go#728 (comment)
[10]: https://bugzilla.redhat.com/show_bug.cgi?id=1788179
[11]: openshift/service-ca-operator#104 (comment)
[12]: https://bugzilla.redhat.com/show_bug.cgi?id=1810420
[13]: openshift/service-ca-operator#112 (comment)
[14]: openshift/library-go#729 (comment)
[15]: https://bugzilla.redhat.com/show_bug.cgi?id=1809253
[16]: openshift/oauth-proxy#160
[17]: https://bugzilla.redhat.com/show_bug.cgi?id=1774156
[18]: openshift/service-ca-operator#105 (comment)
[19]: openshift/library-go#684 (comment)
[20]: openshift/api#577 (comment)
[21]: https://bugzilla.redhat.com/show_bug.cgi?id=1810421
[22]: openshift/service-ca-operator#113
[23]: openshift/library-go#730 (comment)
[24]: https://bugzilla.redhat.com/show_bug.cgi?id=1809258
[25]: openshift/oauth-proxy#164
[26]: https://bugzilla.redhat.com/show_bug.cgi?id=1774157
This change ensures that service CA certs are generated with a unique serial number so that serving cert bundles can be loaded without error. The library-go bump ensures that the signing CA will have a randomly-generated serial number, and the operator change ensures that intermediate CAs will have the same.
Previously, intermediate CA certs were created with the same serial number as their template. Since a serving cert bundle includes the issuing CA cert and an intermediate CA cert (created by signing the issuing CA cert with the previous CA's private key), this lack of serial number differentiation resulted in SEC_ERROR_REUSED_ISSUER_AND_SERIAL when the bundle was read by curl due to the issuing and intermediate CAs sharing the same issuer and serial number.
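To make the failure mode concrete, here is an added Go example (not code from this PR, service-ca-operator or library-go) that builds the rotation bundle the description above talks about and checks it for reused issuer/serial pairs, the condition NSS reports as SEC_ERROR_REUSED_ISSUER_AND_SERIAL. Following the description, which says the issuing and intermediate CA certs share an issuer, both CAs are given the same constructed subject; must, randomSerial, caTemplate and the other helpers are this example's own, not the project's API.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error; the key and certificate operations below fail only on programming errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// randomSerial draws a 128-bit random serial (hypothetical helper standing in
// for the library-go change the PR bumps to; not the project's own code).
func randomSerial() *big.Int {
	return must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)))
}

// caTemplate holds the fields shared by the signing CA and its intermediate;
// only the serial and the signing key differ between the two.
func caTemplate(subject pkix.Name, serial *big.Int) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber:          serial,
		Subject:               subject,
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
}

// newSelfSignedCA creates a self-signed CA certificate with a fresh P-256 key.
func newSelfSignedCA(subject pkix.Name, serial *big.Int) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := caTemplate(subject, serial)
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// newIntermediate issues the cross-signed intermediate the PR describes: the
// new CA's subject and public key, signed by the previous CA's key. The serial
// is a parameter so the reused (pre-fix) and fresh (fixed) cases can be compared.
func newIntermediate(newCA, prevCA *x509.Certificate, prevKey *ecdsa.PrivateKey, serial *big.Int) *x509.Certificate {
	tmpl := caTemplate(newCA.Subject, serial)
	der := must(x509.CreateCertificate(rand.Reader, tmpl, prevCA, newCA.PublicKey, prevKey))
	return must(x509.ParseCertificate(der))
}

// checkBundleSerials reports two different certificates in the bundle that
// carry the same issuer and serial, the condition NSS rejects with
// SEC_ERROR_REUSED_ISSUER_AND_SERIAL. Byte-identical duplicates are tolerated.
func checkBundleSerials(bundle []*x509.Certificate) error {
	seen := map[string]*x509.Certificate{}
	for _, c := range bundle {
		key := string(c.RawIssuer) + "|" + c.SerialNumber.Text(16)
		if prev, dup := seen[key]; dup && string(prev.Raw) != string(c.Raw) {
			return fmt.Errorf("issuer %q serial %s reused by %q and %q", c.Issuer.CommonName,
				c.SerialNumber.Text(16), prev.Subject.CommonName, c.Subject.CommonName)
		}
		seen[key] = c
	}
	return nil
}

// rotatedBundle simulates one CA rotation and returns the serving cert bundle
// (issuing CA cert, then the intermediate). As in the PR description, both CAs
// share a subject, so both certs share an issuer; reuseSerial reproduces the bug.
func rotatedBundle(reuseSerial bool) []*x509.Certificate {
	subject := pkix.Name{CommonName: "service-ca-signer"} // constructed sample subject
	prevCA, prevKey := newSelfSignedCA(subject, randomSerial())
	newCA, _ := newSelfSignedCA(subject, randomSerial())
	serial := randomSerial()
	if reuseSerial {
		serial = newCA.SerialNumber // pre-fix behaviour: the template's serial is kept
	}
	return []*x509.Certificate{newCA, newIntermediate(newCA, prevCA, prevKey, serial)}
}

func main() {
	for _, reuse := range []bool{true, false} {
		fmt.Printf("reuse template serial=%v: %v\n", reuse, checkBundleSerials(rotatedBundle(reuse)))
	}
}
```

The buggy bundle is rejected even though both certificates carry the same subject, public key and validity, because their signatures (and so their DER) differ while issuer and serial match; the fixed bundle passes.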