Error x509: certificate relies on legacy Common Name field, use SANs instead in OpenShift
Environment
- Red Hat OpenShift Container Platform 4.10 and newer
Issue
- Some components stop working after upgrading to OCP 4.10, failing with an x509 error such as:
error: unable to push quay.io/openshift-release-dev/ocp-v4.0-art-dev: failed to upload blob sha256:608cfe8580a33a376c92843bd07b2cce574614ac7bff6bddbf03d5f5f44d0b61: Get "https://registry.ocp410.xxx.com:5000/v2/": x509: certificate relies on legacy Common Name field, use SANs instead
status:
  conditions:
  - lastTransitionTime: "2024-03-XXT07:19:10Z"
    message: 'OAuthServerConfigObservationDegraded: failed to apply IDP XXXX config:
      tls: failed to verify certificate: x509: certificate relies on legacy Common
      Name field, use SANs instead'
Resolution
Root Cause
- Kubernetes is built with Go 1.17. This version of Go removes the ability to use the GODEBUG=x509ignoreCN=0 environment setting to re-enable the deprecated legacy behavior of treating the CommonName of an X.509 serving certificate as a hostname. For more details, see the Kubernetes 1.23 release notes.
- In some cases, certificates without a Subject Alternative Name continued to work in OpenShift Container Platform 4.6, 4.7, 4.8, and 4.9. OpenShift Container Platform 4.10, which is based on Kubernetes 1.23, does not allow this under any circumstances. For more details, see TLS X.509 certificates must have a Subject Alternative Name.
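As an added illustration that is not part of this solution, the following Go program reproduces the check that Go 1.17+ crypto/x509 performs: a self-signed serving certificate that carries the host name only in the Subject CommonName fails host-name verification with exactly the error quoted above, while the same certificate with a DNS Subject Alternative Name is accepted. The host name registry.example.com and the function hostNameError are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const host = "registry.example.com" // constructed placeholder for a registry host name

// hostNameError builds a self-signed serving certificate for host, trusts it, and runs a TLS
// client's host-name check; withSAN=false keeps the name only in the Subject CommonName.
func hostNameError(withSAN bool) (string, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if withSAN {
		tmpl.DNSNames = []string{host} // the SAN entry is what the verifier matches against
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return "", err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert) // trusted the way a cluster trusts an added registry CA bundle
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}); err != nil {
		return err.Error(), nil // verification failed; the text is what a TLS client reports
	}
	return "", nil // "" means the host name was accepted
}

func main() {
	fmt.Println(hostNameError(false)) // CN-only certificate: the x509 error from this article
	fmt.Println(hostNameError(true))  // same certificate with a DNS SAN: accepted
}
```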
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.