Component returns x509: invalid certificate policies in RHOCP 4
Environment
- Red Hat OpenShift Container Platform (RHOCP) 4
- Golang 1.24
Issue
- Creating connections to a TLS-secured endpoint fails with:
  tls: failed to parse certificate from server: x509: invalid certificate policies
- LDAP connections fail with "Error authenticating login" or "AuthenticationError" and the following message:
  LDAP Result Code 200 "Network Error": tls: failed to parse certificate from server: x509: invalid certificate policies
Resolution
The certificate offered by the remote endpoint cannot include a duplicate Certificate Policy OID and must be recreated.
Root Cause
Disclaimer: Links contained herein to external website(s) are provided for convenience only. Red Hat has not reviewed the links and is not responsible for the content or its availability. The inclusion of any link to an external website does not imply endorsement by Red Hat of the website or their entities, products or services. You agree that Red Hat is not responsible or liable for any loss or expenses that may result due to your use of (or reliance on) the external site or content.
As per RFC 5280, a certificate policy OID must not appear more than once in the certificate policies extension.
Golang enforces this rule as of version 1.24, on which OpenShift 4.20 is based. Note that individual components in older OpenShift releases may also be built with Golang 1.24.
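The RFC 5280 rule above, as an added Go example that is not Red Hat's or the Go project's code: it parses a certificatePolicies extension value (the DER SEQUENCE OF PolicyInformation inside extension 2.5.29.32) and reports every policy OID that is listed twice, which is the check a Go 1.24 client fails on. The sample OIDs are constructed to mirror the openssl output in the Diagnostic Steps; the function and type names are this example's own.

```go
package main

import (
	"encoding/asn1"
	"fmt"
)

// policyInformation mirrors RFC 5280 PolicyInformation: a policyIdentifier OID plus optional qualifiers.
type policyInformation struct {
	Policy     asn1.ObjectIdentifier
	Qualifiers asn1.RawValue `asn1:"optional"`
}

// duplicatePolicies parses a certificatePolicies (2.5.29.32) extension value, the DER SEQUENCE OF
// PolicyInformation, and returns each policy OID listed more than once (the rule Go 1.24 enforces).
func duplicatePolicies(extValue []byte) ([]string, error) {
	var infos []policyInformation
	rest, err := asn1.Unmarshal(extValue, &infos)
	if err != nil {
		return nil, err
	}
	if len(rest) != 0 {
		return nil, fmt.Errorf("%d trailing bytes after certificatePolicies", len(rest))
	}
	seen, dups := map[string]bool{}, []string{}
	for _, pi := range infos {
		if seen[pi.Policy.String()] {
			dups = append(dups, pi.Policy.String())
		}
		seen[pi.Policy.String()] = true
	}
	return dups, nil
}

// encodePolicies builds such an extension value from OIDs, keeping duplicates, to reproduce a bad CA's output.
func encodePolicies(oids ...asn1.ObjectIdentifier) ([]byte, error) {
	infos := make([]policyInformation, 0, len(oids))
	for _, oid := range oids {
		infos = append(infos, policyInformation{Policy: oid})
	}
	return asn1.Marshal(infos)
}

func main() { // constructed sample mirroring the article's openssl output: .2.2 appears twice
	a := asn1.ObjectIdentifier{1, 2, 840, 113554, 4, 1, 72585, 2, 1}
	b := asn1.ObjectIdentifier{1, 2, 840, 113554, 4, 1, 72585, 2, 2}
	val, _ := encodePolicies(a, b, b)
	fmt.Println(duplicatePolicies(val)) // [1.2.840.113554.4.1.72585.2.2] <nil>
}
```

On Go releases before 1.24, the same bytes are available from a parsed certificate as the Value of the 2.5.29.32 entry in x509.Certificate.Extensions; on 1.24 and later the certificate is rejected before that point, which is why openssl is used to inspect it.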
Diagnostic Steps
- A client attempting to create a TLS connection returns an x509 failure:
  Get "https://<remote_endpoint>": tls: failed to parse certificate from server: x509: invalid certificate policies
- List the (chain of) certificates offered by the remote endpoint:
  $ echo q | openssl s_client -showcerts -connect <endpoint>
- For each certificate in the chain, verify whether it includes a duplicate Certificate Policy OID:
  $ openssl x509 -ext certificatePolicies -noout <<EOF
  -----BEGIN CERTIFICATE-----
  [...]
  -----END CERTIFICATE-----
  EOF
  X509v3 Certificate Policies:
      Policy: 1.2.840.113554.4.1.72585.2.1
      Policy: 1.2.840.113554.4.1.72585.2.2
      Policy: 1.2.840.113554.4.1.72585.2.2
  or
  $ openssl x509 -in <cert_file> -ext certificatePolicies -noout
  X509v3 Certificate Policies:
      [...]
Note: The OIDs listed above are used for reference only; the actual values depend on how the certificate was generated.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.