Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

crypto/x509: verification fails with "cannot parse dnsName" in intermediate #371

Closed
trunet opened this issue Feb 26, 2018 · 7 comments
Closed

crypto/x509: verification fails with "cannot parse dnsName" in intermediate #371

trunet opened this issue Feb 26, 2018 · 7 comments
Labels
lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed.

Comments

@trunet
Copy link

trunet commented Feb 26, 2018
edited
Loading

Loading an intermediate certificate, is generating this error:

E0226 11:51:47.736103       7 config.go:330] Expected to load root CA config from /var/run/secrets/kubernetes.io/serviceaccount/ca.crt, but got err: error reading /var/run/secrets/kubernetes.io/serviceaccount/ca.crt: x509: cannot parse dnsName "Trunet.co AMS Kubernetes Intermediate CA"

My intermediate CA generated by hashicorp vault, contains:

X509v3 Basic Constraints: critical
    CA:TRUE
X509v3 Subject Alternative Name: 
    DNS:Trunet.co AMS Kubernetes Intermediate CA

This will probably be fixed on golang/go#23995
@trunet trunet mentioned this issue Feb 26, 2018
Closed
@sttts
Copy link
Contributor

sttts commented Feb 27, 2018

So this is no client-go error, but Go?

@trunet
Copy link
Author

trunet commented Feb 27, 2018

This is an error happening on ingress-nginx, that uses and calls client-go functions, that uses x509 go library. That should be fixed upstream, but if not, we could implement a workaround here (not saying that we should, at least discuss the problem).

On golang/go#23995 (comment), they're asking for thumbs up if this affects you.

@ericchiang
Copy link
Contributor

"Trunet.co AMS Kubernetes Intermediate CA" doesn't look like a DNS name. Why would you want that value as a SANs DNS?

It sounds like this is getting fixed in 1.10.1. Since you can work around this today by making your DNS values look like actual DNS values, I don't think we should provide an external work around.

@trunet
Copy link
Author

trunet commented Feb 27, 2018

from: golang/go#23995 (comment)

This will affect all CA certs that have been generated by HashiCorp Vault 0.9.3 or earlier. Those versions always put the CN also into the DNS alt names, without checking if it actually is a DNS name. hashicorp/vault#3953 fixed that in anticipation of the change in Go.

Relaxing the verification for CA certs would greatly reduce pain for Vault operators because they wouldn't have to re-issue all of their cert chains.

@ffilippopoulos ffilippopoulos mentioned this issue Mar 19, 2018
Closed
@fejta-bot
Copy link

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label May 28, 2018
@markeijsermans markeijsermans mentioned this issue Jun 20, 2018
Closed
@fejta-bot
Copy link

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten
/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Jun 27, 2018
@fejta-bot
Copy link

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@trunet @sttts @ericchiang @k8s-ci-robot @fejta-bot