Fixing missing SAN extensions in OpenShift OAuth server

Problem

After a successful login through the OpenShift OAuth server, the application that requested the authentication responds with HTTP 500 instead of the logged-in page.

Analysis

The logs of the OAuth proxy sidecar show something like this:

2022/01/01 12:00:01 oauthproxy.go:656: error redeeming code (client:10.100.20.1:40401): Post "https://oauth.openshift.example.com/oauth/token": x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0
2022/01/01 12:00:01 oauthproxy.go:445: ErrorPage 500 Internal Error Internal Error
2022/01/01 12:00:01 provider.go:407: authorizer reason:

The reason is that the X.509 certificate presented by the OpenShift OAuth server is missing the Subject Alternative Name (SAN) extension, so the client would have to fall back to matching the Common Name. Relying on the Common Name for host name verification has been deprecated for almost 20 years (see 1 and 2), and Go's TLS client (which the OAuth proxy is built on) no longer accepts it.

Solution

Create and check a new wildcard certificate

openssl req -new -nodes -key wildcard-old.key -subj "/C=DE/O=Your company/CN=*.openshift.example.com/emailAddress=mail@example.com" -out server.csr
openssl x509 -req -extfile <(printf "subjectAltName=DNS:*.openshift.example.com,DNS:openshift.example.com") -days 3650 -in server.csr -CA your_root_ca.pem -CAkey your_root_ca.key -CAcreateserial -out server.crt

Check that the new certificate and the existing key belong together (the RSA modulus hashes must be identical):

openssl x509 -noout -modulus -in server.crt | openssl md5
(stdin)= 410ce46e7a676232b12631b8e9afa074
openssl rsa -noout -modulus -in wildcard-old.key | openssl md5
(stdin)= 410ce46e7a676232b12631b8e9afa074

Create a certificate chain

If you use only the certificate generated in the previous step, the authentication operator will not work: it requires the full certificate chain, so the issuing CA certificate has to be appended after the server certificate.

cat server.crt your_root_ca.pem > bundle.crt
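The certificate-side steps above (issue with SAN, check key and certificate, build the chain) together with the SAN check from the analysis, as one self-contained script. This is an added example, not code from the original post: it builds a constructed root CA and a throwaway server key in a temporary directory, so your_root_ca.pem and wildcard-old.key are stood in for and nothing touches a cluster; only the OpenSSL CLI is assumed. It goes a little beyond the post in two places: it issues both a CN-only and a SAN certificate from the same CSR so the rejected shape can be inspected next to the fixed one, and the key check compares the public keys instead of the RSA modulus, which also covers EC keys.

```shell
#!/bin/sh
# Added example (not from the post). Assumes only an OpenSSL CLI on PATH;
# every name, key and the root CA below is constructed here and stands in
# for your_root_ca.pem / your_root_ca.key / wildcard-old.key.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed root CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/C=DE/O=Example/CN=Example Root CA" \
  -keyout root.key -out root.pem >/dev/null 2>&1

# Server key plus a CSR that carries only a CN, as in the post.
openssl req -new -newkey rsa:2048 -nodes \
  -subj "/C=DE/O=Example/CN=*.openshift.example.com" \
  -keyout wildcard.key -out server.csr >/dev/null 2>&1

# Legacy certificate: CN only, no SAN. This is the shape Go's x509 rejects.
openssl x509 -req -days 365 -in server.csr \
  -CA root.pem -CAkey root.key -CAcreateserial \
  -out legacy.crt >/dev/null 2>&1

# Fixed certificate: same CSR, SAN listing the wildcard and the apex name.
printf 'subjectAltName=DNS:*.openshift.example.com,DNS:openshift.example.com\n' > san.ext
openssl x509 -req -days 365 -in server.csr \
  -CA root.pem -CAkey root.key -CAcreateserial -extfile san.ext \
  -out server.crt >/dev/null 2>&1

# has_san CERT: succeeds only if the (first) certificate carries a SAN extension.
has_san() {
  openssl x509 -noout -text -in "$1" | grep -q 'Subject Alternative Name'
}

# key_matches_cert CERT KEY: compares the SubjectPublicKeyInfo on both sides.
# Unlike the RSA modulus check in the post this also works for EC keys.
key_matches_cert() {
  c=$(openssl x509 -noout -pubkey -in "$1" | openssl md5)
  k=$(openssl pkey -pubout -in "$2" | openssl md5)
  [ "$c" = "$k" ]
}

# chain_ok BUNDLE ROOT: the bundle holds the leaf first plus at least one
# issuer certificate, and the leaf verifies against the root.
chain_ok() {
  [ "$(grep -c 'BEGIN CERTIFICATE' "$1")" -ge 2 ] &&
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

for crt in legacy.crt server.crt; do
  if has_san "$crt"; then
    echo "$crt: SAN present"
  else
    echo "$crt: no SAN, Go clients will reject it"
  fi
done

cat server.crt root.pem > bundle.crt   # leaf first, issuer after it
key_matches_cert bundle.crt wildcard.key && echo "bundle matches wildcard.key"
chain_ok bundle.crt root.pem && echo "bundle verifies against root.pem"

# Once the ingress controller has rolled out the new secret, the same SAN
# check can be run against the live OAuth endpoint (not executed here, it
# needs the cluster; the host name is the one from the post):
#   openssl s_client -connect oauth.openshift.example.com:443 \
#     -servername oauth.openshift.example.com </dev/null 2>/dev/null \
#     | openssl x509 -noout -text | grep -A1 'Subject Alternative Name'
```

Run it with sh; it needs no cluster. The three helper functions are the checks worth keeping in a pre-flight script before creating the TLS secret: a certificate that fails has_san will reproduce the HTTP 500 from the problem description, a key mismatch makes the router fail to load the secret, and a bundle without the issuer trips the authentication operator.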

Update TLS secret

Create a new TLS secret in the openshift-ingress namespace from the bundle and the existing key:

oc create secret tls wildcardsecret-20220101 --cert=bundle.crt --key=wildcard-old.key -n openshift-ingress

Patch ingress controller

oc patch ingresscontroller.operator default --type=merge -p '{"spec":{"defaultCertificate": {"name": "wildcardsecret-20220101"}}}' -n openshift-ingress-operator