3.9 alpha 3/4 regression: Certificate verification fails with GnuTLS #18715

@martinpitt

Description

SSL certificate based authentication fails with 3.9 alpha 3 when using GnuTLS (which Cockpit does, via glib-networking). This has worked fine so far, up to 3.7.

Things work fine with the oc client:

❱❱❱ oc whoami
system:admin

To illustrate it with OpenSSL vs GnuTLS, let's extract the certificate into standard X.509 files:

awk '/client-certificate-data:/ { print $2 }'  ~/.kube/config | base64 -d > /tmp/cert.pem
awk '/client-key-data:/ { print $2 }'  ~/.kube/config | base64 -d > /tmp/cert.key
awk '/certificate-authority-data:/ { print $2 }' ~/.kube/config | base64 -d > /tmp/ca.pem

Now, authentication with curl works:

❱❱❱ curl --cert /tmp/cert.pem --key /tmp/cert.key --cacert /tmp/ca.pem https://10.111.112.101:8443/api
{
  "kind": "APIVersions",
  "versions": [
    "v1"
  ],
  "serverAddressByClientCIDRs": [
    {
      "clientCIDR": "0.0.0.0/0",
      "serverAddress": "10.111.112.101:8443"
    }
  ]
}

It also works with OpenSSL:

❱❱❱ (printf 'GET /api HTTP/1.0\n\n'; sleep 1) | openssl s_client -CAfile /tmp/ca.pem -cert /tmp/cert.pem -key /tmp/cert.key -connect 10.111.112.101:8443
CONNECTED(00000003)
depth=1 CN = openshift-signer@1518732226
verify return:1
depth=0 CN = 10.111.112.101
verify return:1
[...]
---
HTTP/1.0 200 OK
Cache-Control: no-store
Content-Type: application/json
Date: Thu, 22 Feb 2018 09:28:46 GMT
Content-Length: 137

{"kind":"APIVersions","versions":["v1"],"serverAddressByClientCIDRs":[{"clientCIDR":"0.0.0.0/0","serverAddress":"10.111.112.101:8443"}]}
closed

But not with GnuTLS:

❱❱ (printf 'GET /api HTTP/1.0\n\n'; sleep 1)  | gnutls-cli --x509certfile=/tmp/cert.pem --x509keyfile=/tmp/cert.key --x509cafile=/tmp/ca.pem -p 8443 10.111.112.101
Processed 1 CA certificate(s).
Processed 1 client X.509 certificates...
Resolving '10.111.112.101:8443'...
Connecting to '10.111.112.101:8443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `CN=10.111.112.101', issuer `CN=openshift-signer@1518732226', serial 0x02, RSA key 2048 bits, signed using RSA-SHA256, activated `2018-02-15 22:03:46 UTC', expires `2020-02-15 22:03:47 UTC', pin-sha256="8s1sXBqKC8Vvwk/Mj/UawpbMS83ZFJDCiaKTZTEwK2w="
[...]
HTTP/1.0 401 Unauthorized
Cache-Control: no-store
Content-Type: application/json
Date: Thu, 22 Feb 2018 09:29:24 GMT
Content-Length: 129

{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}
- Peer has closed the GnuTLS connection

For that, openshift logs an error message:

Feb 22 04:30:15 f1.cockpit.lan openshift-run[814]: E0222 04:30:15.791838     816 authentication.go:64] Unable to authenticate the request due to an error: [x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "openshift-signer@1518732226"), x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "openshift-signer@1518732226")]

Version

oc v3.9.0-alpha.3+78ddc10
kubernetes v1.9.1+a0ce1bc657
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://10.111.112.101:8443
openshift v3.9.0-alpha.3+78ddc10
kubernetes v1.9.1+a0ce1bc657
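Added example, not code from this issue or from OpenShift: the client-certificate check an API server written in Go performs when it authenticates a request, run against a CA and a client certificate constructed in memory. The first call chains the leaf to its issuing CA and succeeds; the second trusts an unrelated CA and returns the "certificate signed by unknown authority" error class seen in the log line above, which is a useful baseline for telling a trust-store problem apart from a TLS-stack difference like the one reported here. The helper names (issue, verifyClient) and subject names are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes an in-memory certificate for cn: a self-signed CA when isCA is set, otherwise a client-auth leaf signed by parent/parentKey.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // only fails if the entropy source does
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // self-signed: the CA is its own issuer
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced by CreateCertificate always parses
	return cert, key
}

// verifyClient is the server-side check: chain the presented leaf to the trusted root and require it to be valid for client authentication.
func verifyClient(client, root *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := client.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

func main() {
	ca, caKey := issue("test-signer", true, nil, nil)     // constructed CA, stands in for openshift-signer
	client, _ := issue("system:admin", false, ca, caKey) // constructed client cert issued by that CA
	other, _ := issue("other-signer", true, nil, nil)     // an unrelated CA the server does not trust
	fmt.Println("issuing CA trusted:", verifyClient(client, ca))
	fmt.Println("unrelated CA trusted:", verifyClient(client, other))
}
```

The log line in the report cites a "crypto/rsa: verification error" on the candidate CA, i.e. a chain signature that failed to check rather than a root that is simply absent from the pool; this example covers only the latter, which is the first thing to rule out.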
