nokia / CPU-Pooler

A Device Plugin for Kubernetes, which exposes the CPU cores as consumable Devices to the Kubernetes scheduler.
BSD 3-Clause "New" or "Revised" License

x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0 #57

Closed waynezhang1984 closed 3 years ago

waynezhang1984 commented 3 years ago

Describe the bug

I deployed CPU-Pooler in the kubernetes 1.19 environment and reported an abnormal error,“Internal error occurred: failed calling webhook "cpu-dev-mutator.nokia.k8s.io": Post "https://cpu-dev-pod-mutator-svc.kube-system.svc:443/mutating-pods?timeout=30s": x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0”.

I found that the reason is related to version 1.15 of golang. Because kubernetes 1.19 uses golang 1.15, the above problem is reported https://github.com/kubeflow/katib/issues/1395 https://github.com/atc0005/check-cert/issues/70


Levovar commented 3 years ago

@waynezhang1984 : did you use the certificates generated by the project's scripts, or your own?

In case of the former, the generation scripts should be changed to add a SAN instead of the legacy CN. If the latter, then the same but in your certs :)

waynezhang1984 commented 3 years ago

@Levovar I use the certificates generated by the project's scripts. How can I modify the scripts? Thanks

Levovar commented 3 years ago

I think this row should be modified: https://github.com/nokia/CPU-Pooler/blob/master/scripts/generate-cert.sh#L11 to include SAN instead of CN

let me know if it solves your issue! then we can correct the source with the same

waynezhang1984 commented 3 years ago

@Levovar I fixed this problem with the steps below:

  1. copy /etc/pki/tls/openssl.cnf to CPU-Pooler/scripts/openssl.cnf

  2. modify CPU-Pooler/scripts/openssl.cnf:

         [ req ]
         default_bits = 2048
         default_md = sha256
         default_keyfile = privkey.pem
         distinguished_name = req_distinguished_name
         attributes = req_attributes
         x509_extensions = v3_ca # The extensions to add to the self signed cert
         req_extensions = v3_req

         [ v3_req ]
         basicConstraints = CA:FALSE
         keyUsage = nonRepudiation, digitalSignature, keyEncipherment
         subjectAltName = @alt_names

         [ alt_names ]
         DNS.1 = cpu-dev-pod-mutator-svc.kube-system.svc

  3. modify CPU-Pooler/scripts/generate-cert.sh:

         openssl req -out server.csr -new -newkey rsa:2048 -subj "/CN=${service}.${namespace}.svc" -nodes -keyout server-key.pem -config openssl.cnf

thanks a lot
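To show why the SAN is what matters, here is an added Go example (my own code, not part of the CPU-Pooler project) that builds a self-signed certificate carrying only a CN, as generate-cert.sh originally did, and one that also carries the DNS SAN the openssl.cnf change above adds, then runs Go's own hostname check against the webhook service name from the error. The helper names and the use of a throwaway ECDSA key are my assumptions; the project's script uses RSA via openssl, which makes no difference to the name check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// webhookHost is the service name the API server dials (taken from the issue).
const webhookHost = "cpu-dev-pod-mutator-svc.kube-system.svc"

// selfSignedCert mimics generate-cert.sh's CN-only cert; withSAN adds the DNS SAN the fix introduces.
func selfSignedCert(host string, withSAN bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // throwaway key (assumption)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host}, // what "-subj /CN=..." produces
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if withSAN {
		tmpl.DNSNames = []string{host} // equivalent of subjectAltName = DNS:host
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// hostnameError returns what a Go 1.15+ TLS client reports for host, or "" when the name is accepted.
func hostnameError(cert *x509.Certificate, host string) string {
	if err := cert.VerifyHostname(host); err != nil {
		return err.Error()
	}
	return ""
}

func main() { // prints the "legacy Common Name field" error for the CN-only cert
	cert, _ := selfSignedCert(webhookHost, false)
	fmt.Println(hostnameError(cert, webhookHost))
}
```

The same check is what kube-apiserver performs when it dials the mutating webhook, so a certificate that passes hostnameError with the SAN present is the one to deploy.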

Levovar commented 3 years ago

thanks for the feedback! will fix the certs in the project as well