Red Hat Advanced Cluster Security Scanner throws certificate validation error when verifying Central certificate
Environment
- An update to Red Hat Advanced Cluster Security (ACS) release 3.0.53.0 from 3.0.47.0 or lower
- Executed a manual rotation of the Central certificate using the script provided in the documentation
Issue
- Red Hat Advanced Cluster Security (ACS) Scanner fails to scan an image with an error similar to the following:
Error: rpc error: code = Unknown desc = image enrichment error: error scanning image: <IMAGE NAME:TAG> errors: [Error scanning "<IMAGE NAME:TAG>" with scanner "Stackrox Scanner": Expected status code 2XX. Received 400 Bad Request. Body: {"code":3,"message":"peer certificate common name \"CENTRAL_SERVICE: 2ad1e85c-eab5-4e49-b7ef-462730bceff5\" does not match expected common name: CENTRAL_SERVICE: Central"}
Resolution
- Generate a new Central certificate:
curl -u admin:<password> -sk -X POST https://<endpoint>/api/extensions/certgen/central > central-certs.yaml
- Apply the new certificate:
kubectl apply -f central-certs.yaml
- Delete the Central pod:
kubectl -n stackrox delete po <central pod>
Root Cause
- The Scanner component verifies the certificate that Central sends and expects the CN to be CENTRAL_SERVICE: Central.
- The documentation for rotating the Central certificate prior to release 3.0.47.0 says to run a script that sets the ID to a specific UUID instead of the "Central" that Scanner expects. Also, prior to release 3.0.47.0, the Central CN was CENTRAL_SERVICE: <UUID>.
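The CN check described under Root Cause and the rotation steps under Resolution, as an added shell example that is not part of this Red Hat solution or of the ACS/StackRox project. It assumes openssl, curl and kubectl are on PATH; the Central TLS secret name "central-tls" and its "cert.pem" key are assumed (as in upstream StackRox), and the endpoint, password and Central pod name are placeholders passed as arguments. The helper verifies that the certificate Central serves (or the one just written to the secret) carries the CN Scanner expects before the Central pod is deleted.

```shell
#!/bin/sh
# Added example, not code from the Red Hat solution or from the ACS/StackRox project.
# Assumptions: openssl, curl and kubectl are on PATH; the Central TLS secret is
# named "central-tls" with the certificate under key "cert.pem" (as in upstream
# StackRox); endpoint, password and pod name are placeholders passed as arguments.

# The CN Scanner expects on the Central certificate (from the article).
EXPECTED_CN="CENTRAL_SERVICE: Central"

# Print the subject CN of a PEM certificate file.
# RFC2253 output ("subject=CN=...,O=...") is stable across openssl versions,
# so the CN can be cut out with sed.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Return 0 if the certificate's CN is the one Scanner expects, 1 otherwise.
# A UUID after "CENTRAL_SERVICE:" is the legacy CN produced by the old rotation script.
check_central_cn() {
  cn=$(cert_cn "$1")
  if [ "$cn" = "$EXPECTED_CN" ]; then
    echo "OK: CN is '$cn'"
    return 0
  fi
  echo "MISMATCH: CN is '$cn', expected '$EXPECTED_CN'" >&2
  return 1
}

# Check the certificate Central is serving right now (needs network; not run offline).
check_live_central_cn() {
  endpoint="$1"                 # host:port of Central, placeholder
  tmp=$(mktemp)
  openssl s_client -connect "$endpoint" -servername "${endpoint%%:*}" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$tmp"
  check_central_cn "$tmp"; rc=$?
  rm -f "$tmp"
  return "$rc"
}

# Check the certificate stored in the central-tls secret after "kubectl apply"
# (secret name and key are assumptions, see above).
check_secret_central_cn() {
  tmp=$(mktemp)
  kubectl -n stackrox get secret central-tls -o 'jsonpath={.data.cert\.pem}' | base64 -d > "$tmp"
  check_central_cn "$tmp"; rc=$?
  rm -f "$tmp"
  return "$rc"
}

# The Resolution steps from the article, with the CN verified before Central is restarted.
rotate_central_cert() {
  endpoint="$1"; password="$2"; central_pod="$3"   # placeholders
  curl -u "admin:$password" -sk -X POST "https://$endpoint/api/extensions/certgen/central" > central-certs.yaml
  kubectl apply -f central-certs.yaml
  check_secret_central_cn || { echo "new certificate still has the wrong CN; not restarting Central" >&2; return 1; }
  kubectl -n stackrox delete po "$central_pod"
}
```

Source the file and run `check_live_central_cn <central host:port>` to confirm the symptom before rotating; `rotate_central_cert <endpoint> <password> <central pod>` then performs the three Resolution steps, refusing to delete the pod if the regenerated certificate still does not carry CENTRAL_SERVICE: Central.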
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.