Insecure algorithm SHA1-RSA errors in OpenShift 4

Solution Verified - Updated -

Issue

  • The following error can be seen in different OpenShift 4 components:

    x509: certificate signed by unknown authority (possibly because of "x509: cannot verify signature: insecure algorithm SHA1-RSA (temporarily override with GODEBUG=x509sha1=1)" while trying to verify candidate authority certificate "CA Name")
    
  • This error message can appear in situations such as:

    • An OpenShift 4.11 or newer installation using a mirror with a SHA1-RSA certificate, and the error is shown in the bootstrap node.
    • An identity provider, such as an LDAP server, uses a SHA1-RSA certificate, and the error is shown in the authentication Cluster Operator.
    • OpenShift router fails to start with a SHA1-RSA certificate, and the error is shown in the router logs.

Environment

  • Red Hat OpenShift Container Platform (RHOCP)
    • 4
  • SHA1-RSA certificate
