From bb86b7b6cc7a41a6f76f074a9d5320e4538f0fc4 Mon Sep 17 00:00:00 2001 From: Jennifer Travinski Date: Tue, 31 May 2022 14:15:00 -0400 Subject: [PATCH] Adding release note to 2.6 docs --- .../v2.6/en/admin-settings/authentication/ad/_index.md | 8 +++++++- .../en/admin-settings/authentication/openldap/_index.md | 8 +++++++- .../authentication/openldap/openldap-config/_index.md | 8 +++++++- 3 files changed, 21 insertions(+), 3 deletions(-) diff --git a/content/rancher/v2.6/en/admin-settings/authentication/ad/_index.md b/content/rancher/v2.6/en/admin-settings/authentication/ad/_index.md index 251039f2c97..6ed722deb90 100644 --- a/content/rancher/v2.6/en/admin-settings/authentication/ad/_index.md +++ b/content/rancher/v2.6/en/admin-settings/authentication/ad/_index.md 
@@ -21,7 +21,13 @@ Note however, that in some locked-down Active Directory configurations this defa > **Using TLS?** > -> If the certificate used by the AD server is self-signed or not from a recognized certificate authority, make sure have at hand the CA certificate (concatenated with any intermediate certificates) in PEM format. You will have to paste in this certificate during the configuration so that Rancher is able to validate the certificate chain. +> - If the certificate used by the AD server is self-signed or not from a recognized certificate authority, make sure have at hand the CA certificate (concatenated with any intermediate certificates) in PEM format. You will have to paste in this certificate during the configuration so that Rancher is able to validate the certificate chain. +> +> - Upon an upgrade to v2.6.0, authenticating via Rancher against an active directory using TLS can fail if the certificates on the AD server do not support SAN attributes. This is a check enabled by default in Go v1.15. +> +> - The error received is "Error creating SSL connection: LDAP Result Code 200 "Network Error": x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0". +> +> - To resolve the error, update or replace the certificates on the AD server with new ones that support the SAN attribute. Alternatively, this error can be ignored by setting `GODEBUG=x509ignoreCN=0` as an environment variable to Rancher server container. ## Configuration Steps ### Open Active Directory Configuration diff --git a/content/rancher/v2.6/en/admin-settings/authentication/openldap/_index.md b/content/rancher/v2.6/en/admin-settings/authentication/openldap/_index.md index dd722903236..c9d743c0117 100644 --- a/content/rancher/v2.6/en/admin-settings/authentication/openldap/_index.md +++ b/content/rancher/v2.6/en/admin-settings/authentication/openldap/_index.md 
@@ -11,7 +11,13 @@ Rancher must be configured with a LDAP bind account (aka service account) to sea > **Using TLS?** > -> If the certificate used by the OpenLDAP server is self-signed or not from a recognised certificate authority, make sure have at hand the CA certificate (concatenated with any intermediate certificates) in PEM format. You will have to paste in this certificate during the configuration so that Rancher is able to validate the certificate chain. +> - If the certificate used by the OpenLDAP server is self-signed or not from a recognised certificate authority, make sure have at hand the CA certificate (concatenated with any intermediate certificates) in PEM format. You will have to paste in this certificate during the configuration so that Rancher is able to validate the certificate chain. +> +> - Upon an upgrade to v2.6.0, authenticating via Rancher against an active directory using TLS can fail if the certificates on the AD server do not support SAN attributes. This is a check enabled by default in Go v1.15. +> +> - The error received is "Error creating SSL connection: LDAP Result Code 200 "Network Error": x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0". +> +> - To resolve the error, update or replace the certificates on the AD server with new ones that support the SAN attribute. Alternatively, this error can be ignored by setting `GODEBUG=x509ignoreCN=0` as an environment variable to Rancher server container. ## Configure OpenLDAP in Rancher diff --git a/content/rancher/v2.6/en/admin-settings/authentication/openldap/openldap-config/_index.md b/content/rancher/v2.6/en/admin-settings/authentication/openldap/openldap-config/_index.md index deb1b0799f9..f2bd5d6fe9c 100644 --- a/content/rancher/v2.6/en/admin-settings/authentication/openldap/openldap-config/_index.md +++ b/content/rancher/v2.6/en/admin-settings/authentication/openldap/openldap-config/_index.md 
@@ -28,7 +28,13 @@ You will need to enter the address, port, and protocol to connect to your OpenLD > **Using TLS?** > -> If the certificate used by the OpenLDAP server is self-signed or not from a recognized certificate authority, make sure have at hand the CA certificate (concatenated with any intermediate certificates) in PEM format. You will have to paste in this certificate during the configuration so that Rancher is able to validate the certificate chain. +> - If the certificate used by the OpenLDAP server is self-signed or not from a recognized certificate authority, make sure have at hand the CA certificate (concatenated with any intermediate certificates) in PEM format. You will have to paste in this certificate during the configuration so that Rancher is able to validate the certificate chain. +> +> - Upon an upgrade to v2.6.0, authenticating via Rancher against an active directory using TLS can fail if the certificates on the AD server do not support SAN attributes. This is a check enabled by default in Go v1.15. +> +> - The error received is "Error creating SSL connection: LDAP Result Code 200 "Network Error": x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0". +> +> - To resolve the error, update or replace the certificates on the AD server with new ones that support the SAN attribute. Alternatively, this error can be ignored by setting `GODEBUG=x509ignoreCN=0` as an environment variable to Rancher server container. If you are in doubt about the correct values to enter in the user/group Search Base configuration fields, consult your LDAP administrator or refer to the section [Identify Search Base and Schema using ldapsearch]({{}}/rancher/v2.6/en/admin-settings/authentication/ad/#annex-identify-search-base-and-schema-using-ldapsearch) in the Active Directory authentication documentation.
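Review bot: in the `ad/_index.md` hunk, the last added bullet says the error "can be ignored" by setting `GODEBUG=x509ignoreCN=0`, but the error text quoted in the bullet above it describes that setting as "temporarily enable Common Name matching". The variable switches the legacy Common Name check back on rather than suppressing an error, so the bullet should present it as a temporary workaround and make reissuing the certificate with a SAN the actual fix, for example: "As a temporary workaround, Common Name matching can be re-enabled by setting `GODEBUG=x509ignoreCN=0` as an environment variable on the Rancher server container." In the same hunk, "active directory" should be capitalised as "Active Directory", and "make sure have at hand" is missing "you".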
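Review bot: in the `openldap/_index.md` hunk, the three new bullets are copied from the Active Directory page without adapting them, so this OpenLDAP page now reads "authenticating via Rancher against an active directory" and "update or replace the certificates on the AD server". The first bullet of the same hunk says "the OpenLDAP server"; the new bullets should use that term too, otherwise an OpenLDAP administrator who hits this x509 error may conclude the note does not apply to them.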
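Review bot: in the `openldap-config/_index.md` hunk, the error bullet wraps the message in double quotes while the message itself contains "Network Error" in double quotes, so it is unclear where the quoted error ends and a reader copying it into a search will get a truncated string. Put the whole error string in backticks, as the last bullet already does for `GODEBUG=x509ignoreCN=0`. The "active directory" and "AD server" wording in this hunk also needs changing to OpenLDAP, since this file is the OpenLDAP configuration reference.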