Upgrading Golang Version in the Early June ‘23 Automate Release

Nischal Reddy | Posted on April 20, 2023 | Product Updates

Update [8-June-2023] - Chef Automate version 4.7.52 and above will have the updated Go Lang version (1.19.3).

A new version of Chef Automate will be released in the early June 2023, which includes an upgrade to Golang 1.19. This change is required since the existing version of Golang and Go's standard libraries are no longer supported.

Please keep reading to determine if this change will impact you.

What is the Change?

Automate is moving the product builds from Golang version 1.15 to 1.19 to keep the language features up to date. Please refer to Go 1.15 Release Notes for more information.

The updated version of Chef Automate, to be released in the early June 2023, will update the core build framework of Golang to 1.19.

The change in the Golang version will impact the custom certificates used for interaction with external systems. The common name field of X.509 certificates will no longer be considered the hostname when the Subject Alternative Name (SAN) is absent.

Why the Change?

RFC 2818, published in May 2000, deprecates using the Common Name (CN) field in HTTPS certificates for subject name verification. Instead, it recommends using the "Subject Alternative Name" extension (SAN) of the "DNS name" type.

Who is impacted?

Customers using Automate or Automate HA with custom certificates generated with OpenSSL 1.1.1, or above which do not have the Subject Alternative Name (SAN) field will be affected by this upgrade. Automate or Automate HA may stop working if you upgrade to this version without updating the certificates.

What is the Impact?

Custom certificates generated with OpenSSL 1.1.1 or above without the Subject Alternative Name (SAN) field will no longer work. These certificates could belong to external databases or services or be used elsewhere in Automate or Automate HA.

Some changes that may be observed:

Automate and Automate HA will not work correctly with custom certificates and will throw errors.
Automate and Automate HA will not be able to communicate with an externally deployed database, both PostgreSQL and OpenSearch.
Automate and Automate HA will stop interacting with external services for the data feed service and/or notification service.
Automate and Automate HA may behave unpredictably with external web services.

Check if You are Impacted

Please check certificates installed on Automate, external databases and web services to ensure that the Subject Alternative Name (SAN) has the correct value.

In case of an external open search please refer to the opensearch.yml file to find the location of the certificate. In most Linux distributions, the file is available at /etc/opensearch/opensearch.yml.
In the case of external PostgreSQL, by default, your certificate will reside at $PGDATA/server.crt.
In the case of Automate frontend load balancer, the certificate is available at /hab/svc/automate-load-balancer/data/ location.

1. To check mycert.cer, please run this command:

2. The output of the command will look like this:

3. Look for the “X509v3 Subject Alternative Name " field in the output, as shown above.

[Important] If you SEE a value for the "X509v3 Subject Alternative Name" field in the command output, you are NOT impacted.

If you do not see a value for the "X509v3 Subject Alternative Name", you ARE impacted.

What Should You Do if You are Impacted?

Please regenerate the certificates with your Certificate Authority by raising a new Certificate Signing Request (CSR). Please provide a suitable hostname value for subjectAltName before raising the CSR.

An OpenSSL CSR with the SAN should have the following attributes:

Once your custom certificate is updated, you must re-apply it.

-For Standalone Automate use the config patch to apply the load balancer certificate.

-For Chef Automate HA use the cert rotate command to apply it on the cluster nodes.

-There will be downtime while applying the updated certs to an externally managed databases or with custom certificates provided for the Automate frontend load balancer.

Are You Facing Issues During This Process?

If you do not know what version you have, or whether this notice applies to you, or you need help upgrading, please raise a support case, If the issue is unresolved, please reach out to your Customer Success Manager or Customer Architect representative.

References:

Upgrade Chef Automate documentation: https://docs.chef.io/automate/upgrade/