Upgrading Golang Version in the Early June ‘23 Automate Release

By

Update [8-June-2023] - Chef Automate version 4.7.52 and above will have the updated Go Lang version (1.19.3).

A new version of Chef Automate will be released in the early June 2023, which includes an upgrade to Golang 1.19. This change is required since the existing version of Golang and Go's standard libraries are no longer supported.  

Please keep reading to determine if this change will impact you.

What is the Change?

Automate is moving the product builds from Golang version 1.15 to 1.19 to keep the language features up to date. Please refer to Go 1.15 Release Notes for more information. 

The updated version of Chef Automate, to be released in the early June 2023, will update the core build framework of Golang to 1.19. 

The change in the Golang version will impact the custom certificates used for interaction with external systems. The common name field of X.509 certificates will no longer be considered the hostname when the Subject Alternative Name (SAN) is absent. 

Why the Change? 

RFC 2818, published in May 2000, deprecates using the Common Name (CN) field in HTTPS certificates for subject name verification. Instead, it recommends using the "Subject Alternative Name" extension (SAN) of the "DNS name" type. 

Who is impacted? 

Customers using Automate or Automate HA with custom certificates generated with OpenSSL 1.1.1, or above which do not have the Subject Alternative Name (SAN) field will be affected by this upgrade. Automate or Automate HA may stop working if you upgrade to this version without updating the certificates. 

What is the Impact? 

Custom certificates generated with OpenSSL 1.1.1 or above without the Subject Alternative Name (SAN) field will no longer work. These certificates could belong to external databases or services or be used elsewhere in Automate or Automate HA.  

Some changes that may be observed: 

  • Automate and Automate HA will not work correctly with custom certificates and will throw errors.

  • Automate and Automate HA will not be able to communicate with an externally deployed database, both PostgreSQL and OpenSearch.

  • Automate and Automate HA will stop interacting with external services for the data feed service and/or notification service.

  • Automate and Automate HA may behave unpredictably with external web services.

Check if You are Impacted 

Please check certificates installed on Automate, external databases and web services to ensure that the Subject Alternative Name (SAN) has the correct value.  

  • In case of an external open search please refer to the opensearch.yml file to find the location of the certificate. In most Linux distributions, the file is available at /etc/opensearch/opensearch.yml. 

  • In the case of external PostgreSQL, by default, your certificate will reside at $PGDATA/server.crt.

  • In the case of Automate frontend load balancer, the certificate is available at /hab/svc/automate-load-balancer/data/ location.

1. To check mycert.cer, please run this command:

Checking mycert.cer

2. The output of the command will look like this: 

Output of the command


3. Look for the “X509v3 Subject Alternative Name " field in the output, as shown above. 

[Important] If you SEE a value for the "X509v3 Subject Alternative Name" field in the command output, you are NOT impacted.  

If you do not see a value for the "X509v3 Subject Alternative Name", you ARE impacted

What Should You Do if You are Impacted? 

Please regenerate the certificates with your Certificate Authority by raising a new Certificate Signing Request (CSR). Please provide a suitable hostname value for subjectAltName before raising the CSR.  

An OpenSSL CSR with the SAN should have the following attributes: 

OpenSSL CSR with the SAN


Once your custom certificate is updated, you must re-apply it. 

-For Standalone Automate use the config patch to apply the load balancer certificate. 

-For Chef Automate HA use the cert rotate command to apply it on the cluster nodes.  

-There will be downtime while applying the updated certs to an externally managed databases or with custom certificates provided for the Automate frontend load balancer.

Are You Facing Issues During This Process? 

If you do not know what version you have, or whether this notice applies to you, or you need help upgrading, please raise a support case, If the issue is unresolved, please reach out to your Customer Success Manager or Customer Architect representative. 

References: 

Upgrade Chef Automate documentation: https://docs.chef.io/automate/upgrade/ 


Posted in:
Tags:
Chef Chef Automate

Nischal Reddy

Nischal works as a Principal Product Manager at Progress, working with the Chef team and he is based out of Boston. Nischal is a seasoned product manager with a knack for innovation and love for speed, both on and off track. As an avid Formula 1 fan and enthusiastic go-kart racer, he brings a competitive edge to product development. Nischal specializes in driving new growth initiatives and products and is currently leading the PM team for Chef Platform and Cloud products.

Categories

INTERNET US

Company
Using Chef
Legal
Connect with us
Contact Us

Chef is part of the Progress product portfolio. Progress is the leading provider of application development and digital experience technologies.

Copyright © 2024 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.

Progress and certain product names used herein are trademarks or registered trademarks of Progress Software Corporation and/or one of its subsidiaries or affiliates in the U.S. and/or other countries. See Trademarks for appropriate markings.

Do Not Sell or Share My Personal Information

Powered by Progress Sitefinity