Bug 1147868

Summary: Custom SSL certificate chain does not work
Product: OpenShift Online
Reporter: German <mitking>
Component: Management Console
Assignee: Fabiano Franz <ffranz>
Status: CLOSED CURRENTRELEASE
QA Contact: libra bugs <libra-bugs>
Severity: low
Priority: unspecified
Version: 1.x
CC: cdaley, ddiamondstone, jack, jokerman, mmccomas, xtian
Hardware: x86_64
OS: Mac OS
Doc Type: Bug Fix
Last Closed: 2015-03-05 19:56:22 UTC
Type: Bug

Description German 2014-09-30 08:45:07 UTC
Description of problem:

Using the web management console to add custom domain SSL certs does not work as expected when uploading the SSL domain cert and the certificate chain separately. You can use the workaround stated in this bug: https://bugzilla.redhat.com/show_bug.cgi?id=985952

Then it works perfectly and SSL validation passes. But it should work when uploading the cert and chain in separate files too, shouldn't it?

Steps to Reproduce:
1. Purchase a custom SSL certificate for your domain.
2. Upload your domain certificate, the certificate chain, private key and passphrase.
3. The web console finishes OK, but if you validate your domain with an SSL checker (http://www.sslshopper.com/ssl-checker.html) it fails because it cannot follow the certified authority chain.

Actual results:

The browser tells you that the certificate is valid but there is some problem validating your authority certs.

Expected results:

Green lock in the browser with no warning signal on the navigation bar.

Additional info:

Both tested apps are scalable ones, so this is related to the HAProxy SSL config. My apps are WordPress scalable and JBoss 7.

As stated above, the workaround of merging the domain cert and certificate chain into one file and uploading it as the domain cert is working. Maybe if the user uploads both separately you could concatenate the contents and configure HAProxy as you are doing when only a domain cert with chain is uploaded. This could work if PEM format is present in the uploaded files.
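The merge described in the report above, as an added example that is not part of the original bug and is not OpenShift's code: it joins a separately uploaded domain certificate and chain into one PEM bundle, leaf first, and copes with CRLF line endings and files that lack a trailing newline (plain concatenation would fuse the END and BEGIN markers). The function names and sample data are assumptions; the checks are structural only and do not verify signatures or issuer links.

```python
import base64
import re

# One PEM block of any type; the label must agree in BEGIN and END.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def certificate_blocks(pem_text, source):
    """Return normalized CERTIFICATE blocks from pem_text, in file order."""
    text = pem_text.replace("\r\n", "\n").replace("\r", "\n")
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        if label != "CERTIFICATE":
            # A private key must never end up in the public bundle.
            raise ValueError(f"{source}: unexpected PEM block {label!r}")
        # validate=True rejects stray characters instead of skipping them.
        der = base64.b64decode("".join(body.split()), validate=True)
        b64 = base64.b64encode(der).decode("ascii")
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        blocks.append("\n".join(
            ["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"]
        ))
    if not blocks:
        raise ValueError(f"{source}: no PEM certificate found")
    return blocks


def build_bundle(domain_cert_pem, chain_pem):
    """Leaf certificate first, then the chain, each block newline-terminated."""
    leaf = certificate_blocks(domain_cert_pem, "domain cert")
    if len(leaf) != 1:
        raise ValueError("domain cert: expected exactly one certificate")
    # Drop the leaf if the chain file repeats it.
    chain = [b for b in certificate_blocks(chain_pem, "chain") if b not in leaf]
    return "\n".join(leaf + chain) + "\n"


def constructed_pem(tag):
    """Constructed placeholder block (arbitrary bytes, not a real certificate)."""
    b64 = base64.b64encode(tag * 20).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\r\n{b64}\r\n-----END CERTIFICATE-----"


if __name__ == "__main__":
    chain = constructed_pem(b"intermediate") + constructed_pem(b"root")
    print(build_bundle(constructed_pem(b"leaf"), chain), end="")
```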

Comment 4 Fabiano Franz 2014-10-01 17:09:14 UTC
Workaround available, lowering severity. The issue is being investigated.

Comment 5 Jack 2014-10-06 22:14:21 UTC
Some time has passed and it still does not pass:
https://www.sslshopper.com/ssl-checker.html#hostname=www.truthmapping.com

Thoughts?

Comment 6 Fabiano Franz 2014-10-08 01:17:23 UTC
Fixed in https://github.com/openshift/origin-server/pull/5857

Comment 7 Yujie Zhang 2014-10-08 08:34:10 UTC
Tested on devenv_5218; the SSL chain can be added successfully from the web console, so verifying this bug. Thanks.

Comment 8 Fabiano Franz 2014-10-27 14:11:33 UTC
*** Bug 1157188 has been marked as a duplicate of this bug. ***

Comment 9 David Diamondstone 2015-10-19 01:09:57 UTC
This is still broken. I just tried it and got an SSL error. I tried concatenating the two certificates and using that as the server certificate and that worked just fine.