Bug 1157188

Summary: "SSL certificate chain" not functional in web console.
Product: OpenShift Online
Reporter: David Diamondstone <ddiamondstone>
Component: Management Console
Assignee: Fabiano Franz <ffranz>
Status: CLOSED DUPLICATE
QA Contact: libra bugs <libra-bugs>
Severity: medium
Priority: unspecified
Version: 2.x
CC: jokerman, mmccomas, wjiang
Hardware: All
OS: All
Doc Type: Bug Fix
Last Closed: 2014-10-27 14:11:33 UTC
Type: Bug
Attachments: Example certs which demonstrate the issue.

Description David Diamondstone 2014-10-25 23:16:04 UTC
Created attachment 950725
Example certs which demonstrate the issue.

Description of problem:
The "SSL certificate chain" field in the "edit alias" management console is apparently ignored. After uploading a valid SSL certificate and corresponding private key and SSL certificate chain, the certificate chain is not recognized as valid when browsing to my app.

Version-Release number of selected component (if applicable):
Unknown

How reproducible:
100%

Let's say I have a valid SSL certificate foo.com.pem for foo.com signed by CA bar, and I have a valid SSL certificate chain CA-cert.pem validating CA's authority (terminating in a root certificate). If I use the management console to "edit alias" and attach an ssl certificate, the "SSL certificate chain"

Steps to Reproduce:
1. Create a valid certificate foo.com.pem for foo.com, and take the CA's signing certificate CA-cert.pem
2. Go into the "edit alias" management console, enter foo.com.pem in the "SSL Certificate" field, and CA-cert.pem in the "SSL Certificate Chain" field, along with the certificate private key and pass phrase.
3. Navigate to https://www.foo.com

Actual results:
SSL error (e.g. sec_error_unknown_issuer in Firefox) due to lack of valid path from root CA to provided cert.

Expected results:
No error.

Additional info:
This has happened before:
https://bugzilla.redhat.com/show_bug.cgi?id=1063470
https://bugzilla.redhat.com/show_bug.cgi?id=1147868
The workaround suggested, simply concatenating the files before uploading, seems to work.

Those bugs are marked fixed, but I'm still having an issue. Not sure if it's the particular coding being used, but it seems like whatever the web console is doing isn't working, and people keep having to use the workaround. Maybe the web console should just concatenate the files?
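
Added example, not part of the original report or of OpenShift's code: a local reproduction of why a leaf served without its chain is rejected by a client that trusts only the root, and why the concatenation workaround passes. It assumes the openssl CLI is installed; the demo CA names are hypothetical, and the file names foo.com.pem and CA-cert.pem follow the report.

```sh
#!/bin/sh
# Added example: every key and certificate here is a throwaway generated on the spot.
set -eu

# Build root CA -> intermediate CA (CA-cert.pem) -> leaf (foo.com.pem) in directory $1.
make_demo_pki() {
    d=$1
    printf '[req]\ndistinguished_name=dn\n[dn]\nCN=unused\n' > "$d/req.cnf"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
    new_csr() {  # $1 = file stem, $2 = subject
        openssl genrsa -out "$d/$1.key" 2048 2>/dev/null
        openssl req -new -config "$d/req.cnf" -key "$d/$1.key" -subj "$2" -out "$d/$1.csr"
    }
    new_csr root "/CN=Demo Root CA"
    new_csr inter "/CN=Demo Intermediate CA"
    new_csr leaf "/CN=foo.com"
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/CA-cert.pem" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/CA-cert.pem" -CAkey "$d/inter.key" \
        -set_serial 3 -days 2 -out "$d/foo.com.pem" 2>/dev/null
}

# Model a client that trusts only the root ($1) and is served PEM file $2
# (leaf first). `openssl verify` checks the first certificate in $2 and may
# use the remaining ones as untrusted intermediates, as a browser would.
client_accepts() {
    openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

# The workaround from the report: one PEM file, leaf first, then the chain.
# Each input must end with a newline or the PEM markers run together.
concat_chain() {
    cat "$1" "$2" > "$3"
}

demo() {
    work=$(mktemp -d)
    make_demo_pki "$work"
    concat_chain "$work/foo.com.pem" "$work/CA-cert.pem" "$work/fullchain.pem"
    for served in foo.com.pem fullchain.pem; do
        if client_accepts "$work/root.pem" "$work/$served"; then r=accepted; else r=rejected; fi
        echo "$served: $r"
    done
    rm -rf "$work"
}
demo
```

The same client_accepts check can be pointed at the PEM a live server actually sends to confirm whether the chain field took effect.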

Comment 1 weiwei jiang 2014-10-27 05:52:40 UTC
Checked on devenv-stage_1082 and devenv_5264, website can work well with ssl certificate chain.

Comment 2 Fabiano Franz 2014-10-27 14:11:33 UTC
This was fixed as part of bug 1147868 but we didn't have a release to OpenShift Online yet. A new release with the fix is going to be published later this week.

*** This bug has been marked as a duplicate of bug 1147868 ***