Bug 1166593

Summary: conflicting alias server name is listening on 443 port when user upload his own alias ssl cert.
Product: OpenShift Container Platform Reporter: Johnny Liu <jialiu>
Component: NodeAssignee: chris alfonso <calfonso>
Status: CLOSED ERRATA QA Contact: libra bugs <libra-bugs>
Severity: high Docs Contact:
Priority: high    
Version: 2.2.0CC: adellape, bleanhar, hbrock, jokerman, libra-onpremise-devel, mmccomas
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: rubygem-openshift-origin-routing-daemon-0.20.2.3-1.el6op Doc Type: Bug Fix
Doc Text:
In OpenShift Enterprise environments using the routing daemon with an nginx router, duplicate nginx configuration files were created if a user uploaded a SSL cert for an existing application alias. This was due to a bug in the routing daemon, and as a result, the application's SSL certificate was marked not trusted and nginx reported "conflicting server name" warnings. This bug fix updates the routing daemon to ensure these duplicate files are no longer created, and the issues no longer occur.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2014-12-10 13:25:17 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Johnny Liu 2014-11-21 10:16:41 UTC 
Description of problem:
When user add alias for his app, routing-daemon will create nginx conf file which is listening on 0.0.0.0:443
When user upload his own ssl cert for his alias, routing-daemon will create another nginx conf file which is also listening on 0.0.0.0:443

They are conflicting, that would cause one of them does not take effect.

Version-Release number of selected component (if applicable):
rubygem-openshift-origin-routing-daemon-0.17.1.6-1.el6op.noarch

How reproducible:
Always

Steps to Reproduce:
1.Create a scalable app.
2.add alias for this app.
3.Upload his own ssl cert for this alias.
$ rhc alias update-cert scaruby18app www.app1.com --certificate server.crt --private-key server.key 
SSL certificate successfully added.
4. Edit /etc/hosts to add nginx host IP to alias mapping
10.66.79.158	www.app1.com
# on 10.66.79.158, routing-daemon and nginx is running.
5. Try to curl app's page using cert via alias

Actual results:
$ curl --cacert server.crt https://www.app1.com|grep title
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

I could find the following message.
==> /var/log/nginx16/error.log <==
2014/11/21 17:39:51 [warn] 25193#0: conflicting server name "www.app1.com" on 0.0.0.0:443, ignored

# pwd
/opt/rh/nginx16/root/etc/nginx/conf.d
# cat cert_pool_ose_scaruby18app_jialiu_80_www.app1.com.conf

server {
  listen 443 ssl;
  server_name www.app1.com;
  ssl_certificate /opt/rh/nginx16/root/etc/nginx/conf.d/www.app1.com.crt;
  ssl_certificate_key /opt/rh/nginx16/root/etc/nginx/conf.d/www.app1.com.key;
  location / {
    proxy_pass http://pool_ose_scaruby18app_jialiu_80;
    
  }
}
# cat alias_pool_ose_scaruby18app_jialiu_80_www.app1.com.conf

server {
  listen 80;
  server_name www.app1.com;
  location / {
    proxy_pass http://pool_ose_scaruby18app_jialiu_80;
    
  }
}

server {
  listen 443 ssl;
  server_name www.app1.com;
  location / {
    proxy_pass http://pool_ose_scaruby18app_jialiu_80;
    
  }
}

Obviously, both two conf files are listening on 443 with the same server name - "www.app1.com".

After I comment out 443 directive in alias_pool_ose_scaruby18app_jialiu_80_www.app1.com.conf, everything works well.

Expected results:
There should be only one config file for listening 443 port.
Now the name routing for alias is alias_pool_ose_scaruby18app_jialiu_80_www.app1.com.conf, so suggest when user add alias for his app, create two conf files, one file is for 80, another is for 443. E.g:
# cat alias_pool_ose_scaruby18app_jialiu_80_www.app1.com.conf

server {
  listen 80;
  server_name www.app1.com;
  location / {
    proxy_pass http://pool_ose_scaruby18app_jialiu_80;
    
  }
}

# cat alias_pool_ose_scaruby18app_jialiu_443_www.app1.com.conf
server {
  listen 443 ssl;
  server_name www.app1.com;
  location / {
    proxy_pass http://pool_ose_scaruby18app_jialiu_80;
    
  }
}

When user update alias cert, routing daemon should only change alias_pool_ose_scaruby18app_jialiu_443_www.app1.com.conf to add cert file location just like the following, that would avoid such conflicting.
# cat alias_pool_ose_scaruby18app_jialiu_443_www.app1.com.conf
server {
  listen 443 ssl;
  server_name www.app1.com;
  ssl_certificate /opt/rh/nginx16/root/etc/nginx/conf.d/www.app1.com.crt;
  ssl_certificate_key /opt/rh/nginx16/root/etc/nginx/conf.d/www.app1.com.key;
  location / {
    proxy_pass http://pool_ose_scaruby18app_jialiu_80;
    
  }
}

Additional info:
Comment 1 chris alfonso 2014-11-24 23:09:47 UTC 
Great idea on the solution for this. I've opened a PR upstream for this patch.
https://github.com/openshift/origin-server/pull/5974

I'll get it merged into enterprise-server once it's upstream.
Comment 4 Johnny Liu 2014-11-26 06:11:36 UTC 
Verified this bug with rubygem-openshift-origin-routing-daemon-0.20.2.3-1.el6op.noarch, and PASS.

Now only one config nginx file for alias is built.

[root@dhcp-128-178 conf.d]# pwd
/opt/rh/nginx16/root/etc/nginx/conf.d
[root@dhcp-128-178 conf.d]# ls
alias_pool_ose_scaruby18app_jialiu_80_ha-scaruby18app-jialiu.example.com.conf  pool_ose_scaruby18app_jialiu_80.conf  www.app1.com.crt
alias_pool_ose_scaruby18app_jialiu_80_www.app1.com.conf                        server.conf                           www.app1.com.key
[root@dhcp-128-178 conf.d]# cat alias_pool_ose_scaruby18app_jialiu_80_www.app1.com.conf

server {
  listen 80;
  server_name www.app1.com;
  location / {
    proxy_pass http://pool_ose_scaruby18app_jialiu_80;
    
  }
}

server {
  listen 443 ssl;
ssl_certificate /opt/rh/nginx16/root/etc/nginx/conf.d/www.app1.com.crt;
ssl_certificate_key /opt/rh/nginx16/root/etc/nginx/conf.d/www.app1.com.key;
  server_name www.app1.com;
  location / {
    proxy_pass http://pool_ose_scaruby18app_jialiu_80;
    
  }
}


$ curl --cacert server.crt https://www.app1.com|grep title
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0  <title>Welcome to OpenShift</title>
100 39604  100 39604    0     0   232k      0 --:--:-- --:--:-- --:--:--  234k


It works well.
Comment 6 errata-xmlrpc 2014-12-10 13:25:17 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2014-1979.html