Bug 1259029

Summary: Web GUI authentication is being invoked many times on Safari
Product: OpenShift Container Platform Reporter: Ryan Howe <rhowe>
Component: apiserver-authAssignee: Jordan Liggitt <jliggitt>
Status: CLOSED DUPLICATE QA Contact: Xiaoli Tian <xtian>
Severity: low Docs Contact:
Priority: unspecified    
Version: 3.0.0CC: aos-bugs, jliggitt, jokerman, mmccomas, rhowe
Target Milestone: ---Keywords: Reopened
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-09-19 19:30:31 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Ryan Howe 2015-09-01 19:38:12 UTC
Description of problem:
 Web GUI authentication is being invoked many times on Safari with the following

"OS X wants to make changes. Type an administrator's name and password to allow this.
OS X wants to use the "System" keychain"

Even when entering in an administrator username and password it keeps prompting  for every single aspect of the site that needs loading. 


Version-Release number of selected component (if applicable):
OpenShift v3 

How reproducible:
Only with Customer. 

Steps to Reproduce:
1.Install V3 
2.Use unsigned CA certs 
3.Browse to OpenShift V3 web console 

Actual results:
Prompted over and over with: 
"OS X wants to make changes. Type an administrator's name and password to allow this.
OS X wants to use the "System" keychain"

Expected results:
Only be prompted once

Additional info:

Comment 2 Jordan Liggitt 2015-09-02 16:39:18 UTC
Once you add the CA to the system trusted roots (see https://support.apple.com/kb/PH18677?locale=en_US), Safari should stop prompting.

Unfortunately, I don't think the default dialog Safari shows walks you through this.

Comment 3 Jordan Liggitt 2015-09-02 16:43:24 UTC
Can you confirm that adding the CA to the system CA's corrects the issue?

Comment 4 Ryan Howe 2015-10-02 20:48:26 UTC
Requesting this bug to be open again. 

As adding to Keychain in System it still has the same issue entering credentials over and over again.  

This may be a docs thing where we need to document how to resolve this issue with Safari. Documentation on how to use your our cert for the webconsole. 

Currently Safari always prompt saying that the "website requires a client certificate"

Comment 5 Jordan Liggitt 2015-10-02 20:55:19 UTC
There are two issues at play, both of which are Safari bugs:

1. Safari does not prompt you to accept the server's signing cert in a permanent way, so websocket requests can fail silently, and later visits to the site sometimes prompt to re-accept an insecure connection. Adding the server's CA to the keychain should resolve that issue.

2. Safari incorrectly prompts to select a client certificate, even when it has no applicable client certificates for the server. The only workaround I'm aware of for this is to remove all client certificates from Safari (including the automatically added one for iCloud/Apple ID)

Comment 6 Ryan Howe 2015-10-06 18:48:14 UTC
Version of OS and Browser: 

OS X 10.10.5
Safari 8.0.8

Comment 8 Ryan Howe 2017-09-19 19:30:31 UTC

*** This bug has been marked as a duplicate of bug 1493276 ***