Bug 1268317

Summary: Intermediary SSL certificate chains ignored by GUI preventing viewing from iOS devices
Product: OpenShift Online
Reporter: Erich Morisse <emorisse>
Component: Containers
Assignee: Sally <somalley>
Status: CLOSED WONTFIX
QA Contact: Chao Yang <chaoyang>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 2.x
CC: aos-bugs, emorisse, jokerman, mmccomas, somalley, wsun
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-05-31 18:22:11 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Attachments:
Longer description of SSL missing intermediary chain. (Flags: none)

Description Erich Morisse 2015-10-02 13:50:45 UTC
Created attachment 1079450
Longer description of SSL missing intermediary chain.

Some SSL certificates require submission of intermediary certs to complete the signing chain from recognized Root CA to host key. 

Steps taken:
1. Add public key and private key (with no intermediary key) via command line. iOS[89] do not recognize the signatory, and give you a warning (correct and expected behavior)
2. Add all three keys (public, private, and intermediary) through the GUI.  Intermediary key does not get loaded. 
3. Delete existing certificate using GUI. Load all three keys. Intermediary key does not get loaded.
4. Get reissued certificates originally from GoDaddy, now with Starfield.
5. Repeat (3), same results.
6. Delete existing certificate using GUI. Concatenate intermediary keys and public key (intermediary keys first). Load concatenated key and private key. GUI warning - incorrect private key provided.
7. (No existing certificate to be deleted). Concatenate public key and intermediary key (public key first). Load concatenated key and private key. BINGO! Success.

Attached is a full review of the SSL/TLS, with status from step (3). Note that the intermediary keys required are not found. I think the report calls it "extra download required." "Full" browsers, such as chrome, ff, and safari on your laptop, will go the extra mile and perform the download. Smartphone browsers often will not. I tested with iPhone and iPad.
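The ordering rule the reporter worked out in steps 6 and 7 (server certificate first, then the intermediate(s)) can be checked before anything is uploaded. The script below is an added example, not part of the bug report and not code from openshift/origin-server. It builds a throwaway root/intermediate/leaf hierarchy with openssl (all names such as `Example Test Root` and `app.example.test` are constructed), shows why an intermediate-first bundle is rejected as an "incorrect private key" (tools that read only the first PEM block compare that block with the key), and runs the issuer/subject ordering check that a certificate loader should perform on a concatenated file. It assumes `openssl`, `awk` and `mktemp` are on PATH.

```shell
#!/bin/sh
# Added example (not from the bug report or openshift/origin-server): why a
# concatenated PEM bundle must start with the server (leaf) certificate, and
# the checks a certificate loader can run on such a bundle before accepting it.
# Assumes openssl, awk and mktemp are available. All names below are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

gen_key() { openssl ecparam -name prime256v1 -genkey -noout -out "$1"; }

# Throwaway test PKI: root -> intermediate -> leaf (EC P-256, two-day validity).
make_test_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:app.example.test\n' > "$WORK/leaf.ext"

  gen_key "$WORK/root.key"
  openssl req -new -key "$WORK/root.key" -subj "/CN=Example Test Root" -out "$WORK/root.csr"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null

  gen_key "$WORK/int.key"
  openssl req -new -key "$WORK/int.key" -subj "/CN=Example Test Intermediate" -out "$WORK/int.csr"
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null

  gen_key "$WORK/leaf.key"
  openssl req -new -key "$WORK/leaf.key" -subj "/CN=app.example.test" -out "$WORK/leaf.csr"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 2 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
}

# Check 1: does the private key belong to the FIRST certificate in the bundle?
# openssl x509 (like many loaders) reads only the first PEM block, which is why
# an intermediate-first bundle is rejected as "incorrect private key" (step 6).
first_cert_matches_key() { # $1 = bundle.pem, $2 = private key
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl sha256)
  key_pub=$(openssl pkey -in "$2" -pubout -outform DER | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# Split a bundle into 1.pem, 2.pem, ... inside directory $2 (one certificate each).
split_bundle() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/" n ".pem" }
    f != ""                      { print > f }
    /-----END CERTIFICATE-----/  { close(f); f = "" }' "$1"
}

# Check 2: every certificate must be issued by the one that follows it
# (leaf, then intermediate(s)), i.e. issuer(i) == subject(i+1).
bundle_is_ordered_chain() { # $1 = bundle.pem
  d=$(mktemp -d "$WORK/split.XXXXXX")
  split_bundle "$1" "$d"
  i=1
  while [ -f "$d/$((i + 1)).pem" ]; do
    issuer=$(openssl x509 -in "$d/$i.pem" -noout -issuer)
    subject=$(openssl x509 -in "$d/$((i + 1)).pem" -noout -subject)
    [ "${issuer#issuer=}" = "${subject#subject=}" ] || return 1
    i=$((i + 1))
  done
  return 0
}

# Check 3: the leaf really chains to the root through the intermediate, so a
# failure of check 1 or 2 is an ordering problem, not a broken chain.
chain_verifies() { # $1 = leaf.pem, $2 = intermediate.pem, $3 = root.pem
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

make_test_pki
cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/leaf-first.pem"  # step 7 order: accepted
cat "$WORK/int.pem" "$WORK/leaf.pem" > "$WORK/int-first.pem"   # step 6 order: rejected

report() { # $1 = label, $2 = bundle.pem
  if first_cert_matches_key "$2" "$WORK/leaf.key"; then k=yes; else k=NO; fi
  if bundle_is_ordered_chain "$2"; then o=yes; else o=NO; fi
  echo "$1: first cert matches key: $k, ordered leaf->intermediate: $o"
}

if chain_verifies "$WORK/leaf.pem" "$WORK/int.pem" "$WORK/root.pem"; then
  echo "test PKI: leaf verifies against root via intermediate"
else
  echo "test PKI: chain does not verify (check openssl setup)"
fi
report "leaf-first" "$WORK/leaf-first.pem"
report "int-first " "$WORK/int-first.pem"
```

Run as-is; it prints both bundles side by side, with the leaf-first file passing both checks and the intermediate-first file failing both. A loader that ran check 1 and check 2 on upload would have produced a clear "bundle is in the wrong order" message instead of the misleading private-key warning seen in step 6.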

Comment 1 Miciah Dashiel Butler Masters 2015-11-06 19:26:24 UTC
Is there any chance you could attach the exact files that you are uploading through the GUI? The problem may be that we are not adequately normalising the input at that point, in which case it would be helpful to have the exact input.

Comment 2 Miciah Dashiel Butler Masters 2015-12-11 19:59:37 UTC
Ping! Is this still an issue?

Comment 3 Erich Morisse 2015-12-11 20:05:25 UTC
I was able to work around it (with the instructions above), and have not tried it since.

I can't give out the private key, so not sure it is of any help to provide the others.

Comment 4 openshift-github-bot 2016-01-27 20:39:35 UTC
Commit pushed to master at https://github.com/openshift/origin-server

https://github.com/openshift/origin-server/commit/62ef0ec522b0fe26050d7c375ee5098c060b1d5c
Remove SSL Cert Chain Field from web console

Bug 1268317, Bug 1281901, Bug 1269637
Bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=1268317
Bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=1281901
Bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=1269637

Remove SSL Certificate Chain Field from web console.
Document that the user must concatenate SSL cert files into a single file to upload,
or upload the already-concatenated file included in the SSL certificate from
the SSL certificate provider.

Comment 5 weiwei jiang 2016-02-01 03:06:53 UTC
Checked with devenv_5760, and the Cert Chain Field has been removed.
It now prompts customers to upload a cert that puts the primary and intermediate certificates into a single file.

Comment 6 Eric Paris 2017-05-31 18:22:11 UTC
We apologize, however, we do not plan to address this report at this time. The majority of our active development is for the v3 version of OpenShift. If you would like for Red Hat to reconsider this decision, please reach out to your support representative. We are very sorry for any inconvenience this may cause.