Bug 1269637

Summary: Updating TLS certificates does not update the chaining certificate
Product: OpenShift Online Reporter: Eric Christensen <sparks>
Component: Management ConsoleAssignee: Sally <somalley>
Status: CLOSED WONTFIX QA Contact: yapei
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 2.xCC: aos-bugs, dmcphers, jokerman, jolamb, mmccomas, somalley, sten, wsun
Target Milestone: ---Keywords: Reopened
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-05-31 14:22:11 EDT Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Eric Christensen 2015-10-07 15:48:21 EDT
Description of problem: I just updated the TLS certificate and key for securityblog.redhat.com.  I put the chaining certificate in but it doesn't seem to be working.  SSLLabs (https://www.ssllabs.com/ssltest/analyze.html?d=securityblog.redhat.com) still shows the intermediate certificate to be an extra download instead of being presented by the server.

I've reinstalled the certs several times and restarted the application to no avail.
Comment 1 Eric Christensen 2015-10-07 16:44:11 EDT
To clarify, the intermediate certificate doesn't seem to be recognized when it is sent.
Comment 2 Timothy Williams 2015-10-22 11:58:06 EDT
The reason your blog is currently working with https appears to be that the Red Hat *.rhcloud.com certificate is also signed by Digicert, who signed your certificate. Usually, without the intermediate, there would be more severe issues.

Speaking with one of our SSL experts on the support team, it looks like you need to include the whole certificate chain (certificate, root, and intermediate) when you upload the certificate to openshift. Take a look at this short article:


You should be able to simply `cat` your certificate, root, and intermediate into a single .crt file to upload to openshift. Please try that and, if you still have issues, open a support case with the GSS team. 

This doesn't look to be affecting any other applications, as it is only this application that is having the issue. Closing this for now as NOTABUG since no other applications appear to be affected.
Comment 4 Eric Christensen 2015-10-27 09:58:40 EDT
No, this is a bug and it appears to be specific to the GUI.  When uploading the new certificate and intermediate certificate the new certificate takes effect but the intermediate certificate isn't used.  One must concatenate the certificate and the intermediate certificate together to make everything work.

From what I was told on IRC, it would appear that the intermediate certificate entry on the GUI is new.  Maybe that's where the problem lies?
Comment 6 Sten Turpin 2015-12-22 15:12:19 EST
This issue can be replicated on openshift v2 stg. Create a new certificate authority (using ca.sh or tinyca2), trust that CA in your browser, then generate a new key + certificate for an app. You'll need a working DNS entry so you can create an alias. Apply the key + certificate to the app. The intermediate certificate will not be applied. 

Using the CLI, it's possible to work around this issue by concatenating the signed certificate and intermediate certificate (in that order): 

cat install_openshift_com.crt DigiCert.CA > install.openshift.com.pem

rhc alias update-cert oo install.openshift.com --certificate install.openshift.com.pem --private-key install.openshift.com.key
Comment 7 weiwei jiang 2016-01-31 22:06:25 EST
Checked with devenv_5760, and the Cert Chain Field has been removed.
And has prompted customers to upload a cert that put primary and intermediate certificates into a single file.
Comment 8 Eric Paris 2017-05-31 14:22:11 EDT
We apologize, however, we do not plan to address this report at this time. The majority of our active development is for the v3 version of OpenShift. If you would like for Red Hat to reconsider this decision, please reach out to your support representative. We are very sorry for any inconvenience this may cause.