Bug 1281901

Summary: https using letsencrypt has B rating - chain incomplete
Product: OpenShift Online Reporter: lucas0033 <lucas0033>
Component: ContainersAssignee: Sally <somalley>
Status: CLOSED WONTFIX QA Contact: DeShuai Ma <dma>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 2.xCC: aos-bugs, jialiu, jokerman, lmeyer, lucas0033, mmccomas, somalley, wsun, xtian
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1310266 (view as bug list) Environment:
Last Closed: 2017-05-31 18:22:11 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1310266    

Description lucas0033@gmail.com 2015-11-13 18:16:39 UTC 
Description of problem: 
I tried to add letsencrypt certificate to openshift. I uploaded cert.pem + chain.pem + priv.pem and I got https working, but with B rating and chain incomplete message. When I used only fullchain.pem + priv.pem https worked and I got A record - chain was complete. More info can be found here - https://community.letsencrypt.org/t/this-servers-certificate-chain-is-incomplete-grade-capped-to-b-openshift/3665


Version-Release number of selected component (if applicable): Openshift v2


How reproducible: 
Apply letsencrypt certificate to openshift v2 using cert.pem + chain.pem + priv.pem

Actual results: 
B rating and chain incomplete


Expected results:
A rating and chain complete


Additional info:
Comment 1 Miciah Dashiel Butler Masters 2015-12-01 16:54:13 UTC 
It is possible that the problem lies in the normalization of encoding, whitespace, etc. that the management console performs when one uploads certificates.  Do you see the same problem when you use the rhc command-line tool instead of the Web-based management console to upload the certificates?

Here is documentation on installing the rhc client tool:   https://developers.openshift.com/en/managing-client-tools.html

Here is documentation on uploading certificates using rhc:   https://developers.openshift.com/en/managing-domains-ssl.html#_command_line_rhc

If you can answer the above question, that will help us narrow down whether the problem is in the management console, our httpd configuration, or possibly somewhere else.  Thanks!
Comment 2 lucas0033@gmail.com 2015-12-01 17:19:08 UTC 
Hi,
I am missing chain parameter in rhc:

rhc alias update-cert <application_name> <domain_name> --certificate <cert_file> --private-key <key_file>
Comment 3 Sally 2016-01-05 16:48:33 UTC 
I believe one fix will solve this + 2 other current bzs:

https://bugzilla.redhat.com/show_bug.cgi?id=1269637
https://bugzilla.redhat.com/show_bug.cgi?id=1268317

Solution could be to remove the 'SSL Certificate Chain' field in the web console, and to document clearly that cert + chain should be concatenated manually (cert 1st, then chain) and uploaded in the 'SSL Certificate*' field as a 'fullchainfile.pem' OR user should upload the 'fullchain.pem' if SSL cert provider automatically concatenates the cert + chain (letsencrypt does).

This solution makes sense, especially since there is no 'SSL Certificate Chain' upload option in the rhc tool.  The rhc tool options should match the web console options, correct?
Comment 4 weiwei jiang 2016-02-01 03:07:01 UTC 
Checked with devenv_5760, and the Cert Chain Field has been removed.
And has prompted customers to upload a cert that put primary and intermediate certificates into a single file.
Comment 5 Eric Paris 2017-05-31 18:22:11 UTC 
We apologize, however, we do not plan to address this report at this time. The majority of our active development is for the v3 version of OpenShift. If you would like for Red Hat to reconsider this decision, please reach out to your support representative. We are very sorry for any inconvenience this may cause.