Bug 1310266

Summary: https using letsencrypt has B rating - chain incomplete
Product: OpenShift Container Platform Reporter: Rory Thrasher <rthrashe>
Component: ContainersAssignee: Sally <somalley>
Status: CLOSED ERRATA QA Contact: DeShuai Ma <dma>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 2.2.0CC: aos-bugs, dma, jialiu, jokerman, lmeyer, lucas0033, mmccomas, somalley, wjiang, xtian
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: rubygem-openshift-origin-node-1.38.5.2-1.el6op rubygem-openshift-origin-console-1.35.5.1-1.el6op rubygem-openshift-origin-frontend-apache-vhost-0.13.1-1.el6op Doc Type: Bug Fix
Doc Text:
Cause: Web-console used to have an intermediate 'Certificate Chain' field. The cert files were then internally concatenated. SSL certificate providers often issue a 'fullchain.pem' file (or similar) that was confusing to users who didn't know whether to use this file or the non-concatenated files. Finally, the rhc tool to upload SSL certs does not include an 'cert chain' option, when using the rhc tool users have always been required to supply concatenated cert file. Consequence: Users were getting a 'B rating' and/or 'chain incomplete' warning unless they used the 'fullchain.pem' file. Fix: Removed SSL Certificate Chain Field from web console. Documented that the user must concatenate SSL cert files into a single file to upload, or upload the already-concatenated file included in the SSL certificate from the SSL certificate provider. Also documented how users should manually concatenate the cert files if the SSL cert provider did not provide a concatenated file. Result: rhc tool now matches web console. Uploading SSL certs process has been clarified for users.
 Story Points: ---
Clone Of: 1281901 Environment:
Last Closed: 2016-03-22 16:54:58 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1281901    
Bug Blocks:    

Description Rory Thrasher 2016-02-19 22:33:35 UTC 
Cloning bug to enterprise for doc texts.

These 3 bugs were fixed by this change:
https://bugzilla.redhat.com/show_bug.cgi?id=1268317
https://bugzilla.redhat.com/show_bug.cgi?id=1281901
https://bugzilla.redhat.com/show_bug.cgi?id=1269637


+++ This bug was initially created as a clone of Bug #1281901 +++

Description of problem: 
I tried to add letsencrypt certificate to openshift. I uploaded cert.pem + chain.pem + priv.pem and I got https working, but with B rating and chain incomplete message. When I used only fullchain.pem + priv.pem https worked and I got A record - chain was complete. More info can be found here - https://community.letsencrypt.org/t/this-servers-certificate-chain-is-incomplete-grade-capped-to-b-openshift/3665


Version-Release number of selected component (if applicable): Openshift v2


How reproducible: 
Apply letsencrypt certificate to openshift v2 using cert.pem + chain.pem + priv.pem

Actual results: 
B rating and chain incomplete


Expected results:
A rating and chain complete


Additional info:

--- Additional comment from Miciah Dashiel Butler Masters on 2015-12-01 11:54:13 EST ---

It is possible that the problem lies in the normalization of encoding, whitespace, etc. that the management console performs when one uploads certificates.  Do you see the same problem when you use the rhc command-line tool instead of the Web-based management console to upload the certificates?

Here is documentation on installing the rhc client tool:   https://developers.openshift.com/en/managing-client-tools.html

Here is documentation on uploading certificates using rhc:   https://developers.openshift.com/en/managing-domains-ssl.html#_command_line_rhc

If you can answer the above question, that will help us narrow down whether the problem is in the management console, our httpd configuration, or possibly somewhere else.  Thanks!

--- Additional comment from lucas0033 on 2015-12-01 12:19:08 EST ---

Hi,
I am missing chain parameter in rhc:

rhc alias update-cert <application_name> <domain_name> --certificate <cert_file> --private-key <key_file>

--- Additional comment from Sally on 2016-01-05 11:48:33 EST ---

I believe one fix will solve this + 2 other current bzs:

https://bugzilla.redhat.com/show_bug.cgi?id=1269637
https://bugzilla.redhat.com/show_bug.cgi?id=1268317

Solution could be to remove the 'SSL Certificate Chain' field in the web console, and to document clearly that cert + chain should be concatenated manually (cert 1st, then chain) and uploaded in the 'SSL Certificate*' field as a 'fullchainfile.pem' OR user should upload the 'fullchain.pem' if SSL cert provider automatically concatenates the cert + chain (letsencrypt does).

This solution makes sense, especially since there is no 'SSL Certificate Chain' upload option in the rhc tool.  The rhc tool options should match the web console options, correct?

--- Additional comment from weiwei jiang on 2016-01-31 22:07:01 EST ---

Checked with devenv_5760, and the Cert Chain Field has been removed.
And has prompted customers to upload a cert that put primary and intermediate certificates into a single file.
Comment 4 weiwei jiang 2016-02-26 06:13:48 UTC 
Checked with puddle http://etherpad.corp.redhat.com/puddle-2-2-2016-02-19, and the Certificate Chain Field has been removed.
Also prompt user to upload a cert to concatenate primary and intermediate certs into a single file.
Comment 6 errata-xmlrpc 2016-03-22 16:54:58 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-0489.html