Bug 1316698
| Summary: | Re-Encrypt Termination destinationCACertificate ca-file not created when route does not include key and cert | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Ryan Howe <rhowe> |
| Component: | Networking | Assignee: | Ram Ranganathan <ramr> |
| Networking sub component: | router | QA Contact: | zhaozhanqi <zzhao> |
| Status: | CLOSED ERRATA | Docs Contact: | |
| Severity: | high | | |
| Priority: | unspecified | CC: | aos-bugs, misalunk, nicholas_schuetz, tdawson, zisis.lianas |
| Version: | 3.1.0 | | |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-05-12 16:32:28 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Same issue: https://github.com/openshift/origin/issues/7444

Verified this bug on origin (devenv_rhel_3734) with version
oc v1.1.4-16-gb5da002
kubernetes v1.2.0-origin-41-g91d3e75
openshift/origin-haproxy-router latest e5fb8a74d31b 14 hours ago 417.4 MB
Steps:
1. Create the default-cert file 'cloudapps.router.pem'; it uses '*.example2.com'
# openssl x509 -in cloudapps.router.pem -noout -text |grep -i "subject:"
Subject: CN=*.example2.com
2. Create the router with --default-cert cloudapps.router.pem
3. Create app/service/route
cat reencry.json
{
    "kind": "Route",
    "apiVersion": "v1",
    "metadata": {
        "name": "route-reencrypt"
    },
    "spec": {
        "host": "www.example2.com",
        "to": {
            "kind": "Service",
            "name": "hello-nginx"
        },
        "tls": {
            "termination": "reencrypt",
            "destinationCACertificate": "-----BEGIN CERTIFICATE-----\nMIIEFzCCAv+gAwIBAgIJALK1iUpF2VQLMA0GCSqGSIb3DQEBBQUAMIGhMQswCQYD\nVQQGEwJVUzELMAkGA1UECAwCU0MxFTATBgNVBAcMDERlZmF1bHQgQ2l0eTEcMBoG\nA1UECgwTRGVmYXVsdCBDb21wYW55IEx0ZDEQMA4GA1UECwwHVGVzdCBDQTEaMBgG\nA1UEAwwRd3d3LmV4YW1wbGVjYS5jb20xIjAgBgkqhkiG9w0BCQEWE2V4YW1wbGVA\nZXhhbXBsZS5jb20wHhcNMTUwMTEyMTQxNTAxWhcNMjUwMTA5MTQxNTAxWjCBoTEL\nMAkGA1UEBhMCVVMxCzAJBgNVBAgMAlNDMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkx\nHDAaBgNVBAoME0RlZmF1bHQgQ29tcGFueSBMdGQxEDAOBgNVBAsMB1Rlc3QgQ0Ex\nGjAYBgNVBAMMEXd3dy5leGFtcGxlY2EuY29tMSIwIAYJKoZIhvcNAQkBFhNleGFt\ncGxlQGV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\nw2rK1J2NMtQj0KDug7g7HRKl5jbf0QMkMKyTU1fBtZ0cCzvsF4CqV11LK4BSVWaK\nrzkaXe99IVJnH8KdOlDl5Dh/+cJ3xdkClSyeUT4zgb6CCBqg78ePp+nN11JKuJlV\nIG1qdJpB1J5O/kCLsGcTf7RS74MtqMFo96446Zvt7YaBhWPz6gDaO/TUzfrNcGLA\nEfHVXkvVWqb3gqXUztZyVex/gtP9FXQ7gxTvJml7UkmT0VAFjtZnCqmFxpLZFZ15\n+qP9O7Q2MpsGUO/4vDAuYrKBeg1ZdPSi8gwqUP2qWsGd9MIWRv3thI2903BczDc7\nr8WaIbm37vYZAS9G56E4+wIDAQABo1AwTjAdBgNVHQ4EFgQUugLrSJshOBk5TSsU\nANs4+SmJUGwwHwYDVR0jBBgwFoAUugLrSJshOBk5TSsUANs4+SmJUGwwDAYDVR0T\nBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAaMJ33zAMV4korHo5aPfayV3uHoYZ\n1ChzP3eSsF+FjoscpoNSKs91ZXZF6LquzoNezbfiihK4PYqgwVD2+O0/Ty7UjN4S\nqzFKVR4OS/6lCJ8YncxoFpTntbvjgojf1DEataKFUN196PAANc3yz8cWHF4uvjPv\nWkgFqbIjb+7D1YgglNyovXkRDlRZl0LD1OQ0ZWhd4Ge1qx8mmmanoBeYZ9+DgpFC\nj9tQAbS867yeOryNe7sEOIpXAAqK/DTu0hB6+ySsDfMo4piXCc2aA/eI2DCuw08e\nw17Dz9WnupZjVdwTKzDhFgJZMLDqn37HQnT6EemLFqbcR0VPEnfyhDtZIQ==\n-----END CERTIFICATE-----"
        }
    }
}
4. Check the route
# curl --resolve www.example2.com:443:127.0.0.1 https://www.example2.com --cacert /root/cloudapps.router.pem
Hello World
Since this bug was reported against 'OSE', I have first changed the status to 'MODIFIED' for now; please help update it to 'ON_QA' once it is merged into OSE. I will verify it then. Thanks.
This should be in the v3.2.0.4 build which was created today.

Verified this bug with the steps in comment 3 using the following version:
# oc version
oc v3.2.0.4
kubernetes v1.2.0-origin-41-g91d3e75

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2016:1064
Description of problem:
When a Re-Encrypt Termination route is created with only destinationCACertificate (cert and key are not included because the router's "--default-cert" is meant to be used), the ca-file is not created in /var/lib/containers/router/cacerts/<PROJECT><ROUTE_NAME>.

Version-Release number of selected component (if applicable):
3.1.1.6

How reproducible:
100%

Steps to Reproduce:
1. Create route [1]
2. `oc rsh router`
3. $ grep bug haproxy.config
backend be_secure_default_bug-reencrypt
  cookie OPENSHIFT_REENCRYPT_default_bug-reencrypt_SERVERID insert indirect nocache httponly secure
  server 10.1.5.18:5000 10.1.5.18:5000 ssl check inter 5000ms verify required ca-file /var/lib/containers/router/cacerts/default_bug-reencrypt.pem cookie 10.1.5.18:5000
4. ll /var/lib/containers/router/cacerts/ -a
total 8
drwxrwxrwx. 2 root root   37 Mar 10 14:33 .
drwxrwxrwx. 4 root root   50 Mar  9 10:29 ..
-rw-r--r--. 1 root root 4109 Mar 10 14:33 default_test-secured.pem

Actual results:
[ALERT] 056/103231 (25235) : Proxy 'default_bug-reencrypt', server '10.1.0.66:8443' [/var/lib/haproxy/conf/haproxy.config:302] unable to load CA file '/var/lib/containers/router/cacerts/default_bug-reencrypt.pem'.
[ALERT] 056/103231 (25235) : Fatal errors found in configuration.

Expected results:
Work with the default certs and the supplied destinationCACertificate for a Re-Encrypt Termination route

Additional info:
[1] BUG route object
$ oc get route bug-reencrypt -o yaml
apiVersion: v1
items:
- apiVersion: v1
  kind: Route
  metadata:
    creationTimestamp: 2016-03-10T19:39:30Z
    name: bug-reencrypt
    namespace: default
    resourceVersion: "1199068"
    selfLink: /oapi/v1/namespaces/default/routes/bug-reencrypt
    uid: ce9d4308-e6f7-11e5-ae52-fa163eb4e380
  spec:
    host: www.bug.com
    tls:
      destinationCACertificate: |-
        -----BEGIN CERTIFICATE-----
        XXXXXX CONTENTS HERE XXXXXX
        -----END CERTIFICATE-----
        -----BEGIN CERTIFICATE-----
        XXXXXX CONTENTS HERE XXXXXX
        -----END CERTIFICATE-----
      termination: reencrypt
    to:
      kind: Service
      name: docker-registry
  status: {}

[2] Control Test to ensure it works when including all data:
# oc get route test-secured -o yaml
apiVersion: v1
kind: Route
metadata:
  creationTimestamp: 2016-03-10T18:57:48Z
  name: test-secured
  namespace: default
  resourceVersion: "1194643"
  selfLink: /oapi/v1/namespaces/default/routes/test-secured
  uid: fb8d2884-e6f1-11e5-ae52-fa163eb4e380
spec:
  host: www.test.com
  tls:
    certificate: |-
      -----BEGIN CERTIFICATE-----
      XXXXXX CONTENTS HERE XXXXXX
    destinationCACertificate: |-
      -----BEGIN CERTIFICATE-----
      XXXXXX CONTENTS HERE XXXXXX
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      XXXXXX CONTENTS HERE XXXXXX
      -----END CERTIFICATE-----
    key: |-
      -----BEGIN PRIVATE KEY-----
      XXXXXX CONTENTS HERE XXXXXX
      -----END PRIVATE KEY-----
    termination: reencrypt
  to:
    kind: Service
    name: docker-registry
status: {}
kind: List
metadata: {}

$ ll /var/lib/containers/router/cacerts/ -a
total 8
drwxrwxrwx. 2 root root   37 Mar 10 14:33 .
drwxrwxrwx. 4 root root   50 Mar  9 10:29 ..
-rw-r--r--. 1 root root 4109 Mar 10 14:33 default_test-secured.pem
$ oc rsh -n default router-5-6wo5k
[root@rnode5 conf]# grep "test-secured" haproxy.config
backend be_secure_default_test-secured
  cookie OPENSHIFT_REENCRYPT_default_test-secured_SERVERID insert indirect nocache httponly secure
  server 10.1.5.18:5000 10.1.5.18:5000 ssl check inter 5000ms verify required ca-file /var/lib/containers/router/cacerts/default_test-secured.pem cookie 10.1.5.18:5000
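Added example, not part of the bug report or of the OpenShift router code: a POSIX shell check that does mechanically what the reporter did by hand above. It pulls every ca-file path out of the `server ... verify required` lines in haproxy.config and flags the ones that are missing, empty or not PEM, which is exactly the condition that makes haproxy abort with "unable to load CA file". The haproxy.config snippet and the cacerts directory it builds are a constructed fixture mirroring the report; the optional root-prefix argument (for checking a copied-out filesystem rather than running inside the pod) is an assumption of this example, not a router convention.

```shell
#!/bin/sh
# Added example, not code from the bug report or from OpenShift/origin.
# Lists every CA bundle that haproxy.config tells the router to verify
# re-encrypted backends against, and flags the ones that do not exist or
# do not contain a PEM certificate. A missing file is fatal for haproxy
# ("unable to load CA file"), so this is the check to run before a reload.

# Print the unique ca-file paths from 'server ... verify required ...' lines.
# $1: path to haproxy.config
referenced_cafiles() {
    awk '/^[[:space:]]*server / && /verify required/ {
            for (i = 1; i <= NF; i++) if ($i == "ca-file") print $(i + 1)
         }' "$1" | sort -u
}

# Print each referenced ca-file that is missing, empty or not PEM.
# $1: path to haproxy.config
# $2: optional root prefix (an assumption of this example, e.g. a copied-out
#     filesystem) prepended to the paths found in the config
# Returns 1 if anything is wrong, 0 if haproxy would find every CA file.
missing_cafiles() {
    cfg=$1
    root=${2:-}
    rc=0
    for f in $(referenced_cafiles "$cfg"); do
        p="$root$f"
        if [ ! -s "$p" ] || ! grep -q -- '-----BEGIN CERTIFICATE-----' "$p"; then
            echo "$f"
            rc=1
        fi
    done
    return $rc
}

# Constructed fixture mirroring the report: the control route's CA bundle
# exists, the bug-reencrypt route's was never written. Prints the fixture root.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/var/lib/containers/router/cacerts"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' \
        'MIIB...constructed placeholder, not a real certificate...' \
        '-----END CERTIFICATE-----' \
        > "$d/var/lib/containers/router/cacerts/default_test-secured.pem"
    cat > "$d/haproxy.config" <<'EOF'
backend be_secure_default_test-secured
  cookie OPENSHIFT_REENCRYPT_default_test-secured_SERVERID insert indirect nocache httponly secure
  server 10.1.5.18:5000 10.1.5.18:5000 ssl check inter 5000ms verify required ca-file /var/lib/containers/router/cacerts/default_test-secured.pem cookie 10.1.5.18:5000

backend be_secure_default_bug-reencrypt
  cookie OPENSHIFT_REENCRYPT_default_bug-reencrypt_SERVERID insert indirect nocache httponly secure
  server 10.1.0.66:8443 10.1.0.66:8443 ssl check inter 5000ms verify required ca-file /var/lib/containers/router/cacerts/default_bug-reencrypt.pem cookie 10.1.0.66:8443
EOF
    echo "$d"
}

# Inside the router pod:  missing_cafiles /var/lib/haproxy/conf/haproxy.config
# Stand-alone demo against the fixture:  sh check_cafiles.sh --demo
if [ "${1:-}" = "--demo" ]; then
    fx=$(make_fixture)
    if missing_cafiles "$fx/haproxy.config" "$fx"; then
        echo "all referenced ca-files present; haproxy reload is safe"
    else
        echo "haproxy will refuse this config (see paths above)"
    fi
fi
```

Run against the fixture, the script prints only /var/lib/containers/router/cacerts/default_bug-reencrypt.pem and exits non-zero, the same file haproxy named in the alert. Run inside the router pod against the real config, an empty result means every reencrypt backend has a CA bundle to verify against; the `-s` test also catches a zero-byte file, which `ls` alone would not.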