Bug 1321179

Summary: SSL overcloud deployment fails when the certificate contains the public vip in the SAN extension
Product: Red Hat OpenStack
Reporter: Marius Cornea <mcornea>
Component: documentation
Assignee: Martin Lopes <mlopes>
Status: CLOSED NEXTRELEASE
QA Contact: RHOS Documentation Team <rhos-docs>
Severity: high
Docs Contact:
Priority: medium
Version: 12.0 (Pike)
CC: dbecker, jcoufal, mburns, mcornea, mlopes, morazi, nkinder, rcritten, rhel-osp-director-maint, srevivo
Target Milestone: ---
Keywords: Documentation, Triaged
Target Release: 12.0 (Pike)
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Known Issue
Doc Text:
OpenStack command-line clients that use `python-requests` cannot currently validate certificates that have an IP address in the SAN field.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-11-06 05:57:21 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 1434114
Bug Blocks:
Attachments:
san_ip.crt (flags: none)

Description Marius Cornea 2016-03-24 20:57:11 UTC
Created attachment 1140162: san_ip.crt

Description of problem:
SSL overcloud deployment fails when the certificate contains the public vip in the SAN extension. I updated the enable-tls.yaml to use the IP address instead of the hostname (sed -i 's/CLOUDNAME/IP_ADDRESS/').

The public VIP of the overcloud is 172.16.23.10. Deployment fails with the following error:

Authorization Failed: SSL exception connecting to https://172.16.23.10:13000/v2.0/tokens: hostname '172.16.23.10' doesn't match either of 'cloudy.net', 'overcloud.cloudy.net'

The certificate contains the SAN extension:
X509v3 Subject Alternative Name: 
    IP Address:172.16.23.10, IP Address:2001:DB8:FD00:1000:0:0:0:10, DNS:cloudy.net, DNS:overcloud.cloudy.net

curl seems to be working:
curl https://172.16.23.10:13000/v2.0/tokens
{"error": {"message": "The resource could not be found.", "code": 404, "title": "Not Found"}} 

The overcloud deployment succeeds when using 'cloudy.net' as CloudName, so I'd say the certificate validation is successful, but I believe the openstack client does not check the IP address in the SAN extension.

According to the RFC this should be supported:
https://tools.ietf.org/html/rfc2818#section-3.1
In some cases, the URI is specified as an IP address rather than a hostname. In this case, the iPAddress subjectAltName must be present in the certificate and must exactly match the IP in the URI.

Version-Release number of selected component (if applicable):
openstack-tripleo-heat-templates-0.8.12-2.el7ost.noarch

How reproducible:
100%

Additional info:
Attaching the certificate.
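The matching rule the report cites, worked through in Python as an added example for this report (it is not code from python-requests, urllib3, the OpenStack clients or tripleo-heat-templates). `SAN_IP_CERT` is constructed from the SAN values pasted above in the layout `ssl.SSLSocket.getpeercert()` returns; the Common Name is assumed, since the attached san_ip.crt is not reproduced on the page. `match_reference_identity` applies RFC 2818 section 3.1 (IP literal in the URL must equal an iPAddress SAN, hostname must match a dNSName SAN, CN only as a fallback), while `match_dns_only` models the DNS-only behaviour implied by the error text in the description, so the two can be compared on the same certificate.

```python
"""Reference-identity matching per RFC 2818 section 3.1 against a certificate's
subjectAltName, using the tuple layout ssl.SSLSocket.getpeercert() returns.

Added for this bug report; this is not python-requests, urllib3 or OpenStack
client code.  SAN_IP_CERT is constructed from the SAN values pasted in the
description (the attached san_ip.crt itself is not reproduced here).
"""
import ipaddress
import re


class CertificateError(ValueError):
    """Raised when the reference identity matches nothing in the certificate."""


# Constructed to mirror san_ip.crt's names, in getpeercert() form.
SAN_IP_CERT = {
    "subject": ((("commonName", "overcloud.cloudy.net"),),),  # assumed CN
    "subjectAltName": (
        ("IP Address", "172.16.23.10"),
        ("IP Address", "2001:DB8:FD00:1000:0:0:0:10"),
        ("DNS", "cloudy.net"),
        ("DNS", "overcloud.cloudy.net"),
    ),
}


def _dns_matches(pattern, hostname):
    """dNSName match, case-insensitive, with RFC 2818's wildcard confined to
    the left-most label: *.a.com matches foo.a.com but not bar.foo.a.com or
    a.com; f*.com matches foo.com but not bar.com."""
    plabels = pattern.lower().split(".")
    hlabels = hostname.lower().rstrip(".").split(".")
    if len(plabels) != len(hlabels) or plabels[1:] != hlabels[1:]:
        return False
    leftmost = re.escape(plabels[0]).replace(r"\*", "[^.]*")
    return re.fullmatch(leftmost, hlabels[0]) is not None


def match_reference_identity(cert, reference):
    """Return the SAN (or CN) entry matching `reference`, the host part of the
    URL, or raise CertificateError.  RFC 2818 3.1: an IP literal must equal an
    iPAddress SAN; a hostname must match a dNSName SAN, with the subject Common
    Name consulted only when the certificate carries no dNSName at all."""
    san = cert.get("subjectAltName", ())
    try:
        ref_ip = ipaddress.ip_address(reference.strip("[]"))  # [v6] URL form
    except ValueError:
        ref_ip = None

    if ref_ip is not None:
        ip_sans = [v for k, v in san if k == "IP Address"]
        for v in ip_sans:
            # Compare parsed addresses: 2001:DB8:FD00:1000:0:0:0:10 and
            # 2001:db8:fd00:1000::10 are the same identity despite the text.
            if ipaddress.ip_address(v) == ref_ip:
                return ("IP Address", v)
        raise CertificateError("IP address %r doesn't match any of %r"
                               % (reference, ip_sans))

    dns_sans = [v for k, v in san if k == "DNS"]
    candidates = dns_sans or [v for rdn in cert.get("subject", ())
                              for k, v in rdn if k == "commonName"]
    for v in candidates:
        if _dns_matches(v, reference):
            return ("DNS" if dns_sans else "commonName", v)
    raise CertificateError("hostname %r doesn't match either of %s"
                           % (reference, ", ".join(map(repr, candidates))))


def match_dns_only(cert, reference):
    """Models the failure in this bug: only dNSName entries are consulted, so
    an IP literal in the URL can never match, however correct the iPAddress
    SAN is.  Written from the error text in the description, not copied from
    the client's code."""
    dns_sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    for v in dns_sans:
        if _dns_matches(v, reference):
            return ("DNS", v)
    raise CertificateError("hostname %r doesn't match either of %s"
                           % (reference, ", ".join(map(repr, dns_sans))))


def accepts(matcher, reference, cert=SAN_IP_CERT):
    """True if matcher accepts reference for cert, False if it rejects it."""
    try:
        matcher(cert, reference)
        return True
    except CertificateError:
        return False


if __name__ == "__main__":
    # The public VIP, its IPv6 twin in compressed form, a DNS name, and a
    # wrong address; the first two are where the two matchers disagree.
    for ref in ("172.16.23.10", "2001:db8:fd00:1000::10",
                "cloudy.net", "172.16.23.11"):
        print("%-24s rfc2818=%-5s dns_only=%s" % (
            ref, accepts(match_reference_identity, ref),
            accepts(match_dns_only, ref)))
```

Running it shows the RFC 2818 matcher accepting 172.16.23.10 and the compressed IPv6 form while the DNS-only matcher rejects both with the same "doesn't match either of ..." text the deployment produced, and both reject 172.16.23.11. Comparing parsed addresses rather than strings is what makes "must exactly match" workable in practice: the SAN text and the URL's host literal need not be byte-identical for IPv6, and a string comparison would reject a valid certificate.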

Comment 2 Jaromir Coufal 2016-04-01 12:02:37 UTC
doc_text for the release please

Comment 3 Mike Burns 2016-04-07 21:36:02 UTC
This bug did not make the OSP 8.0 release. It is being deferred to OSP 10.

Comment 4 Juan Antonio Osorio 2016-10-23 09:02:26 UTC
This should be fixed already.

Comment 5 Juan Antonio Osorio 2016-10-23 09:04:31 UTC
wait, nevermind, I'll take a look.

Comment 14 Martin Lopes 2017-11-02 00:25:04 UTC
Working on release notes entry.

Comment 16 Martin Lopes 2017-11-06 05:57:00 UTC
Discussed with Ozz, closing bug.