Bug 1379841

Summary: Named certificates with SANs cause duplicate name entries when cafile is specified
Product: OpenShift Container Platform
Reporter: Andrew Butcher <abutcher>
Component: Installer
Assignee: Andrew Butcher <abutcher>
Status: CLOSED ERRATA
QA Contact: Wenkai Shi <weshi>
Severity: medium
Docs Contact:
Priority: medium
Version: 3.2.1
CC: aos-bugs, gpei, jokerman, mmccomas
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Previously, named certificates which had matching hostnames in CN and subjectAlternativeNames certificate entries would cause duplicate hostnames to be detected and configured in /etc/origin/master/master-config.yaml. This would cause an error and prevent the master from starting. Duplicate hostnames are now correctly removed from detected certificate names.
Story Points: ---
Clone Of:
Clones: 1379844
Environment:
Last Closed: 2016-10-03 14:53:03 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On:
Bug Blocks: 1379844

Description Andrew Butcher 2016-09-27 20:21:03 UTC
Description of problem:

Certificates configured as named certificates which have matching hostnames in the CN and subjectAlternativeNames fields will cause duplicate name entries to be configured in /etc/origin/master/master-config.yaml when a "cafile" is specified.

Ansible output:
TASK [openshift_master : Start and enable master] ******************************
fatal: [master4.example.com]: FAILED! => {"changed": false, "failed": true, "msg": "Unable to start service atomic-openshift-master: Job for atomic-openshift-master.service failed because the control process exited with error code. See \"systemctl status atomic-openshift-master.se}

Master config section with duplicate names:
  namedCertificates:
  - certFile: /etc/origin/master/named_certificates/master.flibberty-jibbet.com.crt
    keyFile: /etc/origin/master/named_certificates/master.flibberty-jibbet.com.key
    names:
    - "master.flibberty-jibbet.com"
    - "master.flibberty-jibbet.com"
    - "internal-master.flibberty-jibbet.com"

Journal entry from failed master service:
servingInfo.namedCertificates[0].names[1]: Invalid value: "master.flibberty-jibbet.com": this name is already used in another named certificate


Version-Release number of selected component (if applicable):
atomic-openshift-utils-3.2.28-1.git.0.5a85fc5.el7.noarch
openshift-ansible-3.2.28-1.git.0.5a85fc5.el7.noarch
openshift-ansible-docs-3.2.28-1.git.0.5a85fc5.el7.noarch
openshift-ansible-roles-3.2.28-1.git.0.5a85fc5.el7.noarch
openshift-ansible-filter-plugins-3.2.28-1.git.0.5a85fc5.el7.noarch
openshift-ansible-lookup-plugins-3.2.28-1.git.0.5a85fc5.el7.noarch
openshift-ansible-playbooks-3.2.28-1.git.0.5a85fc5.el7.noarch


How reproducible:
Always.


Steps to Reproduce:
1. Create a CA and certificates with the hostname (e.g. master.flibberty-jibbet.com) set as CN and within subjectAlternativeNames.

san.cnf contents:

[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = North Carolina
localityName = Locality Name (eg, city)
localityName_default = Raleigh
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = master.flibberty-jibbet.com
commonName_max = 64

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = master.flibberty-jibbet.com
DNS.2 = internal-master.flibberty-jibbet.com

Commands used to create the certificates (be sure to set CN=master.flibberty-jibbet.com):

openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -days 1024 -subj '/C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./OU=OpenShift/CN=flibberty-jibbet.com/emailAddress=none/' -out ca.crt
openssl genrsa -out master.flibberty-jibbet.com.key 2048
openssl req -new -out master.flibberty-jibbet.com.csr -key master.flibberty-jibbet.com.key -config san.cnf
# sign the CSR with the CA created above (rather than self-signing with -signkey) so that ca.crt is the issuer of the named certificate
openssl x509 -req -days 3650 -in master.flibberty-jibbet.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out master.flibberty-jibbet.com.crt -extensions v3_req -extfile san.cnf

2. Configure host inventory with openshift_master_named_certificates containing certificate, key and CA files.

openshift_master_named_certificates=[{"certfile": "/root/master.flibberty-jibbet.com.crt", "keyfile": "/root/master.flibberty-jibbet.com.key", "cafile": "/root/ca.crt"}]

3. Run openshift-ansible.


Actual results:
Master is unable to start because duplicate names are configured in namedCertificates config section.


Expected results:
Master starts normally (because the list of detected certificate names has been deduped).


Additional info:
The workaround is to set the "names" key in the openshift_master_named_certificates dictionary, which will cause openshift-ansible to _not_ detect names in the configured certificates. Note that openshift_master_overwrite_named_certificates=true must also be set in order to remove older named certificate config sections.
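
The name detection described in this report, rebuilt as an added example (this is not openshift-ansible's own code): a certificate with the CN repeated in its SANs is generated inline, the names are collected naively (CN followed by the DNS SANs, which yields the duplicate entry from this bug) and then with repeats removed as the fix does. It assumes only the openssl CLI; the san.cnf and all hostnames are constructed to mirror the reproduction steps above.

```shell
#!/bin/sh
# Added example, not openshift-ansible's own code: rebuild the certificate name
# detection that fills the "names:" list of a named certificate, first naively
# (subject CN followed by the DNS SANs, which reproduces the duplicate entry in
# this bug) and then with repeats removed as the fix does. Assumes only the
# openssl CLI; the certificate and its san.cnf are constructed inline.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed certificate whose CN is repeated in subjectAltName (constructed).
make_cert() {
    cat > "$WORK/san.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = master.flibberty-jibbet.com
[ v3_req ]
basicConstraints = CA:FALSE
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = master.flibberty-jibbet.com
DNS.2 = internal-master.flibberty-jibbet.com
EOF
    openssl req -x509 -new -nodes -newkey rsa:2048 -keyout "$WORK/master.key" \
        -out "$WORK/master.crt" -days 1 -config "$WORK/san.cnf" \
        -extensions v3_req >/dev/null 2>&1
    echo "$WORK/master.crt"
}

# Naive detection: subject CN, then every DNS SAN in certificate order.
raw_names() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
        | tail -n 1 | tr ',' '\n' | sed -n 's/^ *DNS:\([^ ]*\).*/\1/p'
}

# Fixed detection: same list, repeats dropped, first occurrence kept.
unique_names() { raw_names "$1" | awk '!seen[$0]++'; }

# Render the list as it appears under namedCertificates in master-config.yaml.
names_yaml() { echo "    names:"; unique_names "$1" | sed 's/.*/    - "&"/'; }

CRT=$(make_cert)
echo "naive detection (CN duplicated):"; raw_names "$CRT"
echo "deduplicated config:"; names_yaml "$CRT"
```

Pointing raw_names at an existing named certificate and comparing its output with unique_names is a quick way to check whether a given certificate would have triggered the duplicate-name validation error on an unfixed installer.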

Comment 1 Scott Dodson 2016-09-27 20:23:54 UTC
Fixed in master then picked into release-1.3 https://github.com/openshift/openshift-ansible/pull/2510

Comment 3 Wenkai Shi 2016-09-29 11:19:29 UTC
Verified this bug with openshift-ansible-3.3.28.1.git.0.762256b.el7.

Prepared the named certificates as required:
ca.crt  master.example.com.crt  master.example.com.key

The result is listed here:

[root@local-vm ~]#  openssl x509 -in master.example.com.crt -text
Certificate:
...
        Subject: C=US, ST=North Carolina, L=Raleigh, OU=OpenShift, CN=master.example.com
...
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name: 
                DNS:master.example.com, DNS:internal-master.example.com
...

[root@master ~]# cat /etc/origin/master/master-config.yaml
...
  namedCertificates:
  - certFile: /etc/origin/master/named_certificates/master.example.com.crt
    keyFile: /etc/origin/master/named_certificates/master.example.com.key
    names:
    - "internal-master.example.com"
    - "master.example.com"
...

Comment 5 errata-xmlrpc 2016-10-03 14:53:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1983