Bug 1379844

Summary: Named certificates with SANs cause duplicate name entries when cafile is specified
Product: OpenShift Container Platform
Reporter: Scott Dodson <sdodson>
Component: Installer
Assignee: Andrew Butcher <abutcher>
Status: CLOSED ERRATA
QA Contact: Wenkai Shi <weshi>
Severity: medium
Docs Contact:
Priority: medium
Version: 3.2.1
CC: abutcher, aos-bugs, gpei, jialiu, jokerman, mmccomas
Target Milestone: ---
Target Release: 3.2.1
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Previously, named certificates which had matching hostnames in CN and subjectAlternativeNames certificate entries would cause duplicate hostnames to be detected and configured in /etc/origin/master/master-config.yaml. This would cause an error and prevent the master from starting. Duplicate hostnames are now correctly removed from detected certificate names.
Story Points: ---
Clone Of: 1379841
Environment:
Last Closed: 2016-10-03 14:52:09 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 1379841
Bug Blocks:

Description Scott Dodson 2016-09-27 20:24:34 UTC
+++ This bug was initially created as a clone of Bug #1379841 +++

Description of problem:

Certificates configured as named certificates which have matching hostnames in CN and subjectAlternativeNames fields will cause duplicate name entries to be configured in /etc/origin/master/master-config.yaml when a "cafile" is specified.

Ansible output:
TASK [openshift_master : Start and enable master] ******************************
fatal: [master4.example.com]: FAILED! => {"changed": false, "failed": true, "msg": "Unable to start service atomic-openshift-master: Job for atomic-openshift-master.service failed because the control process exited with error code. See \"systemctl status atomic-openshift-master.se}

Master config section with duplicate names:
  namedCertificates:
  - certFile: /etc/origin/master/named_certificates/master.flibberty-jibbet.com.crt
    keyFile: /etc/origin/master/named_certificates/master.flibberty-jibbet.com.key
    names:
    - "master.flibberty-jibbet.com"
    - "master.flibberty-jibbet.com"
    - "internal-master.flibberty-jibbet.com"

Journal entry from failed master service:
servingInfo.namedCertificates[0].names[1]: Invalid value: "master.flibberty-jibbet.com": this name is already used in another named certificate


Version-Release number of selected component (if applicable):
atomic-openshift-utils-3.2.28-1.git.0.5a85fc5.el7.noarch
openshift-ansible-3.2.28-1.git.0.5a85fc5.el7.noarch
openshift-ansible-docs-3.2.28-1.git.0.5a85fc5.el7.noarch
openshift-ansible-roles-3.2.28-1.git.0.5a85fc5.el7.noarch
openshift-ansible-filter-plugins-3.2.28-1.git.0.5a85fc5.el7.noarch
openshift-ansible-lookup-plugins-3.2.28-1.git.0.5a85fc5.el7.noarch
openshift-ansible-playbooks-3.2.28-1.git.0.5a85fc5.el7.noarch


How reproducible:
Always.


Steps to Reproduce:
1. Create CA and certificates with hostname (e.g. master.flibberty-jibbet.com) set as CN and within subjectAlternativeNames.

san.cnf contents:

[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = North Carolina
localityName = Locality Name (eg, city)
localityName_default = Raleigh
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = master.flibberty-jibbet.com
commonName_max        = 64

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = master.flibberty-jibbet.com
DNS.2 = internal-master.flibberty-jibbet.com

Commands used to create certificates (be sure to set CN=master.flibberty-jibbet.com):

openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -days 1024 -subj '/C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./OU=OpenShift/CN=flibberty-jibbet.com/emailAddress=none/' -out ca.crt
openssl genrsa -out master.flibberty-jibbet.com.key 2048
openssl req -new -out master.flibberty-jibbet.com.csr -key master.flibberty-jibbet.com.key -config san.cnf
openssl x509 -req -days 3650 -in master.flibberty-jibbet.com.csr -signkey master.flibberty-jibbet.com.key -out master.flibberty-jibbet.com.crt -extensions v3_req -extfile san.cnf

2. Configure host inventory with openshift_master_named_certificates containing certificate, key and CA files.

openshift_master_named_certificates=[{"certfile": "/root/master.flibberty-jibbet.com.crt", "keyfile": "/root/master.flibberty-jibbet.com.key", "cafile": "/root/ca.crt"}]

3. Run openshift-ansible.


Actual results:
Master is unable to start because duplicate names are configured in namedCertificates config section.


Expected results:
Master starts normally (because the list of detected certificate names has been deduped).


Additional info:
Workaround is to set the "names" key in the openshift_master_named_certificate dictionary which will cause openshift-ansible to _not_ detect names in configured certificates. Note that openshift_master_overwrite_named_certificates=true must also be set in order to remove older named certificate config sections.

--- Additional comment from Scott Dodson on 2016-09-27 16:23:54 EDT ---

Fixed in master then picked into release-1.3 https://github.com/openshift/openshift-ansible/pull/2510
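
The name-detection and deduplication behaviour this report describes, as an added example that is not code from openshift-ansible, from the linked pull requests, or from the reporter. It parses a constructed `openssl x509 -text` excerpt (modelled on the one in the verification comment), reproduces the duplicate-name rejection the master performs, and shows the same certificate passing once names are deduplicated. The order-preserving dedup, the shape of the error string and the helper names (`extract_names`, `dedupe_names`, `named_certificate_entry`, `validate_named_certificates`) are assumptions of this example, not the installer's or the master's actual implementation.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on the `openssl x509 -text` output quoted in this
# bug report: the CN also appears as the first SAN entry, which is what produced
# the duplicate name entries in master-config.yaml.
SAMPLE_CERT_TEXT = """\
Certificate:
    Data:
        Subject: C=US, ST=North Carolina, L=Raleigh, OU=OpenShift, CN=master.example.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Alternative Name:
                DNS:master.example.com, DNS:internal-master.example.com
"""


def extract_names(cert_text: str) -> List[str]:
    """Collect the hostnames a certificate is valid for: the subject CN first,
    then every DNS entry of the Subject Alternative Name extension.
    Duplicates are deliberately kept so the caller can see the raw result."""
    names: List[str] = []
    cn = re.search(r"^\s*Subject:.*?\bCN=([^,/\n]+)", cert_text, re.MULTILINE)
    if cn:
        names.append(cn.group(1).strip())
    san = re.search(r"Subject Alternative Name:[ \t]*\n\s*(.+)", cert_text)
    if san:
        for entry in san.group(1).split(","):
            entry = entry.strip()
            if entry.startswith("DNS:"):
                names.append(entry[len("DNS:"):])
    return names


def dedupe_names(names: List[str]) -> List[str]:
    """Remove exact duplicates while keeping first-seen order (assumed here;
    the ordering chosen by the actual fix may differ)."""
    seen = set()
    unique: List[str] = []
    for name in names:
        if name not in seen:
            seen.add(name)
            unique.append(name)
    return unique


def named_certificate_entry(cert_text: str, cert_file: str, key_file: str) -> Dict:
    """Build one namedCertificates entry with the detected names deduplicated
    before they are written to master-config.yaml (hypothetical helper)."""
    return {
        "certFile": cert_file,
        "keyFile": key_file,
        "names": dedupe_names(extract_names(cert_text)),
    }


def validate_named_certificates(entries: List[Dict]) -> List[str]:
    """Model of the master's start-up check: a name may be claimed by only one
    namedCertificates entry. Returns error strings shaped like the journal entry
    quoted in the report; an empty list means the config would be accepted."""
    used = set()
    errors: List[str] = []
    for i, entry in enumerate(entries):
        for j, name in enumerate(entry["names"]):
            if name in used:
                errors.append(
                    f'servingInfo.namedCertificates[{i}].names[{j}]: Invalid value: '
                    f'"{name}": this name is already used in another named certificate'
                )
            used.add(name)
    return errors


if __name__ == "__main__":
    raw = extract_names(SAMPLE_CERT_TEXT)
    print("raw names:", raw)
    # Reproduces the failure: the un-deduplicated list is rejected.
    print(validate_named_certificates([{"names": raw}]))
    # With deduplication the same certificate passes the check.
    fixed = named_certificate_entry(
        SAMPLE_CERT_TEXT,
        "/etc/origin/master/named_certificates/master.example.com.crt",
        "/etc/origin/master/named_certificates/master.example.com.key",
    )
    print(fixed, validate_named_certificates([fixed]))
```

Running the block prints the raw list `['master.example.com', 'master.example.com', 'internal-master.example.com']`, the single `names[1]` rejection that mirrors the journal entry in the report, and then the deduplicated entry with an empty error list. The same validator also catches the cross-certificate case (two namedCertificates entries claiming one hostname), which is why the workaround of setting "names" by hand still needs care.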

Comment 1 Scott Dodson 2016-09-27 20:25:27 UTC
Backported to release-1.2 https://github.com/openshift/openshift-ansible/pull/2509

Comment 3 Gaoyun Pei 2016-09-29 11:12:38 UTC
Verify this bug with openshift-ansible-3.2.33-1.git.0.899bad8.el7.noarch.rpm

Prepare named certificates as required:
ca.crt  master.example.com.crt  master.example.com.key

[root@jenkins-slave-1 slave1]# openssl x509 -in master.example.com.crt -text
Certificate:
...
        Subject: C=US, ST=North Carolina, L=Raleigh, OU=OpenShift, CN=master.example.com
...
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name: 
                DNS:master.example.com, DNS:internal-master.example.com

master.example.com is shown in both the CN and subjectAlternativeNames fields.

During installation, master was configured correctly in master-config.yaml, and installation was successful.

  namedCertificates:
  - certFile: /etc/origin/master/named_certificates/master.example.com.crt
    keyFile: /etc/origin/master/named_certificates/master.example.com.key
    names:
    - "internal-master.example.com"
    - "master.example.com"

Comment 5 errata-xmlrpc 2016-10-03 14:52:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1984