Bug 1382824

Summary: SSL update not working
Product: OpenShift Online
Reporter: Jack <jack>
Component: Routing
Assignee: Rory Thrasher <rthrashe>
Status: CLOSED NOTABUG
QA Contact: zhaozhanqi <zzhao>
Severity: urgent
Priority: unspecified
Version: 2.x
CC: agrimm, aos-bugs, jokerman, mmccomas, rthrashe
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: All   
Last Closed: 2016-10-10 20:30:41 UTC
Type: Bug
Attachments: combined.pem file (flags: none)

Description Jack 2016-10-07 20:16:09 UTC
Description of problem:
Trying to update SSL certificate and while it claims success I still get errors when trying to enter the site http://truthmapping.com
The site is blocked.


Version-Release number of selected component (if applicable):


How reproducible:
Very


Steps to Reproduce:
1. Got cert info from SSL.com

2. Concatenated all cert files in order specified by ssl.com:
cat truthmapping_com.crt SSLcomDVCA_2.crt USERTrustRSAAddTrustCA.crt AddTrustExternalCARoot.crt > combined.pem

3. Installed as instructed:
rhc alias update-cert live truthmapping.com --certificate combined.pem --private-key truthmapping.com.key --passphrase PHRASE

Got this result: SSL certificate successfully added.

4. rhc app restart live

5. Still claims site has expired:
http://www.ssltools.com/?url=www.truthmapping.com

Please see this bug for very similar issues that this same site had 2 years ago:
https://bugzilla.redhat.com/show_bug.cgi?id=1149901



Expected results:


Additional info:

Comment 1 Jack 2016-10-07 21:50:31 UTC

Spoke with SSL.com and they said that my Apache is referencing the old SSL certificate and that the Apache httpd.conf file needs to be modified to point to the new certificate. Do I need to do that in some way?

Comment 2 Rory Thrasher 2016-10-07 22:43:18 UTC
Hi Jack,

I'm going to get operations to look at your account and see if there's anything in the logs that points to a false success from rhc.  The `rhc alias update-cert` command you used looks correct and should update to use the new cert.

Can you upload your combined.pem so I can make sure it is valid?

Comment 3 Jack 2016-10-07 22:46:38 UTC
Created attachment 1208271
combined.pem file

Attaching pem file as Rory requested.

Comment 4 Jack 2016-10-07 22:47:28 UTC
Rory, what about Comment 2? 
https://bugzilla.redhat.com/show_bug.cgi?id=1382824#c2

Comment 5 Jack 2016-10-07 22:48:38 UTC
Sorry, meant what about Comment 1?

Comment 6 Rory Thrasher 2016-10-07 23:28:21 UTC
For Comment 1, that should be taken care of by rhc.

I think you're adding some certs that shouldn't be in the intermediate chain when you are creating combined.pem.

Can you try `cat truthmapping_com.crt SSLcomDVCA_2.crt > combined.pem` and then using rhc to update using that file?

Comment 7 Jack 2016-10-08 00:16:39 UTC
Tried just the two .crts in the pem file, installed (claimed success), restarted and no change in the result.

Comment 8 Jack 2016-10-10 15:34:16 UTC
Other thoughts?  The site currently has an expired certificate.  Thanks.

Comment 9 Andy Grimm 2016-10-10 17:12:47 UTC
It looks like you updated the certificate for truthmapping.com, but not www.truthmapping.com -- the url having the problem is the latter.

Comment 10 Jack 2016-10-10 19:54:07 UTC
Adding the www. is all that it needed.  Thanks!

Comment 11 Rory Thrasher 2016-10-10 20:30:41 UTC
Glad to hear it's working!  I'm going to go ahead and close this bug - please feel free to reopen it if need be.
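
Comment 9 traces the failure to the certificate having been updated for truthmapping.com but not for www.truthmapping.com. The check below is an added example, not part of the original bug thread and not part of rhc: it handshakes with every alias using SNI and lists any name still serving a certificate that fails verification or is close to expiry. The function names and the 14-day warning threshold are assumptions.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone


def probe(hostname, port=443, timeout=5.0):
    """Handshake with SNI set to `hostname`; return (status, detail).

    "ok" carries the notAfter of the served leaf; "verify-failed" carries
    OpenSSL's reason (for example "certificate has expired").
    """
    ctx = ssl.create_default_context()  # checks chain, validity dates, hostname
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                return ("ok", tls.getpeercert()["notAfter"])
    except ssl.SSLCertVerificationError as exc:
        return ("verify-failed", exc.verify_message)
    except OSError as exc:  # DNS failure, refused connection, timeout
        return ("unreachable", str(exc))


def days_left(not_after, now=None):
    """Whole days until a getpeercert()-style notAfter string (negative if past)."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    return (expires - now).days


def stale_aliases(results, now=None, warn_days=14):
    """Hostnames whose served certificate is not verifiably valid for warn_days more."""
    bad = []
    for host, (status, detail) in results.items():
        if status != "ok" or days_left(detail, now) < warn_days:
            bad.append(host)
    return sorted(bad)


if __name__ == "__main__":
    # Pass every alias the application answers on: the apex name and the www name.
    results = {host: probe(host) for host in sys.argv[1:]}
    for host, (status, detail) in results.items():
        print(f"{host}: {status}: {detail}")
    sys.exit(1 if stale_aliases(results) else 0)
```

Run it after each certificate update with all alias names as arguments; a non-zero exit means at least one name is still serving a stale or invalid certificate.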