Bug 1389165

Summary: Extended Route Validation Breaks Included Templates
Product: OpenShift Container Platform
Reporter: Andrew Block <andrew.block>
Component: Networking
Assignee: Ram Ranganathan <ramr>
Networking sub component: router
QA Contact: zhaozhanqi <zzhao>
Status: CLOSED ERRATA
Docs Contact:
Severity: high
Priority: unspecified
CC: aos-bugs, bbennett, bleanhar, bmeng, eseymour, jkaur, jliggitt, mcurry, ramr, rfoyle, rsoares, stwalter, tdawson, zhezli
Version: 3.3.0
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: The extended certificate validation code (now enabled by default) would not allow some certificates that should be considered valid.
Consequence: Self-signed, expired, or not yet current certificates that were otherwise well-formed would be rejected.
Fix: The extended validation was changed to allow those cases.
Result: Those types of certificates are now allowed.
Story Points: ---
Clone Of:
: 1415280
Environment:
Last Closed: 2017-01-18 12:46:38 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1415280
Attachments:
Jenkins Route (flags: none)

Description Andrew Block 2016-10-27 05:29:19 UTC
Created attachment 1214488
Jenkins Route

Description of problem:

Enabling extended route validation causes built-in OpenShift templates to fail validation and not be admitted to the router.

Version-Release number of selected component (if applicable):
OpenShift Container Platform 3.3.0.32

How reproducible:
Always

Steps to Reproduce:
1. Create a new Test Project (oc new-project jenkins)
2. Enable extended route validation on the router (oc env -n default dc/router EXTENDED_VALIDATION=true)
3. Deploy the jenkins-ephemeral image (oc new-app --template=jenkins-ephemeral)

Actual results:

Application is deployed, but the route has status ExtendedValidationFailed when running "oc get routes"

NAME      HOST/PORT                  PATH      SERVICES   PORT      TERMINATION
jenkins   ExtendedValidationFailed             jenkins    <all>     edge/Redirect

Describing the route provides additional context into why it was not admitted to the router:

# oc describe route jenkins

Name:		jenkins
Namespace:	jenkins
Created:	4 minutes ago
Labels:		app=jenkins-ephemeral
		template=jenkins-ephemeral-template
Annotations:	openshift.io/generated-by=OpenShiftNewApp
		openshift.io/host.generated=true
Requested Host:	jenkins-jenkins.cloudapps-af35.oslab.opentlc.com
		  rejected by router router: ExtendedValidationFailed (4 minutes ago)
		    
  - spec.tls.certificate: Invalid value: "-----BEGIN CERTIFICATE-----\nMIIDIjCCAgqgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBoTELMAkGA1UEBhMCVVMx\nCzAJBgNVBAgMAlNDMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxHDAaBgNVBAoME0Rl\nZmF1bHQgQ29tcGFueSBMdGQxEDAOBgNVBAsMB1Rlc3QgQ0ExGjAYBgNVBAMMEXd3\ndy5leGFtcGxlY2EuY29tMSIwIAYJKoZIhvcNAQkBFhNleGFtcGxlQGV4YW1wbGUu\nY29tMB4XDTE1MDExMjE0MTk0MVoXDTE2MDExMjE0MTk0MVowfDEYMBYGA1UEAwwP\nd3d3LmV4YW1wbGUuY29tMQswCQYDVQQIDAJTQzELMAkGA1UEBhMCVVMxIjAgBgkq\nhkiG9w0BCQEWE2V4YW1wbGVAZXhhbXBsZS5jb20xEDAOBgNVBAoMB0V4YW1wbGUx\nEDAOBgNVBAsMB0V4YW1wbGUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMrv\ngu6ZTTefNN7jjiZbS/xvQjyXjYMN7oVXv76jbX8gjMOmg9m0xoVZZFAE4XyQDuCm\n47VRx5Qrf/YLXmB2VtCFvB0AhXr5zSeWzPwaAPrjA4ebG+LUo24ziS8KqNxrFs1M\nmNrQUgZyQC6XIe1JHXc9t+JlL5UZyZQC1IfaJulDAgMBAAGjDTALMAkGA1UdEwQC\nMAAwDQYJKoZIhvcNAQEFBQADggEBAFCi7ZlkMnESvzlZCvv82Pq6S46AAOTPXdFd\nTMvrh12E1sdVALF1P1oYFJzG1EiZ5ezOx88fEDTW+Lxb9anw5/KJzwtWcfsupf1m\nV7J0D3qKzw5C1wjzYHh9/Pz7B1D0KthQRATQCfNf8s6bbFLaw/dmiIUhHLtIH5Qc\nyfrejTZbOSP77z8NOWir+BWWgIDDB2//3AkDIQvT20vmkZRhkqSdT7et4NmXOX/j\njhPti4b2Fie0LeuvgaOdKjCpQQNrYthZHXeVlOLRhMTSk3qUczenkKTOhvP7IS9q\n+Dzv5hqgSfvMG392KWh5f8xXfJNs4W5KLbZyl901MeReiLrPH3w=\n-----END CERTIFICATE-----": error verifying certificate: x509: certificate has expired or is not yet valid
Path:			<none>
TLS Termination:	edge
Insecure Policy:	Redirect
Endpoint Port:		<all endpoint ports>

Service:	jenkins
Weight:		100 (100%)
Endpoints:	10.1.1.4:8080

Expected results:

The route is created successfully and has been admitted to the router

Additional info:

Comment 1 Jordan Liggitt 2016-10-27 06:11:59 UTC
We want to check well-formedness, but I don't think we want to prevent a route with an expired cert, or a self-signed cert.

Comment 2 Jordan Liggitt 2016-11-01 15:47:46 UTC
Things that should fail extended validation:

* cert/key mismatch
* cert parse error
* key parse error
* ca parse error
Things that should not prevent the route from accepting (but would maybe be nice to warn about in route status via conditions or something):

* expired / not-yet-valid cert (verify haproxy is happy serving with an expired cert)
* self-signed cert / unknown signing authority cert
* mismatch between cert CN/SANs and route host

Things I'm unsure about:
* extended key usage - TLS Server Auth (find out if this breaks routers if not present)
We cannot enable extended validation by default until those last three cases are tolerated... they'll break existing routes
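
The policy Jordan lays out above, written up as an added Go example (it is not the router's code and not the change in PR 11716; the function names, the issuer == subject test used for "self-signed", and the Ed25519 fixture generator are this example's own assumptions): parse failures and a cert/key mismatch reject the route, while expiry, self-signature, and a host the certificate does not cover only produce warnings that could feed route status conditions.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CheckRouteTLS applies the policy from comment 2 (example code, not the router's).
// err is non-nil only for what must fail admission: a certificate, key or CA bundle
// that does not parse, or a key that does not belong to the certificate. warnings
// carries what should only be surfaced in route status and must never block it.
func CheckRouteTLS(certPEM, keyPEM, caPEM, host string, now time.Time) (warnings []string, err error) {
	block, _ := pem.Decode([]byte(certPEM))
	if block == nil {
		return nil, errors.New("spec.tls.certificate: no PEM block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("spec.tls.certificate: %w", err)
	}
	if block, _ = pem.Decode([]byte(keyPEM)); block == nil {
		return nil, errors.New("spec.tls.key: no PEM block found")
	}
	// Accept PKCS#8, SEC 1 (EC) and PKCS#1 (RSA) key encodings.
	key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if err != nil {
		key, err = x509.ParseECPrivateKey(block.Bytes)
	}
	if err != nil {
		key, err = x509.ParsePKCS1PrivateKey(block.Bytes)
	}
	signer, ok := key.(crypto.Signer)
	if err != nil || !ok {
		return nil, errors.New("spec.tls.key: unrecognised or unsupported private key")
	}
	// *ecdsa.PublicKey, *rsa.PublicKey and ed25519.PublicKey all implement Equal.
	pub, ok := cert.PublicKey.(interface{ Equal(crypto.PublicKey) bool })
	if !ok || !pub.Equal(signer.Public()) {
		return nil, errors.New("spec.tls.key: private key does not match spec.tls.certificate")
	}
	// Every block of the CA bundle must parse; no chain is built against it.
	for rest := []byte(caPEM); len(bytes.TrimSpace(rest)) > 0; {
		if block, rest = pem.Decode(rest); block == nil {
			return nil, errors.New("spec.tls.caCertificate: no PEM block found")
		}
		if _, err := x509.ParseCertificate(block.Bytes); err != nil {
			return nil, fmt.Errorf("spec.tls.caCertificate: %w", err)
		}
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		warnings = append(warnings, "certificate has expired or is not yet valid")
	}
	if bytes.Equal(cert.RawIssuer, cert.RawSubject) {
		warnings = append(warnings, "certificate is self-signed") // assumption: issuer == subject
	}
	if herr := cert.VerifyHostname(host); herr != nil {
		warnings = append(warnings, fmt.Sprintf("certificate does not cover route host %q", host))
	}
	return warnings, nil
}

// SelfSignedPEM mints a throwaway self-signed Ed25519 certificate (constructed test input).
func SelfSignedPEM(cn string, notBefore, notAfter time.Time) (certPEM, keyPEM string, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return "", "", err
	}
	keyDER, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return "", "", err
	}
	certPEM = string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
	keyPEM = string(pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER}))
	return certPEM, keyPEM, nil
}

func main() {
	c, k, _ := SelfSignedPEM("www.example.com", time.Now().Add(-48*time.Hour), time.Now().Add(-24*time.Hour))
	fmt.Println(CheckRouteTLS(c, k, "", "jenkins-jenkins.example.com", time.Now()))
}
```

The fixture generator exists only so the check can run offline against constructed input; a router would be handed the route's spec.tls fields instead. Note that the example deliberately never builds a chain against the CA bundle, which is the point of the second list above: an unknown signing authority is something to warn about, not a reason to refuse the route.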

Comment 3 Ram Ranganathan 2016-11-01 23:37:45 UTC
PR: https://github.com/openshift/origin/pull/11716

Comment 4 Ram Ranganathan 2016-11-01 23:37:56 UTC
Fixed in PR: https://github.com/openshift/origin/pull/11716

Comment 5 Ben Bennett 2016-11-09 13:53:05 UTC
*** Bug 1393305 has been marked as a duplicate of this bug. ***

Comment 6 Troy Dawson 2016-11-09 19:54:55 UTC
This has been merged into ose and is in OSE v3.4.0.24 or newer.

Comment 8 zhaozhanqi 2016-11-10 03:38:52 UTC
Verified this bug on:

openshift version
openshift v3.4.0.24+52fd77b
kubernetes v1.4.0+776c994
etcd 3.1.0-rc.0

The jenkins route now appears correctly:

oc get route

jenkins            jenkins-default.1110-z7p.qe.rhcloud.com                      jenkins            <all>              edge/Redirect

and routes with expired certificates are no longer marked 'ExtendedValidationFailed'.

Comment 9 Steven Walter 2016-11-14 18:20:20 UTC
The customer is requesting a backport to 3.2 and would like to know whether one is possible.

Comment 10 Ram Ranganathan 2016-11-17 00:17:41 UTC
@Steven will let Ben answer on that. @Ben ?

The changeset is restricted to one file (the other is just the tests), so the backport is probably not that onerous - it is a couple of releases back though.

Comment 11 Ben Bennett 2016-11-17 21:10:32 UTC
@ram: did 3.2 even have the extended validation?

Comment 12 Ram Ranganathan 2016-11-17 21:43:26 UTC
@Ben, oooh good point - no it didn't.
The PR was circa April 2016 but merged after that, so it was post OSE 3.2 - this PR https://github.com/openshift/origin/pull/8366 would need to be backported as well.

Comment 25 Ram Ranganathan 2017-01-12 22:33:43 UTC
Associated tracker bugs:

3.3: https://bugzilla.redhat.com/show_bug.cgi?id=1412829
3.2: https://bugzilla.redhat.com/show_bug.cgi?id=1412830

Comment 27 errata-xmlrpc 2017-01-18 12:46:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0066

Comment 28 Ed Seymour 2017-02-20 11:53:08 UTC
*** Bug 1424484 has been marked as a duplicate of this bug. ***