Bug 1408129
| Summary: | [Backport] Change haproxy router to use a certificate list/map file. | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Carsten Lichy-Bittendorf <clichybi> |
| Component: | Networking | Assignee: | Ram Ranganathan <ramr> |
| Networking sub component: | router | QA Contact: | zhaozhanqi <zzhao> |
| Status: | CLOSED ERRATA | Docs Contact: | |
| Severity: | medium | ||
| Priority: | medium | CC: | aos-bugs, bbennett, bperkins, knakayam, ramr, sjr, tdawson |
| Version: | 3.3.0 | ||
| Target Milestone: | --- | ||
| Target Release: | 3.3.1 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: |
Previously, the haproxy router config used to specify the directory from where certificates would be used for serving. Based on the SNI header, haproxy would pick up the first certificate that matched the secure request and use that as the serving certificate. This was an indeterministic method if multiple routes specified the same certificate/expired versions of the same certificate. The backport/fix now uses a new map and serves the certificate based on the SNI header/host in a deterministic fashion.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-02-22 18:10:43 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Carsten Lichy-Bittendorf
2016-12-22 08:50:44 UTC
Backported https://github.com/openshift/origin/pull/11217 to OSE 3.3 The OSE 3.3 specific PR is: https://github.com/openshift/ose/pull/578 since this PR https://github.com/openshift/ose/pull/578 has not been merged. so mark this bug to 'assigned' for now. feel free to change back to 'ON_QA' once it is merged to OCP 3.3 This has been merged into ocp and is in OCP v3.3.1.13 or newer. hi, tested this bug on OCP v3.3.1.13 , the router cannot be running with the following logs. E0209 07:13:26.497584 1 ratelimiter.go:52] error creating config file /var/lib/haproxy/conf/cert_config.map: open /var/lib/haproxy/conf/cert_config.map: permission denied @Troy, that looks the Dockerfile changes were not picked up. There is a change to the Dockerfile to touch/create the cert_config.map file. Thx @Ram You are correct. I'm sorry about that. I have updated the Dockerfile, making sure it's correct and rebuilt the image. openshift3/ose-haproxy-router:v3.3.1.13-3 It should be available in all the usual testing areas. Verified this bug on 3.3.1.13 with haproxy image id(726deac0cf76), it works well steps: 1. Create app and edge/reencrypt route with custom cert 2. Check the route can work well 3. check the cert_config.map in haproxy pod cat cert_config.map /var/lib/haproxy/router/certs/z1_reencrypt-route-no-path.pem reen.example.com /var/lib/haproxy/router/certs/z1_edge-route-no-path.pem edge.example.com Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:0289 *** Bug 1428233 has been marked as a duplicate of this bug. *** |