Bug 1412830

Summary: [3.2] Extended Route Validation Breaks Included Templates
Product: OpenShift Container Platform Reporter: Ram Ranganathan <ramr>
Component: NetworkingAssignee: Ram Ranganathan <ramr>
Networking sub component: router QA Contact: zhaozhanqi <zzhao>
Status: CLOSED ERRATA Docs Contact:
Severity: high    
Priority: high CC: aos-bugs, bleanhar, bmeng, erich, stwalter
Version: 3.2.1   
Target Milestone: ---   
Target Release: 3.2.1   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Cause: The extended certificate validation code (now enabled by default) would not allow some certificates that should be considered valid. Consequence: Self-signed, expired, or not yet current certificates that were otherwise well-formed would be rejected. Fix: The extended validation was changed to allow those cases. Result: Those types of certificates are now allowed.
 Story Points: ---
Clone Of:
: 1465059 (view as bug list) Environment:
Last Closed: 2017-01-26 20:43:41 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1465059    

Description Ram Ranganathan 2017-01-12 22:32:38 UTC 
Backport fixes for bugz https://bugzilla.redhat.com/show_bug.cgi?id=1389165 to 3.2
Comment 2 zhaozhanqi 2017-01-19 09:32:32 UTC 
QE did the testing with ose-haproxy-router:v3.2.1.22

this bug should be fixed

and also did some regression testing for haproxy, no issue found.
Comment 3 zhaozhanqi 2017-01-19 09:34:09 UTC 
sorry, typo

the version should be 'openshift3/ose-haproxy-router:v3.2.1.23'
Comment 4 Eric Rich 2017-01-20 16:18:54 UTC 
If you look at https://access.redhat.com/containers/#/tags/57ea8d0a9c624c035f96f452 this image has not been pushed to the container registry via an errata.
Comment 9 Meng Bo 2017-01-24 08:36:16 UTC 
Tested on OCP 3.2.1.23 with router image b887c3dfe886

The edge route with expired cert can be created successfully.

# oc get route 
NAME      HOST/PORT                                 PATH      SERVICE   TERMINATION     LABELS
jenkins   jenkins-bmengp1.0124-1xt.qe.rhcloud.com             jenkins   edge/Redirect   template=jenkins-ephemeral-template

# openssl x509 -in cert.crt -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=SC, L=Default City, O=Default Company Ltd, OU=Test CA, CN=www.exampleca.com/emailAddress=example
        Validity
            Not Before: Jan 12 14:19:41 2015 GMT
            Not After : Jan 12 14:19:41 2016 GMT
        Subject: CN=www.example.com, ST=SC, C=US/emailAddress=example, O=Example, OU=Example
Comment 11 errata-xmlrpc 2017-01-26 20:43:41 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0199