Bug 1446046

Summary: glusterd: TLS verification fails when using intermediate CA instead of self-signed certificates
Product: [Red Hat Storage] Red Hat Gluster Storage Reporter: Siddharth Sharma <sisharma>
Component: coreAssignee: Mohit Agrawal <moagrawa>
Status: CLOSED ERRATA QA Contact: Bala Konda Reddy M <bmekala>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rhgs-3.2CC: amukherj, atumball, mchangir, moagrawa, rcyriac, rhinduja, rhs-bugs, sheggodu, sisharma, srmukher, storage-qa-internal, vbellur, yjog
Target Milestone: ---   
Target Release: RHGS 3.4.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: ssl
Fixed In Version: glusterfs-3.12.2-7 Doc Type: If docs needed, set a value
Doc Text:
Earlier to configure ssl-cert-depth option parameter needs to set in /etc/glusterfs/glusterd.vol but after apply the patch parameter (transport.socket.ssl-cert-depth) needs to be set in /var/lib/glusterd/secure-access. This parameter is useful only while management Secure Sockets Layer is enabled.
 Story Points: ---
Clone Of:
: 1555154 (view as bug list) Environment:
Last Closed: 2018-09-04 06:32:03 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1555154    
Bug Blocks: 1503134    

Comment 25 Bala Konda Reddy M 2018-08-23 15:04:49 UTC 
Build: 3.12.2-16

1. On a three glusterd nodes stopped the glusterd
2. Added the root ca and intermediate ca to glusterfs.ca to /etc/ssl/glusterfs.ca
3. copied root ca, ~]# rca.crt /etc/pki/ca-trust/source/anchors on all the gluster nodes
4. Updated the certs ~]# update-ca-trust
5. Created secure-access file in /var/lib/glusterd/secure-access and added the "option transport.socket.ssl-cert-depth 2"
6. Started glusterd.
7. Performed peer probe, created volume, started and mounted ran iozone.
8. Tried to mounted on non-ssl nodes, it failed as expected
9. Tried to peer probe to non-ssl nodes, it failed as expected

Hence moving to verified
Comment 27 errata-xmlrpc 2018-09-04 06:32:03 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:2607
Comment 28 Red Hat Bugzilla 2023-09-14 03:57:04 UTC 
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days