Bug 1449084

Summary: Can't connect to engine web ui with chrome 58 (due to missing subjectAltName)
Product: [oVirt] ovirt-engine
Reporter: Daniel Erez <derez>
Component: Setup.Engine
Assignee: Dominik Holler <dholler>
Status: CLOSED CURRENTRELEASE
QA Contact: Jiri Belka <jbelka>
Severity: high
Docs Contact:
Priority: high
Version: 4.1.1
CC: amarchuk, amureini, bugs, danken, dholler, didi, lsvaty, mkalinin, nsoffer, rhev-integ, sborella
Target Milestone: ovirt-4.1.2
Flags: rule-engine: ovirt-4.1+, rule-engine: blocker+, lsvaty: testing_ack+
Target Release: 4.1.2.2
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Google Chrome 58 does not accept certificates without the attribute subjectAlternativeName properly defined.
Consequence: Google Chrome displays in the browser: "This server could not prove that it is ...; its security certificate is from [missing_subjectAltName]."
Fix: During a new installation of oVirt, the certificates generated by engine-setup define the attribute subjectAlternativeName properly.
Result: Google Chrome version 58 can be used to access the oVirt engine's web user interface over HTTPS.
Story Points: ---
Clone Of:
: 1450293
Environment:
Last Closed: 2017-05-23 08:11:29 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Integration
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1430598, 1449503, 1450293, 1450629

Description Daniel Erez 2017-05-09 08:20:36 UTC
Description of problem:
Latest Chrome (> 58.0.3029) refuses to accept engine's certificate since subjectAltName is missing.

Error displayed in browser: "This server could not prove that it is ...; its security certificate is from [missing_subjectAltName]."

Version-Release number of selected component (if applicable):
4.1

How reproducible:
100%

Steps to Reproduce:
1. Import certificate in Chrome from: http://<engine_url>/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA 
2. Navigate to the WebAdmin

Additional info:
* The issue blocks upload image feature, as we require a secured connection for uploading from the browser.
* A suggested fix is already available at: https://gerrit.ovirt.org/#/c/74614/

Comment 1 Red Hat Bugzilla Rules Engine 2017-05-09 08:21:15 UTC
Target release should be placed once a package build is known to fix an issue. Since this bug is not modified, the target version has been reset. Please use target milestone to plan a fix for an oVirt release.

Comment 2 Yedidyah Bar David 2017-05-10 06:45:50 UTC
There seems to be a workaround for Chrome, for the time being:

https://www.chromium.org/administrators/policy-list-3#EnableCommonNameFallbackForLocalAnchors

See also:

https://www.chromium.org/administrators/linux-quick-start

Didn't try it myself.

Comment 3 Dominik Holler 2017-05-10 14:49:52 UTC
The two changes 76656 and 74614 ensure that the following certificates are generated with subjectAltName set: engine name=jboss name=websocket-proxy name=apache name=reports name=imageio-proxy name=ovn-ndb name=ovn-sdb name=ovirt-provider-ovn
but NOT vmconsole-proxy-helper vmconsole-proxy-user vmconsole-proxy-host.

If the vmconsole certificates require the subjectAltName, further action is required.

No renewal of the certificates is enforced during an upgrade.

The certificate file in the file system could be re-signed and this way extended with subjectAltName by:
share/ovirt-engine/bin/pki-enroll-request.sh --name=jboss --subject=/C=US/O=Test/CN=$HOSTNAME --days=356 --san=DNS:$HOSTNAME
but I do not know how the engine could be forced to use the new file.

Comment 4 Sandro Bonazzola 2017-05-10 15:36:35 UTC
(In reply to Dominik Holler from comment #3)

> No renew of the certificates is enforced during an upgrade.
> 
> The certificate file in file system could resigned and this way extended by
> subjectAltName by: 
> share/ovirt-engine/bin/pki-enroll-request.sh --name=jboss
> --subject=/C=US/O=Test/CN=$HOSTNAME --days=356 --san=DNS:$HOSTNAME
> but I do not know how engine could be forced to use the new file.

didi any insight on this?

Comment 5 Yedidyah Bar David 2017-05-11 13:45:05 UTC
(In reply to Sandro Bonazzola from comment #4)
> (In reply to Dominik Holler from comment #3)
> 
> > No renew of the certificates is enforced during an upgrade.
> > 
> > The certificate file in file system could resigned and this way extended by
> > subjectAltName by: 
> > share/ovirt-engine/bin/pki-enroll-request.sh --name=jboss
> > --subject=/C=US/O=Test/CN=$HOSTNAME --days=356 --san=DNS:$HOSTNAME
> > but I do not know how engine could be forced to use the new file.
> 
> didi any insight on this?

I suggest using pki-enroll-pkcs12.sh and not pki-enroll-request.sh; the latter is designed to enroll an existing request. It will work, because we do not remove the requests, but since nothing ever uses them and we do not track them, it is perhaps better to recreate.

Tried this and it seems to work:

name=apache

subject="$(openssl x509 -in /etc/pki/ovirt-engine/certs/"${name}".cer -noout -subject | sed 's;subject= \(.*\);\1;')"

. /usr/share/ovirt-engine/bin/engine-prolog.sh

/usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh --name="${name}" --password=mypass --subject="${subject}" --keep-key --san=DNS:"${ENGINE_FQDN}"

systemctl restart httpd

Verified that Firefox sees the subject alt name, didn't try with Chrome.
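
As an added illustration, not part of this bug or the oVirt sources: the SAN-only hostname check Chrome 58 applies, written in Python over the dictionary shape `ssl.SSLSocket.getpeercert()` returns. The two certificates are constructed samples (ENGINE_FQDN is a placeholder), one like the original CN-only apache.cer and one re-enrolled with --san=DNS:<fqdn> as above; the cn_fallback flag models the EnableCommonNameFallbackForLocalAnchors policy from comment 2.

```python
# Added example (not oVirt code): the SAN-only hostname check Chrome 58
# introduced, over the dict shape ssl.SSLSocket.getpeercert() returns.
# ENGINE_FQDN is a placeholder; both certificates are constructed samples.
ENGINE_FQDN = "engine.example.test"

# Pre-fix engine-setup certificate: subject CN only, no subjectAltName.
CERT_CN_ONLY = {
    "subject": ((("countryName", "US"),), (("organizationName", "Test"),),
                (("commonName", ENGINE_FQDN),)),
}
# The same certificate re-enrolled with --san=DNS:<fqdn> as in comment 5.
CERT_WITH_SAN = dict(CERT_CN_ONLY, subjectAltName=(("DNS", ENGINE_FQDN),))


def dns_name_matches(pattern, hostname):
    """RFC 6125-style match: case-insensitive; a wildcard is allowed only as
    the whole left-most label, needs two more labels, and never spans a dot."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def check_hostname(cert, hostname, cn_fallback=False):
    """Return (accepted, reason) as Chrome 58 decides it.

    With a subjectAltName present the subject CN is ignored entirely; with
    no subjectAltName the certificate is rejected as missing_subjectAltName.
    cn_fallback=True models the EnableCommonNameFallbackForLocalAnchors
    policy from comment 2, which Chrome only honours for certificates that
    chain to a locally installed CA (the imported oVirt CA qualifies)."""
    san = cert.get("subjectAltName")
    if san is not None:
        dns_names = [value for kind, value in san if kind == "DNS"]
        if any(dns_name_matches(name, hostname) for name in dns_names):
            return True, "subjectAltName DNS entry matches"
        return False, "subjectAltName present but no DNS entry matches"
    if not cn_fallback:
        return False, "missing_subjectAltName"
    cn = next((value for rdn in cert.get("subject", ())
               for key, value in rdn if key == "commonName"), None)
    if cn is not None and dns_name_matches(cn, hostname):
        return True, "no subjectAltName; CN matched under legacy fallback policy"
    return False, "no subjectAltName and CN does not match"
```

To run it against a live engine, load the oVirt CA into an `ssl.SSLContext` with `load_verify_locations`, wrap a socket with `server_hostname` set to the engine FQDN, and pass the result of `getpeercert()` to check_hostname.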

Comment 6 Yedidyah Bar David 2017-05-11 13:45:53 UTC
Also, it might make sense to have SAN default to the CN part of the subject, so that the user does not have to pass it. Perhaps we need another bug for this.

Comment 7 Sandro Bonazzola 2017-05-12 07:29:27 UTC
(In reply to Yedidyah Bar David from comment #6)
> Also, it might make sense to have SAN default to the CN part of subject, so
> that user does not have to pass it. Perhaps we need another bug for this.

Please open one

Comment 8 rhev-integ 2017-05-12 15:10:29 UTC
INFO: Bug status wasn't changed from MODIFIED to ON_QA due to the following reason:

[Tag 'ovirt-engine-4.1.2' doesn't contain patch 'https://gerrit.ovirt.org/76656']
gitweb: https://gerrit.ovirt.org/gitweb?p=ovirt-engine.git;a=shortlog;h=refs/tags/ovirt-engine-4.1.2

For more info please contact: infra

Comment 9 Sandro Bonazzola 2017-05-13 09:16:10 UTC
(In reply to rhev-integ from comment #8)
> INFO: Bug status wasn't changed from MODIFIED to ON_QA due to the following
> reason:
> 
> [Tag 'ovirt-engine-4.1.2' doesn't contain patch

Wrong tag, please re-run on ovirt-engine-4.1.2.2

> 'https://gerrit.ovirt.org/76656']
> gitweb:
> https://gerrit.ovirt.org/gitweb?p=ovirt-engine.git;a=shortlog;h=refs/tags/
> ovirt-engine-4.1.2
> 
> For more info please contact: infra

Comment 10 Anton Marchukov 2017-05-13 09:56:54 UTC
Moving to ON_QA as the patch for this bug is included in the ovirt-engine-4.1.2.2 tag from which the engine was built.

Comment 11 Yedidyah Bar David 2017-05-14 06:14:10 UTC
(In reply to Sandro Bonazzola from comment #7)
> (In reply to Yedidyah Bar David from comment #6)
> > Also, it might make sense to have SAN default to the CN part of subject, so
> > that user does not have to pass it. Perhaps we need another bug for this.
> 
> Please open one

Done, bug 1450629.

Comment 13 Jiri Belka 2017-05-15 15:33:22 UTC
ok, tested with google-chrome-stable-58.0.3029.110-1.x86_64 (no info about missing_subjectAltName).

# openssl x509 -in /etc/pki/ovirt-engine/certs/apache.cer -text -noout | grep -A 1 'Subject Alternative Name'
            X509v3 Subject Alternative Name: 
                DNS:jbelka-vm1.rhev.lab.eng.brq.redhat.com

[root@jbelka-vm1 ~]# rpm -q ovirt-engine
ovirt-engine-4.1.2.2-0.1.el7.noarch

Comment 15 Red Hat Bugzilla 2023-09-14 03:57:27 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days