Bug 1450293

Summary: After upgrade still can't connect to engine web ui with chrome 58 (due to missing subjectAltName)
Product: [oVirt] ovirt-engine Reporter: Dominik Holler <dholler>
Component: Setup.Engine    Assignee: Yedidyah Bar David <didi>
Status: CLOSED CURRENTRELEASE QA Contact: Jiri Belka <jbelka>
Severity: high Docs Contact:
Priority: high    
Version: 4.1.1    CC: amureini, apinnick, bugs, danken, derez, dholler, didi, jbelka, lsvaty, mkalinin, nsoffer, pstehlik, rhodain, stirabos, ylavi
Target Milestone: ovirt-4.1.4    Flags: rule-engine: ovirt-4.1+
rule-engine: exception+
lsvaty: testing_ack+
Target Release: 4.1.4   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Newer browsers (Chrome 58 and later) require the subjectAltName extension in HTTPS server certificates and no longer fall back to the subject CN for hostname matching. Previously (since version 4.1.2), engine-setup created certificates with subjectAltName for new setups, but did not update existing certificates during an upgrade. Now engine-setup offers to renew existing internal certificates and adds subjectAltName to them, so that newer browsers accept them.
Story Points: ---
Clone Of: 1449084 Environment:
Last Closed: 2017-07-28 14:18:24 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Integration    RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1449084    
Bug Blocks: 1430598, 1449503, 1471461    

Description Dominik Holler 2017-05-12 07:53:53 UTC
During upgrade, the engine's certificates may not be extended with subjectAltName during the execution of engine-setup. So the latest Chrome (> 58.0.3029) still refuses to accept the engine's certificate, since subjectAltName is missing even after the upgrade.

The upgrade is not handled by the changes related to bug #1449084.

+++ This bug was initially created as a clone of Bug #1449084 +++

Description of problem:
Latest Chrome (> 58.0.3029) refuses to accept engine's certificate since subjectAltName is missing.

Error displayed in browser: "This server could not prove that it is ...; its security certificate is from [missing_subjectAltName]."

Version-Release number of selected component (if applicable):
4.1

How reproducible:
100%

Steps to Reproduce:
1. Import the certificate into Chrome from: http://<engine_url>/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA
2. Navigate to the WebAdmin

Additional info:
* The issue blocks the image upload feature, as we require a secured connection for uploading from the browser.
* A suggested fix is already available at: https://gerrit.ovirt.org/#/c/74614/

--- Additional comment from Red Hat Bugzilla Rules Engine on 2017-05-09 04:21:15 EDT ---

Target release should be placed once a package build is known to fix an issue. Since this bug is not modified, the target version has been reset. Please use target milestone to plan a fix for an oVirt release.

--- Additional comment from Yedidyah Bar David on 2017-05-10 02:45:50 EDT ---

There seems to be a workaround for Chrome, for the time being:

https://www.chromium.org/administrators/policy-list-3#EnableCommonNameFallbackForLocalAnchors

See also:

https://www.chromium.org/administrators/linux-quick-start

Didn't try it myself.

--- Additional comment from Dominik Holler on 2017-05-10 10:49:52 EDT ---

The two changes 76656 and 74614 ensure that the following certificates are generated with subjectAltName set: engine, name=jboss, name=websocket-proxy, name=apache, name=reports, name=imageio-proxy, name=ovn-ndb, name=ovn-sdb, name=ovirt-provider-ovn,
but NOT vmconsole-proxy-helper, vmconsole-proxy-user, vmconsole-proxy-host.

If the vmconsole certificates require subjectAltName, further action is required.

No renewal of the certificates is enforced during an upgrade.

The certificate file in the file system could be re-signed, and this way extended with subjectAltName, by:
share/ovirt-engine/bin/pki-enroll-request.sh --name=jboss --subject=/C=US/O=Test/CN=$HOSTNAME --days=356 --san=DNS:$HOSTNAME
but I do not know how the engine could be forced to use the new file.

--- Additional comment from Sandro Bonazzola on 2017-05-10 11:36:35 EDT ---

(In reply to Dominik Holler from comment #3)

> No renewal of the certificates is enforced during an upgrade.
> 
> The certificate file in the file system could be re-signed, and this way extended with
> subjectAltName, by: 
> share/ovirt-engine/bin/pki-enroll-request.sh --name=jboss
> --subject=/C=US/O=Test/CN=$HOSTNAME --days=356 --san=DNS:$HOSTNAME
> but I do not know how the engine could be forced to use the new file.

didi any insight on this?

--- Additional comment from Yedidyah Bar David on 2017-05-11 09:45:05 EDT ---

(In reply to Sandro Bonazzola from comment #4)
> (In reply to Dominik Holler from comment #3)
> 
> > No renewal of the certificates is enforced during an upgrade.
> > 
> > The certificate file in the file system could be re-signed, and this way extended with
> > subjectAltName, by: 
> > share/ovirt-engine/bin/pki-enroll-request.sh --name=jboss
> > --subject=/C=US/O=Test/CN=$HOSTNAME --days=356 --san=DNS:$HOSTNAME
> > but I do not know how the engine could be forced to use the new file.
> 
> didi any insight on this?

I suggest using pki-enroll-pkcs12.sh and not pki-enroll-request.sh; the latter is designed to enroll an existing request. It will work, because we do not remove the requests, but since nothing ever uses them and we do not track them, it is perhaps better to recreate.

Tried this and it seems to work:

~~~
name=apache

# Current subject of the certificate to be re-enrolled. The sed strips the
# "subject= " prefix as printed by OpenSSL 1.0.x (RHEL 7); newer OpenSSL
# prints the subject in a different format.
subject="$(openssl x509 -in /etc/pki/ovirt-engine/certs/"${name}".cer -noout -subject | sed 's;subject= \(.*\);\1;')"

# engine-prolog.sh provides ENGINE_FQDN
. /usr/share/ovirt-engine/bin/engine-prolog.sh

# Re-enroll with the same key and subject, adding a DNS SAN for the engine FQDN.
/usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh --name="${name}" --password=mypass --subject="${subject}" --keep-key --san=DNS:"${ENGINE_FQDN}"

systemctl restart httpd
~~~

Verified that firefox sees the subject alt name, didn't try with chrome.

--- Additional comment from Yedidyah Bar David on 2017-05-11 09:45:53 EDT ---

Also, it might make sense to have SAN default to the CN part of the subject, so that the user does not have to pass it. Perhaps we need another bug for this.

--- Additional comment from Sandro Bonazzola on 2017-05-12 03:29:27 EDT ---

(In reply to Yedidyah Bar David from comment #6)
> Also, it might make sense to have SAN default to the CN part of the subject, so
> that the user does not have to pass it. Perhaps we need another bug for this.

Please open one

Comment 1 Red Hat Bugzilla Rules Engine 2017-05-12 07:54:11 UTC
Target release should be placed once a package build is known to fix an issue. Since this bug is not modified, the target version has been reset. Please use target milestone to plan a fix for an oVirt release.

Comment 2 Jiri Belka 2017-07-14 08:21:16 UTC
ok, rhevm-4.1.4.1-0.1.el7.noarch

~~~
# openssl x509 -in /etc/pki/ovirt-engine/certs/apache.cer -text -noout | grep -A 1 'Subject Alternative Name'
# engine-setup
          --== PKI CONFIGURATION ==--
         
          One or more of the certificates should be renewed, because they expire soon, or include an invalid expiry date, or do not include the subjectAltName extension, which can cause them to be rejected by recent browsers.
          If you choose "No", you will be asked again the next time you run Setup.
          See https://access.redhat.com/solutions/1572983 for more details.
          Renew certificates? (Yes, No) [No]: Yes
...
[ INFO  ] Upgrading CA
...
[ INFO  ] Restarting httpd
          Web access is enabled at:
...
          Internal CA 8C:2E:3A:81:7B:FD:F1:A8:95:74:4F:E5:32:5E:8C:6D:EA:CB:CA:FD
...
[ INFO  ] Execution of setup completed successfully
# openssl x509 -in /etc/pki/ovirt-engine/certs/apache.cer -text -noout | grep -A 1 'Subject Alternative Name'
            X509v3 Subject Alternative Name: 
                DNS:jbelka-vm4.example.com

~~~

Tested with Google Chrome 59.0.3071.115
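
The re-enrolment procedure from comment 5 and the openssl check from comment 2, as an added example that is not part of this bug report or of oVirt's pki-* scripts: it builds a throw-away internal CA and a CN-only server certificate (the shape engine-setup produced before 4.1.2) in a temporary directory, applies the SAN-only hostname rule that Chrome 58 introduced, re-signs the certificate with a subjectAltName while keeping the key (the effect of --keep-key), and confirms the result with openssl. The hostname engine.example.com, the subject, and the file names are assumptions for the demo; it needs only openssl and a POSIX shell.

```shell
#!/bin/sh
# Added example, not oVirt code. Demonstrates: CN-only cert -> rejected by the
# SAN-only hostname rule; re-sign with subjectAltName, same key -> accepted.
# engine.example.com, the subject and file names are assumptions for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=engine.example.com

# Throw-away internal CA plus an "old" server certificate: subject CN only, no SAN.
make_demo_pki() {
    d=$1
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Internal CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    cat > "$d/apache.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
C = US
O = Test
CN = $HOST
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$d/ca.key" \
        -out "$d/ca.cer" -days 365 -config "$d/ca.cnf" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/apache.key" \
        -out "$d/apache.csr" -config "$d/apache.cnf" 2>/dev/null
    # Signed with no extensions at all: this is the shape Chrome 58 rejects.
    openssl x509 -req -in "$d/apache.csr" -CA "$d/ca.cer" -CAkey "$d/ca.key" \
        -CAcreateserial -days 365 -out "$d/apache.cer" 2>/dev/null
}

# dNSName entries of subjectAltName, one per line (empty when the extension is absent).
san_dns_names() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'X509v3 Subject Alternative Name' | tail -n +2 \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

has_san() { [ -n "$(san_dns_names "$1")" ]; }

# Subject CN (RFC2253 output format is stable across OpenSSL versions).
subject_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Hostname check the way Chrome 58+ does it: only dNSName SAN entries count,
# the CN is never consulted. One leftmost wildcard label is supported.
browser_accepts() {
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    for name in $(san_dns_names "$1" | tr 'A-Z' 'a-z'); do
        case $name in
            "$host") return 0 ;;
            \*.*) [ "${host#*.}" = "${name#\*.}" ] && return 0 ;;
        esac
    done
    return 1
}

# Re-sign the existing request with a subjectAltName; key and subject are unchanged
# (the effect of pki-enroll-pkcs12.sh --keep-key --san=DNS:...).
resign_with_san() {
    d=$1; name=$2; shift 2
    san=$(printf 'DNS:%s,' "$@"); san=${san%,}
    printf 'subjectAltName=%s\n' "$san" > "$d/$name.ext"
    openssl x509 -req -in "$d/$name.csr" -CA "$d/ca.cer" -CAkey "$d/ca.key" \
        -CAcreateserial -days 365 -extfile "$d/$name.ext" -out "$d/$name.cer" 2>/dev/null
}

# SHA-256 of the DER public key: proves the re-signed cert still carries the old key.
pubkey_sha256() {
    openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | sed 's/.*= //'
}

demo() {
    make_demo_pki "$WORK"
    before=$(pubkey_sha256 "$WORK/apache.cer")
    if has_san "$WORK/apache.cer"; then echo "unexpected: SAN already present"; return 1; fi
    browser_accepts "$WORK/apache.cer" "$HOST" && echo "accepted" \
        || echo "rejected: CN=$(subject_cn "$WORK/apache.cer") but no subjectAltName"
    resign_with_san "$WORK" apache "$HOST"
    after=$(pubkey_sha256 "$WORK/apache.cer")
    [ "$before" = "$after" ] || { echo "key changed!"; return 1; }
    openssl verify -CAfile "$WORK/ca.cer" "$WORK/apache.cer"
    echo "SAN now: $(san_dns_names "$WORK/apache.cer" | tr '\n' ' ')"
    browser_accepts "$WORK/apache.cer" "$HOST" && echo "accepted"
}
demo
```

The check in `browser_accepts` is the part worth keeping: after an upgrade, run `san_dns_names` against every file under /etc/pki/ovirt-engine/certs and compare with `subject_cn`, and any certificate with an empty SAN list is one that engine-setup's renewal prompt in comment 2 exists to fix.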