Bug 1464240

Summary: openshift_cert_expiry cannot parse certs with DER encoded Serial Numbers
Product: OpenShift Container Platform
Reporter: Tim Bielawa <tbielawa>
Component: Installer
Assignee: Tim Bielawa <tbielawa>
Status: CLOSED ERRATA
QA Contact: Gaoyun Pei <gpei>
Severity: high
Docs Contact:
Priority: high
Version: 3.6.0
CC: aos-bugs, jokerman, mmccomas
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Hosts missing OpenSSL python library.
Consequence: Large serial numbers could not be parsed using the existing manual parser work-around for missing OpenSSL libs.
Fix: Manual parser updated to account for the format of certificates with large serial numbers.
Result: Certificates with large serials on hosts missing the OpenSSL python library can now be parsed (such as during cert expiration checking or certificate redeployment).
Story Points: ---
Clone Of:
: 1464543 1464544 1464545 1464546
Environment:
Last Closed: 2017-08-10 05:28:56 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1464543, 1464544, 1464545, 1464546

Description Tim Bielawa 2017-06-22 18:49:35 UTC
Description of problem:

Use of the openshift_cert_expiry role breaks on certificates with very large (more than 8 content (non-0x00) bytes) serial numbers.

Typical certificates which would fall under this category are those issued by the main Trust Authorities (ex: DigiCert), as they will have issued very many certificates.


Version-Release number of selected component (if applicable):

OCP 3.2+ (earliest branch which contains the openshift_cert_expiry role)


How reproducible:
Can be reproduced on any certificate with a very large serial number, such as those issued by commercial Trust Authorities.


Steps to Reproduce:
1. Install a commercially purchased certificate on your master as its certificate authority certificate
2. Run the openshift_cert_expiry role against your cluster

Actual results:

Traceback (most recent call last):
  File "./cert-test.py", line 8, in <module>
    certobj = FakeOpenSSLCertificate(open(cert).read())
  File "openshift-ansible/roles/openshift_certificate_expiry/library/openshift_cert_expiry.py", line 100, in __init__
    self._parse_cert()
  File "openshift-ansible/roles/openshift_certificate_expiry/library/openshift_cert_expiry.py", line 121, in _parse_cert
    self.serial = int(l.split()[-2])
ValueError: invalid literal for int() with base 10: 'Serial'

Expected results:

The expiry role runs fine and generates a report in your desired format(s).

Additional info:

The cert_expiry role uses a custom cert parser on systems lacking the OpenSSL python library. Typically these are Atomic Host systems, but may not always be.


The format of the serial when it exceeds the default decimal-format output limits is BER/DER encoding. For example:

    Serial Number:
        0a:de:eb:24:04:75:ab:56:39:14:e9:5a:22:e2:85:bf

Python does not have a built-in ASN.1 parsing library, so decoding of the DER value will have to be added manually. The current best idea I have for this is to vendor/copy the popular python-asn1 library.

Comment 1 Tim Bielawa 2017-06-22 18:51:59 UTC
This bug will not be hit by all customers. Those most likely to run into this will be those using commercially purchased certificates on their master to issue certificates to other OCP components.

Customers using the certificate redeploy role, who are also using commercial certificates, are also more likely to run into this issue, as the certificate redeploy role uses functionality from the cert expiration checking role to optimize/verify certificate redeploys.

Comment 2 Tim Bielawa 2017-06-22 18:54:19 UTC
Referenced asn.1 library: https://pypi.python.org/pypi/asn1/2.1.0

Comment 3 Tim Bielawa 2017-06-23 15:17:23 UTC
Update: this is easier than anticipated. The serial is actually printing in HEX format. I have a PR almost ready to go for this.
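
The two `openssl x509 -text` serial layouts discussed in the description and in this comment, side by side with the pre-fix parsing logic from the traceback, as an added example that is not the role's own code. The sample text is constructed here and `parse_serial` is a hypothetical helper.

```python
import re

# Constructed `openssl x509 -text` excerpt: a serial small enough for OpenSSL to
# print it in decimal on the same line, with the hex form in parentheses.
SMALL_SERIAL_TEXT = """Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4660 (0x1234)
    Signature Algorithm: sha256WithRSAEncryption
"""

# Constructed excerpt for a large serial: OpenSSL moves the colon-separated hex
# bytes onto the following line, which is the layout that broke the old parser.
LARGE_SERIAL_TEXT = """Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0a:de:eb:24:04:75:ab:56:39:14:e9:5a:22:e2:85:bf
    Signature Algorithm: sha256WithRSAEncryption
"""

def parse_serial_old(text):
    """Pre-fix logic from the traceback: take the second-to-last token of the
    'Serial Number' line as decimal. On the two-line layout that token is the
    word 'Serial', so int() raises ValueError."""
    for line in text.splitlines():
        if 'Serial Number' in line:
            return int(line.split()[-2])
    raise ValueError("no serial found")

def parse_serial(text):
    """Return the serial as an int, accepting both layouts (hypothetical helper)."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        stripped = line.strip()
        if not stripped.startswith('Serial Number:'):
            continue
        rest = stripped[len('Serial Number:'):].strip()
        if rest:
            # One-line form "4660 (0x1234)": the decimal value is the first token.
            return int(rest.split()[0])
        # Two-line form: the next line holds "0a:de:..."; drop colons, parse base 16.
        hex_serial = lines[i + 1].strip().replace(':', '')
        if not re.fullmatch(r'[0-9a-fA-F]+', hex_serial):
            raise ValueError("unexpected serial format: %r" % lines[i + 1])
        return int(hex_serial, 16)
    raise ValueError("no serial found")

def old_parser_breaks(text):
    """True when the pre-fix parser fails on the given text."""
    try:
        parse_serial_old(text)
    except ValueError:
        return True
    return False
```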

Comment 4 Tim Bielawa 2017-06-23 15:29:50 UTC
PR for master branch. Backports will follow shortly.

https://github.com/openshift/openshift-ansible/pull/4573

Comment 6 Gaoyun Pei 2017-06-29 08:09:39 UTC
Verified this bug with openshift-ansible-3.6.126.1-1.git.0.41d2313.el7.noarch

Generate a custom router cert issued by a self-signed CA cert, and the router cert should have a large serial number like:
[cucushift@dhcp-129-188 files]$ openssl x509 -in m01.example.com.crt -text
..
        Serial Number:
            0a:de:eb:24:04:75:ab:56:39:14:e9:5a:22:e2:85:c2

Install a containerized ocp-3.4 cluster on Atomic Host, with the local router certificate set in the ansible inventory file:
openshift_hosted_router_certificate={"certfile": "/files/m01.example.com.crt", "keyfile": "/files/m01.example.com.key", "cafile": "/files/rootCA.pem"}

After installation finished, run the certificate expiry checker easy-mode playbook:
ansible-playbook -i host_file /usr/share/ansible/openshift-ansible/playbooks/certificate_expiry/easy-mode.yaml
The playbook works well without error.

Comment 8 errata-xmlrpc 2017-08-10 05:28:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1716