Bug 1464240

Summary: openshift_cert_expiry Can not parse certs with DER encoded Serial Numbers

| Field | Value | Field | Value |
|---|---|---|---|
| Product | OpenShift Container Platform | Reporter | Tim Bielawa <tbielawa> |
| Component | Installer | Assignee | Tim Bielawa <tbielawa> |
| Status | CLOSED ERRATA | QA Contact | Gaoyun Pei <gpei> |
| Severity | high | Docs Contact | |
| Priority | high | | |
| Version | 3.6.0 | CC | aos-bugs, jokerman, mmccomas |
| Target Milestone | --- | | |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Story Points | --- | | |
| Clone Of | | | |
| | 1464543 1464544 1464545 1464546 | Environment | |
| Last Closed | 2017-08-10 05:28:56 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 1464543, 1464544, 1464545, 1464546 | | |

Doc Text:

Cause: Hosts missing OpenSSL python library.
Consequence: Large Serial numbers could not be parsed using the existing manual parser work-around for missing OpenSSL libs.
Fix: Manual parser updated to account for format of certificates with large serial numbers.
Result: Certificates with large serials on hosts missing the OpenSSL python library can now be parsed (such as during cert expiration checking or certificate redeployment).
Description
Tim Bielawa
2017-06-22 18:49:35 UTC
This bug will not be hit by all customers. Those most likely to run into this will be those using commercially purchased certificates on their master to issue certificates to other OCP components. Customers using the certificate redeploy role, who are also using commercial certificates, are also more likely to run into this issue as the certificate redeploy role uses functionality from the cert expiration checking role to optimize/verify certificate redeploys.

Referenced asn.1 library: https://pypi.python.org/pypi/asn1/2.1.0

Update, this is easier than anticipated. The serial is actually printing in HEX format. I have a PR almost ready to go for this.

PR for master branch. Backports will follow shortly.
https://github.com/openshift/openshift-ansible/pull/4573

Verify this bug with openshift-ansible-3.6.126.1-1.git.0.41d2313.el7.noarch

Generate a custom router cert issued by a self-signed CA cert, and the router cert should have a large serial number like:

    [cucushift@dhcp-129-188 files]$ openssl x509 -in m01.example.com.crt -text
    ..
    Serial Number: 0a:de:eb:24:04:75:ab:56:39:14:e9:5a:22:e2:85:c2

Install a containerized ocp-3.4 cluster on Atomic Host, set local router certificate used in ansible inventory file

    openshift_hosted_router_certificate={"certfile": "/files/m01.example.com.crt", "keyfile": "/files/m01.example.com.key", "cafile": "/files/rootCA.pem"}

After installation finished, run certificate expiry checker easy-mode playbook

    ansible-playbook -i host_file /usr/share/ansible/openshift-ansible/playbooks/certificate_expiry/easy-mode.yaml

The playbook works well without error.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHEA-2017:1716
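The parsing problem behind this bug, shown as an added example that is not openshift-ansible's own code and does not reproduce the change in PR 4573: when the pyOpenSSL module is unavailable, the only fallback is to scrape the text output of `openssl x509 -text`, and a scraper that only understands the short `N (0xN)` form fails on the large colon-separated hex form that the QA comment above shows. The function below accepts both forms, on the label line or on the line after it (an assumed layout; both sample outputs are constructed, with the large serial value taken from the comment above), cross-checks the decimal and hex values in the short form, and returns the serial as a Python integer so it can be compared or re-rendered in openssl's colon-hex notation.

```python
import re

# Constructed sample of `openssl x509 -text` output for a serial that fits in a
# machine word; openssl prints decimal and hex on the label line (assumed layout).
SMALL_SERIAL_TEXT = """Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4660 (0x1234)
    Signature Algorithm: sha256WithRSAEncryption
"""

# Constructed sample for a large serial (this bug's case); openssl prints it as
# colon-separated hex bytes, usually on the line after the label (assumed layout).
LARGE_SERIAL_TEXT = """Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0a:de:eb:24:04:75:ab:56:39:14:e9:5a:22:e2:85:c2
    Signature Algorithm: sha256WithRSAEncryption
"""

SERIAL_LINE = re.compile(r"^\s*Serial Number:\s*(.*)$")
SMALL_FORM = re.compile(r"^(\d+)\s*\(0x([0-9a-fA-F]+)\)$")
HEX_FORM = re.compile(r"^([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2})*)$")


def parse_serial(text):
    """Return the certificate serial number as an int from `openssl x509 -text` output.

    Handles the short form ("4660 (0x1234)") and the large form
    ("0a:de:eb:..."), whether the value sits on the label line or on the next one.
    Raises ValueError when no serial is found or the format is not recognised,
    so a caller never silently treats a cert as unparsed-but-fine.
    """
    lines = text.splitlines()
    for idx, line in enumerate(lines):
        match = SERIAL_LINE.match(line)
        if not match:
            continue
        rest = match.group(1).strip()
        # Large serials are printed on the following line; pick it up.
        if not rest and idx + 1 < len(lines):
            rest = lines[idx + 1].strip()
        small = SMALL_FORM.match(rest)
        if small:
            decimal = int(small.group(1))
            hexval = int(small.group(2), 16)
            if decimal != hexval:
                raise ValueError("decimal and hex serial disagree: %r" % rest)
            return decimal
        large = HEX_FORM.match(rest)
        if large:
            return int(large.group(1).replace(":", ""), 16)
        raise ValueError("unrecognised serial number format: %r" % rest)
    raise ValueError("no Serial Number line found")


def serial_to_hex(serial):
    """Render an integer serial as colon-separated hex bytes, as openssl prints it."""
    hexstr = "%x" % serial
    if len(hexstr) % 2:
        hexstr = "0" + hexstr  # keep whole bytes, including a leading zero nibble
    return ":".join(hexstr[i:i + 2] for i in range(0, len(hexstr), 2))


if __name__ == "__main__":
    for sample in (SMALL_SERIAL_TEXT, LARGE_SERIAL_TEXT):
        serial = parse_serial(sample)
        print("serial %d -> %s" % (serial, serial_to_hex(serial)))
```

Returning an integer rather than the scraped string is the point: a 128-bit serial compares correctly as an int regardless of which textual form it came from, and the hex rendering lets the expiry checker report it in the same notation an operator sees from `openssl x509`.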