Bug 1464546

Summary: [3.2] openshift_cert_expiry Can not parse certs with DER encoded Serial Numbers
Product: OpenShift Container Platform Reporter: Scott Dodson <sdodson>
Component: InstallerAssignee: Tim Bielawa <tbielawa>
Status: CLOSED ERRATA QA Contact: Gaoyun Pei <gpei>
Severity: high Docs Contact:
Priority: high    
Version: 3.2.1CC: aos-bugs, jialiu, jokerman, mmccomas, tbielawa
Target Milestone: ---   
Target Release: 3.2.1   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: Hosts missing OpenSSL python library. Consequence: Large Serial numbers could not be parsed using the existing manual parser work-around for missing OpenSSL libs. Fix: Manual parser updated to account for format of certificates with large serial numbers. Result: Certificates with large serials on hosts missing the OpenSSL python library can now be parsed (such as during cert expiration checking or certificate redeployment).
 Story Points: ---
Clone Of: 1464240 Environment:
Last Closed: 2017-06-29 13:34:41 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1464240    
Bug Blocks: 1464543, 1464544, 1464545    

Description Scott Dodson 2017-06-23 17:58:53 UTC 
+++ This bug was initially created as a clone of Bug #1464240 +++

Description of problem:

Use of the openshift_cert_expiry role breaks on certificates with very large (more than 8 content (non-0x00) bytes) serial numbers.

Typical certificates which would fall under this category are those issued by the main Trust Authorities (ex: DigiCert), as they will have issued very many certificates.


Version-Release number of selected component (if applicable):

OCP 3.2+ (earliest branch which contains the openshift_cert_expiry role)


How reproducible:
Can be reproduced on any certificate with a very large serial number, such as those issued by commercial Trust Authorities.


Steps to Reproduce:
1. Install a commercially purchased certificate on your master as it's certificate authority certificate
2. Run the openshift_cert_expiry role against your cluster

Actual results:

Traceback (most recent call last):
  File "./cert-test.py", line 8, in <module>
    certobj = FakeOpenSSLCertificate(open(cert).read())
  File "openshift-ansible/roles/openshift_certificate_expiry/library/openshift_cert_expiry.py", line 100, in __init__
    self._parse_cert()
  File "openshift-ansible/roles/openshift_certificate_expiry/library/openshift_cert_expiry.py", line 121, in _parse_cert
    self.serial = int(l.split()[-2])
ValueError: invalid literal for int() with base 10: 'Serial'

Expected results:

The expiry role runs fine and generates a report in your desired format(s).

Additional info:

The cert_expiry role uses a custom cert parser on systems lacking the OpenSSL python library. Typically these are Atomic Host systems, but may not always be.


The format of the serial when it exceeds the default decimal-format output limits is BER/DER encoding. For example:

    Serial Number:
        0a:de:eb:24:04:75:ab:56:39:14:e9:5a:22:e2:85:bf

Python does not have a built in ASN.1 parsing library so decoding of the DER value will have to be added in manually. The current best idea I have for this is to vendor/copy the popular python-asn1 library

--- Additional comment from Tim Bielawa on 2017-06-22 14:51:59 EDT ---

This bug will not be hit by all customers. Those most likely to run into this will be those using commercially purchased certificates on their master to issue certificates to other OCP components.

Customers using the certificate redeploy role, who are also using commercial certificates are also more likely to run into this issue as the certificate redeploy role uses functionality from the cert expiration checking role to optimize/verify certificate redeploys.

--- Additional comment from Tim Bielawa on 2017-06-22 14:54:19 EDT ---

Referenced asn.1 library: https://pypi.python.org/pypi/asn1/2.1.0

--- Additional comment from Tim Bielawa on 2017-06-23 11:17:23 EDT ---

Update, this is easier than anticipated. The serial is actually printing in HEX format. I have a PR almost ready to go for this.

--- Additional comment from Tim Bielawa on 2017-06-23 11:29:50 EDT ---

PR for master branch. Backports will follow shortly.

https://github.com/openshift/openshift-ansible/pull/4573
Comment 1 Scott Dodson 2017-06-23 18:01:26 UTC 
https://github.com/openshift/openshift-ansible/issues/4574
Comment 3 Gaoyun Pei 2017-06-28 09:34:17 UTC 
Verify this bug with openshift-ansible-3.2.61-1.git.0.4bf0fd2.el7

Generate a custom router cert issued by a self-signed CA cert, and the router cert should have a large serial number like:
[cucushift@dhcp-129-188 files]$ openssl x509 -in m01.example.com.crt -text
..
        Serial Number:
            0a:de:eb:24:04:75:ab:56:39:14:e9:5a:22:e2:85:c2

Install a containerized ocp-3.2 cluster on Atomic Host, set local router certificate used in ansible inventory file 
openshift_hosted_router_certificate={"certfile": "/files/m01.example.com.crt", "keyfile": "/files/m01.example.com.key", "cafile": "/files/rootCA.pem"}

After installation finished, run certificate expiry checker easy-mode playbook
ansible-playbook -i host_file /usr/share/ansible/openshift-ansible/playbooks/certificate_expiry/easy-mode.yaml
The playbook works well without error.
Comment 5 errata-xmlrpc 2017-06-29 13:34:41 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1666