Bug 1485498

Summary: Certificate errors for Chrome 60 and Firefox 52.3.0 on Mac OS
Product: Red Hat OpenStack Reporter: Anandeep Pannu <apannu>
Component: openstack-tripleo-uiAssignee: Harry Rybacki <hrybacki>
Status: CLOSED DUPLICATE QA Contact: Ola Pavlenko <opavlenk>
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: beth.white, dtrainor, jjoyce, josorior, jpichon, jrist, jschluet, slinaber, tvignaud
Target Milestone: ---   
Target Release: 12.0 (Pike)   
Hardware: Unspecified   
OS: Mac OS   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-10-03 14:17:21 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Firefox "secure connection failed" snapshot
none
Chrome "Your connection is not secure" screenshot none

Description Anandeep Pannu 2017-08-25 21:33:25 UTC 
Created attachment 1318341 [details]
Firefox "secure connection failed" snapshot

Description of problem:
Get the error 

Version-Release number of selected component (if applicable):
OSP 10, 11, 12 

How reproducible:


Use a browser on Mac OS X El Capitan (10.11.6) 

Browsers used were 
(1) Chrome 54.0.2840.98 (64-bit)
(2) Firefox 52.3.0 Firefox Extended Support Release ESR

Try to open URL for undercloud install 

Steps to Reproduce:
1.
2.
3.

Actual results:
See attachments below from Chrome and Firefox - with certificate error messages 


Expected results:


Additional info:
Comment 1 Anandeep Pannu 2017-08-25 21:35:17 UTC 
Created attachment 1318344 [details]
Chrome "Your connection is not secure" screenshot
Comment 2 Anandeep Pannu 2017-08-25 21:38:14 UTC 
From dtrainor

"I was looking at the SSL certificate used[0] and it doesn't have a Subject Alternative Name for the system, which I understand Chrome on OSX now requires.  That's what is going to prevent this from working.  As it is right now, however, it does work on other browsers on other platforms - for example, I have no problems with this using Chrome 60 on Fedora - weird.

When you open a bug, you can reference this link[1] for more information.  

We need to add an additional value (the VIP, or 8.43.87.242), to the SubjectAltName value of the certificate.  This needs to happen automatically as part of the Undercloud install.  Since the Undercloud won't know what this IP should be, it probably needs to be specified as an install-time parameter, perhaps in the undercloud.conf file prior to 'openstack undercloud install'.  
"

---

[0] http://paste.openstack.org/show/619087/
[1] https://www.thesslstore.com/blog/security-changes-in-chrome-58/
Comment 5 Juan Antonio Osorio 2017-09-26 11:21:35 UTC 
Well, the autogenerated certificate has been using a subjectaltname for a while. Checking it, it seems to be in OSP10 as well. What is this error reported for? the undercloud or the overcloud?

If it's the overcloud, we do expect folks to generate their own certificates; perhaps what should be fixed is the documentation where it gives an example of how to generate a certificate, and we should include setting up a SubjectAltName there.
Comment 6 Juan Antonio Osorio 2017-09-26 11:24:03 UTC 
Uhm... If it's the undercloud, I think it might be related to this bug https://bugzilla.redhat.com/show_bug.cgi?id=1445580
Comment 8 Anandeep Pannu 2017-09-29 16:10:42 UTC 
The error occurred in the undercloud
Comment 9 Harry Rybacki 2017-10-03 14:17:21 UTC 
Closing this as a duplicate or RHBZ#1445580[1].

[1] - https://bugzilla.redhat.com/show_bug.cgi?id=1445580

*** This bug has been marked as a duplicate of bug 1445580 ***