Bug 1548154

Summary: Provide external hostname for Elasticsearch server cert
Product: OpenShift Container Platform
Reporter: Rich Megginson <rmeggins>
Component: Logging
Assignee: Rich Megginson <rmeggins>
Status: CLOSED ERRATA
QA Contact: Anping Li <anli>
Severity: high
Docs Contact:
Priority: unspecified
Version: 3.10.0
CC: aos-bugs, jcantril, pportant, rmeggins, sradco
Target Milestone: ---
Target Release: 3.10.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: The Elasticsearch server TLS certificate does not have an external hostname in the subject alt. name list.
Consequence: Clients accessing Elasticsearch externally cannot turn on MITM server cert. validation.
Fix: When configuring Elasticsearch to allow external access, add the external hostname in the subject alt. name list.
Result: TLS clients can turn on server cert. validation.
Story Points: ---
Clone Of:
Clones: 1554878
Environment:
Last Closed: 2018-07-30 19:09:51 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1507407, 1554878

Description Rich Megginson 2018-02-22 20:52:31 UTC
Description of problem:
oVirt/RHV currently uses a direct Fluentd to Elasticsearch connection using client cert auth (so it cannot use a reencrypt route).  Fluentd has to disable SSL verification because the Elasticsearch server cert hostnames in the subjectDN and subjectAltName are the internal cluster hostname(s) and are not externally resolvable.

We need the ability to add an external hostname to be used in the Elasticsearch SSL server cert for the subjectDN or subjectAltName.

Severity high because this is security related.

Comment 2 Rich Megginson 2018-03-13 14:06:41 UTC
(In reply to Shirly Radco from comment #1)
> Can you target this to 3.9?

It is too late for 3.9.0.  I'm keeping this bug for 3.10, and I've cloned a new bug for 3.9.1

Comment 3 Rich Megginson 2018-04-12 01:40:54 UTC
How to test:

Deploy logging with Ansible, setting these parameters:

openshift_logging_es_allow_external=True
openshift_logging_es_hostname=es.openshift.public.hostname

If deploying the ops cluster, add these:

openshift_logging_es_allow_external=True
openshift_logging_es_hostname=es.openshift.public.hostname

After logging is deployed, do this:

oc project logging

oc get endpoints
logging-es                  10.128.0.26:9200    28m
logging-es-ops              10.128.0.27:9200    28m

openssl s_client -connect 10.128.0.26:9200 -showcerts > es
Use Ctrl-C to exit out of s_client

openssl s_client -connect 10.128.0.27:9200 -showcerts > es-ops
Use Ctrl-C to exit out of s_client

For the files es and es-ops - edit the files - you want to remove everything before the first line that begins with
-----BEGIN CERTIFICATE-----
and remove everything after the first line that begins with
-----END CERTIFICATE-----

That is, after you are finished, the file should contain something like this:
-----BEGIN CERTIFICATE-----
MIIC2jCCAcKgAwIBAgIBATANBgkqhkiG9w0BAQsFADAeMRwwGgYDVQQDExNsb2dn
...
9xBULophhdigIpspVX8=
-----END CERTIFICATE-----

Next,

openssl x509 -in es -text | less

if you scroll down you should see something like this:

            X509v3 Subject Alternative Name:
                DNS:localhost, IP Address:127.0.0.1, DNS:logging-es, DNS:logging-es.logging.svc.cluster.local, DNS:logging-es-cluster, DNS:logging-es-cluster.logging.svc.cluster.local, DNS:logging-es-ops, DNS:logging-es-ops.logging.svc.cluster.local, DNS:logging-es-ops-cluster, DNS:logging-es-ops-cluster.logging.svc.cluster.local, DNS:es.openshift.public.hostname, DNS:es-ops.openshift.public.hostname

repeat for es-ops if using the ops cluster
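
The extract-and-check steps above, as an added shell helper (not part of this bug or of the openshift-ansible role): it pulls the first PEM block out of openssl s_client -showcerts output and tests whether openssl x509 -text output lists a given DNS name in the Subject Alternative Name. The s_client transcript and x509 excerpt embedded in it are constructed stand-ins, not real certificates.

```shell
#!/bin/sh
# Added helper for the "How to test" steps above; not part of the bug or of
# openshift-ansible. Sample inputs are constructed stand-ins, not real certs.

# Print only the first PEM certificate block from a file (or stdin when no
# argument is given): the manual "remove everything before/after" edit step.
extract_first_cert() {
  awk '/^-----BEGIN CERTIFICATE-----$/ { p = 1 }
       p { print }
       /^-----END CERTIFICATE-----$/ { if (p) exit }' "${1:--}"
}

# Fetch the server cert from host:port and keep only the first block. Feeding
# stdin from /dev/null makes s_client exit after the handshake (no Ctrl-C).
# Not exercised below because it needs a live endpoint.
fetch_first_cert() {
  openssl s_client -connect "$1" -showcerts </dev/null 2>/dev/null | extract_first_cert
}

# Exit 0 if the "openssl x509 -text" output in $1 lists DNS:$2 in its
# X509v3 Subject Alternative Name entry, 1 otherwise (exact match only).
san_has_dns() {
  awk -v want="DNS:$2" '
    grab { n = split($0, e, ","); for (i = 1; i <= n; i++) { gsub(/^ +| +$/, "", e[i]); if (e[i] == want) hit = 1 }; exit }
    /X509v3 Subject Alternative Name:/ { grab = 1 }
    END { exit hit ? 0 : 1 }' "$1"
}

WORK=$(mktemp -d)
# Constructed stand-in for "openssl s_client -connect ... -showcerts > es".
cat > "$WORK/es" <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=logging-es
-----BEGIN CERTIFICATE-----
FAKESERVERCERTBODY
-----END CERTIFICATE-----
 1 s:/CN=logging-signer-test
-----BEGIN CERTIFICATE-----
FAKESIGNERCERTBODY
-----END CERTIFICATE-----
---
EOF
# Constructed excerpt of "openssl x509 -in es -text" using SAN entries from comment 3.
cat > "$WORK/es.txt" <<'EOF'
            X509v3 Subject Alternative Name:
                DNS:localhost, IP Address:127.0.0.1, DNS:logging-es, DNS:logging-es.logging.svc.cluster.local, DNS:es.openshift.public.hostname, DNS:es-ops.openshift.public.hostname
EOF

extract_first_cert "$WORK/es" > "$WORK/es.pem"
san_has_dns "$WORK/es.txt" es.openshift.public.hostname && echo "external hostname present in SAN"
```

With a live cluster, replace the constructed files with fetch_first_cert 10.128.0.26:9200 piped to openssl x509 -text.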

Comment 5 Anping Li 2018-05-08 10:18:33 UTC
Verified with ose-ansible:v3.10.0-0.37.0.0

Note that if the Elasticsearch name includes '-', it couldn't be added to the Alt name.
You may get the following message:
       Elasticsearch external hostname es.apps.0506-txp.qe.rhcloud.com contains invalid characters for certificate subject Alt Name.  Not adding to Elasticsearch certificate.

Comment 6 Rich Megginson 2018-05-08 14:06:26 UTC
(In reply to Anping Li from comment #5)
> Verified with ose-ansible:v3.10.0-0.37.0.0
> 
> Note that if the elasticsearch name include '-' , It couldn't be added to
> Alt name. 

No.

The problem is that a hostname component begins with a digit.  In this case, the problem is ".0506".

> You may get the following message:
>        Elasticsearch external hostname es.apps.0506-txp.qe.rhcloud.com
> contains invalid characters for certificate subject Alt Name.  Not adding to
> Elasticsearch certificate.

Comment 8 errata-xmlrpc 2018-07-30 19:09:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1816