Bug 1668970
| Summary: | Router does not properly concatenate certificates generated by Red Hat IdM due to missing nonprintable ('\n') | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Brian J. Beaudoin <bbeaudoi> |
| Component: | Installer | Assignee: | Scott Dodson <sdodson> |
| Installer sub component: | openshift-ansible | QA Contact: | Gaoyun Pei <gpei> |
| Status: | CLOSED ERRATA | Docs Contact: | |
| Severity: | low | ||
| Priority: | unspecified | CC: | bbeaudoi, gpei |
| Version: | 3.11.0 | ||
| Target Milestone: | --- | ||
| Target Release: | 3.11.z | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: |
If the specified router certificate, key, or CA did not end with a new line character the router deployment would fail. A new line is now appended to each of the input files ensuring this problem doesn't occur.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-02-20 14:11:02 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Change has merged to release-3.11 branch, can you validate that resolves the issue with the problematic inputs you were using? Works as expected. Ran the playbook ensuring the secret was replaced, the contents were valid, and the router deployed properly. In openshift-ansible-3.11.75-1, why didn't this got ON_QA when the new tag was cut? Could reproduce this issue with openshift-ansible-3.11.59-1.git.0.ba8e948.el7.noarch
1. Prepare a custom router cert file which doesn't have line break in the bottom line.
[root@gpei-preserve-ansible-slave host]# cat -e /path/to/custom_router_1_no_end_linebreak.crt
-----BEGIN CERTIFICATE-----$
MIIDQjCCAioCCQDnQLeTFb3pAjANBgkqhkiG9w0BAQUFADBrMQswCQYDVQQGEwJY$
...
/QTdf8gk3AiClnpJsM3bnuIy2lqzY7mebky//JBz9M3RwCfKDz7EJuZ12mqu8p+S$
xfqh3NbO4g355/CppBlIX3BjwLtcbg==$
-----END CERTIFICATE-----[root@gpei-preserve-ansible-slave host]#
2. Set the custom router cert and key in inventory file
openshift_hosted_router_certificate={"certfile": "/path/to/custom_router_1_no_end_linebreak.crt", "keyfile": "/path/to/custom_router_1.key", "cafile": "/path/to/custom_router_1_rootca.crt"}
3. Run redeploy-router-certificates.yml playbook against a 3.11 cluster
TASK [openshift_hosted : Create OpenShift router] **********************************************************************************************************************************************************
failed: [host-8-245-45.host.centralci.eng.rdu2.redhat.com] ...
"module_stderr": "Shared connection to host-8-245-45.host.centralci.eng.rdu2.redhat.com closed.\r\n", "module_stdout": "Traceback (most recent call last):\r\n File \"/tmp/ansible/ansible-tmp-1548767802.39-160700364467405/AnsiballZ_oc_adm_router.py\", line 113, in <module>\r\n _ansiballz_main()\r\n File \"/tmp/ansible/ansible-tmp-1548767802.39-160700364467405/AnsiballZ_oc_adm_router.py\", line 105, in _ansiballz_main\r\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\r\n File \"/tmp/ansible/ansible-tmp-1548767802.39-160700364467405/AnsiballZ_oc_adm_router.py\", line 48, in invoke_module\r\n imp.load_module('__main__', mod, module, MOD_DESC)\r\n File \"/tmp/ansible_oc_adm_router_payload_S2pU6a/__main__.py\", line 3252, in <module>\r\n File \"/tmp/ansible_oc_adm_router_payload_S2pU6a/__main__.py\", line 3243, in main\r\n File \"/tmp/ansible_oc_adm_router_payload_S2pU6a/__main__.py\", line 3172, in run_ansible\r\n File \"/tmp/ansible_oc_adm_router_payload_S2pU6a/__main__.py\", line 3010, in needs_update\r\n File \"/tmp/ansible_oc_adm_router_payload_S2pU6a/__main__.py\", line 2729, in prepared_router\r\n__main__.RouterException: Could not perform router preparation: error: router could not be created: the default cert must contain a private key\r\n\r\n", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}
With openshift-ansible-3.11.75-1.git.0.95e8e2a.el7.noarch, the redeploy-router-certificates.yml playbook could be finished without such error.
router-certs secret was updated to use the new provided cert and key, router pod was running well after redeployment.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:0326 |
Description of problem: When using a certificate (cert.pem) downloaded from Red Hat IdM, the router deployment and redeploy-router-certificates.yml playbooks, an error is generated stating the certificate and key must be in the same file due to a missing '\n' at the end of the file. Version-Release number of the following components: $ rpm -q openshift-ansible openshift-ansible-3.11.59-1.git.0.ba8e948.el7.noarch $ rpm -q ansible ansible-2.6.11-1.el7ae.noarch $ ansible --version ansible 2.6.11 config file = /home/bbeaudoin/.ansible.cfg configured module search path = [u'/home/bbeaudoin/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules'] ansible python module location = /usr/lib/python2.7/site-packages/ansible executable location = /usr/bin/ansible python version = 2.7.5 (default, Sep 12 2018, 05:31:16) [GCC 4.8.5 20150623 (Red Hat 4.8.5-36)] How reproducible: Steps to Reproduce: 1. Generate a certificate using Red Hat IdM (or any other tool) without a '\n' after -----END CERTIFICATE----- 2. Run the installation or use the redeploy-router-certificates.yml playbook Actual results: __main__.RouterException: Could not perform router preparation: error: router could not be created: the default cert must contain a private key Expected results: Safe concatenation of files that may be generated (rather than cut-and-pasted) that appear to be correct with exception of a missing nonprintable character. Additional info: Concatenation resulted in a temporary file that contained this string in the middle: -----END CERTIFICATE----------BEGIN PRIVATE KEY----- As the error suggested the certificate and key should have been concatenated before running the playbook, the missing nonprintable character may not be obvious if the file is not closely inspected. Examining the certificate using `openssl x509` or other certificate utilities show a valid certificate file. Opening in a text editor does not reveal an issue due to the missing character being nonprintable. If the files are concatenated by the user (in response to the error) before running the playbook without fixing the error, the playbooks will happily write or replace the router certificates (as the private key now exists in the concatenated file due to double-concatenation) but despite the playbook running to completion without error the router deployment will fail. Traceback (most recent call last): File \"/tmp/ansible_fCMFq7/ansible_module_oc_adm_router.py\", line 3252, in <module> main() File \"/tmp/ansible_fCMFq7/ansible_module_oc_adm_router.py\", line 3243, in main results = Router.run_ansible(module.params, module.check_mode) File \"/tmp/ansible_fCMFq7/ansible_module_oc_adm_router.py\", line 3172, in run_ansible if not ocrouter.needs_update(): File \"/tmp/ansible_fCMFq7/ansible_module_oc_adm_router.py\", line 3010, in needs_update not Utils.check_def_equal(self.prepared_router['ServiceAccount']['obj'].yaml_dict, File \"/tmp/ansible_fCMFq7/ansible_module_oc_adm_router.py\", line 2729, in prepared_router raise RouterException('Could not perform router preparation: %s' % results['stderr']) __main__.RouterException: Could not perform router preparation: error: router could not be created: the default cert must contain a private key