Bug 1673822
| Summary: | pcsd: SSL Certificate with Wrong Hostname | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Tomas Jelinek <tojeline> | ||||
| Component: | pcs | Assignee: | Tomas Jelinek <tojeline> | ||||
| Status: | CLOSED ERRATA | QA Contact: | cluster-qe <cluster-qe> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | medium | ||||||
| Version: | 8.0 | CC: | cfeist, cluster-maint, idevat, mlisik, mmazoure, omular, pzimek, tojeline | ||||
| Target Milestone: | rc | ||||||
| Target Release: | 8.1 | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | pcs-0.10.1-6.el8 | Doc Type: | Bug Fix | ||||
| Doc Text: |
Cause:
When creating new cluster or adding a node to an existing cluster pcs synchronizes pcsd SSL certificates across the cluster.
Consequence:
CN in the certificate does not match node hostname which is reported as a security issue.
Fix:
Disable the synchronization by default. Provide new option PCSD_SSL_CERT_SYNC_ENABLED in /etc/sysconfig/pcsd to enable the synchronization if needed.
Result:
SSL certificate synchronization is disabled and thus the described security issue does not occur.
|
Story Points: | --- | ||||
| Clone Of: | 1665898 | Environment: | |||||
| Last Closed: | 2019-11-05 20:39:40 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | 1682129 | ||||||
| Bug Blocks: | 1693364 | ||||||
| Attachments: |
|
||||||
Created attachment 1548633 [details]
proposed fix + tests
Test:
* certificate sync is disabled by default
* add PCSD_SSL_CERT_SYNC_ENABLED=true to /etc/sysconfig/pcsd
* check that 'pcs cluster setup' and 'pcs cluster node add' do overwrite pcsd SSL certificate on target nodes
* remove, comment out or set PCSD_SSL_CERT_SYNC_ENABLED=false in /etc/sysconfig/pcsd
* check that in all cases 'pcs cluster setup' and 'pcs cluster node add' do not overwrite pcsd SSL certificate on target nodes
After fix: [root@rhel81-node1 ~]# rpm -q pcs pcs-0.10.1-6.el8.x86_64 [root@rhel81-node1 ~]# ssh rh81-1 -- rm -f /var/lib/pcsd/pcsd.crt /var/lib/pcsd/pcsd.key [root@rhel81-node1 ~]# ssh rh81-2 -- rm -f /var/lib/pcsd/pcsd.crt /var/lib/pcsd/pcsd.key [root@rhel81-node1 ~]# ssh rh81-1 -- systemctl restart pcsd [root@rhel81-node1 ~]# ssh rh81-2 -- systemctl restart pcsd [root@rhel81-node1 ~]# pcs cluster setup rhel-8.1-cluster rh81-1 rh81-2 No addresses specified for host 'rh81-1', using 'rh81-1' No addresses specified for host 'rh81-2', using 'rh81-2' Destroying cluster on hosts: 'rh81-1', 'rh81-2'... rh81-2: Successfully destroyed cluster rh81-1: Successfully destroyed cluster Requesting remove 'pcsd settings' from 'rh81-1', 'rh81-2' rh81-1: successful removal of the file 'pcsd settings' rh81-2: successful removal of the file 'pcsd settings' Sending 'corosync authkey', 'pacemaker authkey' to 'rh81-1', 'rh81-2' rh81-1: successful distribution of the file 'corosync authkey' rh81-1: successful distribution of the file 'pacemaker authkey' rh81-2: successful distribution of the file 'corosync authkey' rh81-2: successful distribution of the file 'pacemaker authkey' Sending 'corosync.conf' to 'rh81-1', 'rh81-2' rh81-1: successful distribution of the file 'corosync.conf' rh81-2: successful distribution of the file 'corosync.conf' Cluster has been successfully set up. [root@rhel81-node1 ~]# ssh rh81-1 -- sha1sum /var/lib/pcsd/pcsd.crt e868f8b684f67245651b188fe7b3562cbdfc1022 /var/lib/pcsd/pcsd.crt [root@rhel81-node1 ~]# ssh rh81-2 -- sha1sum /var/lib/pcsd/pcsd.crt 8bc61149631778ce9d9b98f063b6514a8760ed3d /var/lib/pcsd/pcsd.crt [root@rhel81-node1 ~]# ssh rh81-1 -- echo "PCSD_SSL_CERT_SYNC_ENABLED=true" >> /etc/sysconfig/pcsd [root@rhel81-node1 ~]# ssh rh81-2 -- echo "PCSD_SSL_CERT_SYNC_ENABLED=true" >> /etc/sysconfig/pcsd [root@rhel81-node1 ~]# ssh rh81-1 -- systemctl restart pcsd [root@rhel81-node1 ~]# ssh rh81-2 -- systemctl restart pcsd [root@rhel81-node1 ~]# pcs cluster destroy --all rh81-2: Stopping Cluster (pacemaker)... rh81-1: Stopping Cluster (pacemaker)... rh81-2: Successfully destroyed cluster rh81-1: Successfully destroyed cluster [root@rhel81-node1 ~]# pcs cluster setup rhel-8.1-cluster rh81-1 rh81-2 No addresses specified for host 'rh81-1', using 'rh81-1' No addresses specified for host 'rh81-2', using 'rh81-2' Destroying cluster on hosts: 'rh81-1', 'rh81-2'... rh81-1: Successfully destroyed cluster rh81-2: Successfully destroyed cluster Requesting remove 'pcsd settings' from 'rh81-1', 'rh81-2' rh81-1: successful removal of the file 'pcsd settings' rh81-2: successful removal of the file 'pcsd settings' Sending 'corosync authkey', 'pacemaker authkey' to 'rh81-1', 'rh81-2' rh81-1: successful distribution of the file 'corosync authkey' rh81-1: successful distribution of the file 'pacemaker authkey' rh81-2: successful distribution of the file 'corosync authkey' rh81-2: successful distribution of the file 'pacemaker authkey' Synchronizing pcsd SSL certificates on nodes 'rh81-1', 'rh81-2'... rh81-1: Success rh81-2: Success Sending 'corosync.conf' to 'rh81-1', 'rh81-2' rh81-1: successful distribution of the file 'corosync.conf' rh81-2: successful distribution of the file 'corosync.conf' Cluster has been successfully set up. [root@rhel81-node1 ~]# ssh rh81-1 -- sha1sum /var/lib/pcsd/pcsd.crt fc8097144ef8a5b2a09016f8710be35bf4119eb8 /var/lib/pcsd/pcsd.crt [root@rhel81-node1 ~]# ssh rh81-2 -- sha1sum /var/lib/pcsd/pcsd.crt fc8097144ef8a5b2a09016f8710be35bf4119eb8 /var/lib/pcsd/pcsd.crt Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2019:3311 |
> Our preliminary plan to resolve this is to regenerate pcsd certificate > during the synchronization and put names of all full stack nodes in it. > There would also be an option in /etc/sysconfig/pcsd config file which would > allow to 'disable', 'enable' or 'enable only for pcsd certificates (O and OU > equals to pcsd)' this SSL certification regeneration. If we implemented this, web browsers would complain each time the certificate changes. The whole point of synchronizing the certificates is to avoid such warnings. Therefore this is not a way to go. Instead, we will provide a configuration option in /etc/sysconfig/pcsd to disable certificates synchronization completely. This will resolve the original issue of CN not matching hostname. It will be up to the users to set their own certificates if they are not happy with the default ones.