Bug 1729511
| Field | Value |
|---|---|
| Summary | engine-setup fails to upgrade to 4.3 with Unicode characters in CA subject |
| Product | Red Hat Enterprise Virtualization Manager |
| Component | ovirt-engine |
| Version | 4.3.0 |
| Hardware | x86_64 |
| OS | Linux |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | high |
| Type | Bug |
| Reporter | Juan Orti <jortialc> |
| Assignee | Yedidyah Bar David <didi> |
| QA Contact | Petr Matyáš <pmatyas> |
| CC | didi, emarcus, lleistne, mtessun, stirabos |
| oVirt Team | Integration |
| Target Milestone | ovirt-4.4.0 |
| Target Release | --- |
| Keywords | ZStream |
| Doc Type | Bug Fix |
| Doc Text | During installation of, or upgrade to, Red Hat Virtualization 4.3, engine-setup failed if the PKI Organization Name in the CA certificate included non-ASCII characters. In this release, engine-setup completes successfully. |
| Clones | 1733438 |
| Bug Blocks | 1733438 |
| Last Closed | 2020-08-04 13:19:49 UTC |
| Story Points | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| Cloudforms Team | --- |
Description
Juan Orti
2019-07-12 12:50:32 UTC
(In reply to Juan Orti Alcaine from comment #0)
> Steps to Reproduce:
> 1. Install 4.1 or older engine with a CA subject with unicode characters
> 2. Upgrade to 4.3
>
> Actual results:
> The upgrade process fails with the mentioned error. The upgrade to 4.2 has
> also been tested with similar errors.
>
> Expected results:
> The engine-setup process should identify this CA subject as invalid and do
> the renewal automatically.

Not sure what you mean here. If it's invalid, perhaps we should prevent upgrade? Please explain what you want.

I'll try to reproduce and check logs later on, then might have better insights. Worst case, we might have to recreate all PKI with new certs and a new organization name.

For other cases of invalid certificates, engine-setup asks to renew them: https://access.redhat.com/solutions/1572983

I was speaking with Miguel Martín, and in theory, the X520OrganizationName field can be a utf8String, so maybe it's a problem with the SSL library that should accept those certificates. https://tools.ietf.org/html/rfc5280#appendix-A

So, if we refuse to accept UTF-8 strings, ideally all the PKI should be recreated and the hosts re-enrolled. If not, the necessary changes should be done to accept the certificates.

Now reproduced also on clean setup - exactly the same failure happens, during postinstall generation, when supplying a unicode organization. And the failure is in python code, unrelated to openssl or anything like that. I wonder how it was created so originally...

OK, found the reason. It was broken only on otopi-1.8 (oVirt/RHV 4.3), due to this patch: https://gerrit.ovirt.org/92435

I think the patch is correct in principle, and will probably need to patch the code generating postinstall to pass binary data.

Should I open a different bug for libvirtd not starting with that CA cert?

(In reply to Juan Orti Alcaine from comment #6)
> Should I open a different bug for libvirtd not starting with that CA cert?

Probably, but I am still not sure what the exact problem was. The specific error in comment 0 is unrelated to ssl or any 3rd-party library - it's all due to oVirt code. Once we fix that, we can try to reproduce the libvirt error. Or, you can try to reproduce with a 4.2 engine (I didn't try). If you do reproduce, and indeed upgrading a host (where the engine is still 4.2) fails as noted, please open a bug. Thanks.

Hi Didi - here is the updated Doc Text, please review:

During upgrade to Red Hat Virtualization 4.3, engine-setup failed if the PKI Organization Name in the CA certificate included non-ASCII characters.
In this release, the upgrade engine-setup process completes successfully.

(In reply to Eli Marcus from comment #10)
> Hi Didi - here is the updated Doc Text, please review:
>
> During upgrade to Red Hat Virtualization 4.3, engine-setup failed if the PKI
> Organization Name in the CA certificate included non-ASCII characters.
> In this release, the upgrade engine-setup process completes successfully.

AFAIR it wasn't specific to upgrade - I think I reproduced this failure also on new setups. Otherwise, it's ok.

(In reply to Yedidyah Bar David from comment #11)
> (In reply to Eli Marcus from comment #10)
> > Hi Didi - here is the updated Doc Text, please review:
> >
> > During upgrade to Red Hat Virtualization 4.3, engine-setup failed if the PKI
> > Organization Name in the CA certificate included non-ASCII characters.
> > In this release, the upgrade engine-setup process completes successfully.
>
> AFAIR it wasn't specific to upgrade - I think I reproduced this failure also
> on new setups. Otherwise, it's ok.

OK, I modified the text:

"During installation or upgrade to Red Hat Virtualization 4.3, engine-setup failed if the PKI Organization Name in the CA certificate included non-ASCII characters. In this release, the upgrade engine-setup process completes successfully."
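The thread makes two technical points: RFC 5280 lets an organizationName be carried as a UTF8String (so a CA subject with non-ASCII characters is a perfectly valid certificate), and the actual failure was Python code handing text to a writer that expects bytes. The following is an added example, not code from this bug, from otopi or from ovirt-engine. It hand-encodes an `O=` RelativeDistinguishedName in DER, choosing PrintableString for ASCII-printable values and UTF8String otherwise, decodes it back, and then shows the encode-before-write pattern for an otopi-style `key=str:value` answer-file line. The answer-file key name and the assumption that the underlying writer wants bytes are illustrative assumptions; the sample organization names are constructed.

```python
"""Added example: X.520 organizationName as DER DirectoryString, plus the
str-vs-bytes pitfall. Not otopi/ovirt-engine code; standard library only."""
import re

# id-at-organizationName is OID 2.5.4.10; its DER content octets are 55 04 0a.
OID_ORGANIZATION_NAME = bytes([0x55, 0x04, 0x0A])

TAG_OID = 0x06
TAG_UTF8STRING = 0x0C
TAG_PRINTABLESTRING = 0x13
TAG_SEQUENCE = 0x30
TAG_SET = 0x31

# Character repertoire of ASN.1 PrintableString (X.680): letters, digits,
# space and the punctuation ' ( ) + , - . / : = ?  Anything else (e.g. "Ñ")
# forces UTF8String, which RFC 5280 4.1.2.4 permits in a DirectoryString.
_PRINTABLE = re.compile(r"[A-Za-z0-9 '()+,\-./:=?]*")


def der_length(n):
    """DER length octets: short form below 128, minimal long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    """Tag-Length-Value with a single-octet tag."""
    return bytes([tag]) + der_length(len(content)) + content


def encode_directory_string(value):
    """Pick the narrowest DirectoryString type that can hold `value`."""
    if _PRINTABLE.fullmatch(value):
        return der_tlv(TAG_PRINTABLESTRING, value.encode("ascii"))
    return der_tlv(TAG_UTF8STRING, value.encode("utf-8"))


def encode_organization_rdn(org):
    """RelativeDistinguishedName ::= SET OF AttributeTypeAndValue (one O= entry)."""
    oid = der_tlv(TAG_OID, OID_ORGANIZATION_NAME)
    atv = der_tlv(TAG_SEQUENCE, oid + encode_directory_string(org))
    return der_tlv(TAG_SET, atv)


def _read_tlv(buf, pos):
    """Parse one TLV at buf[pos:], returning (tag, content, next_pos)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_organization_rdn(der):
    """Return (string_type_name, organization) from a DER-encoded O= RDN."""
    tag, rdn, _ = _read_tlv(der, 0)
    if tag != TAG_SET:
        raise ValueError("expected SET")
    tag, atv, _ = _read_tlv(rdn, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("expected SEQUENCE")
    tag, oid, pos = _read_tlv(atv, 0)
    if tag != TAG_OID or oid != OID_ORGANIZATION_NAME:
        raise ValueError("not an organizationName attribute")
    tag, value, _ = _read_tlv(atv, pos)
    if tag == TAG_PRINTABLESTRING:
        return "PrintableString", value.decode("ascii")
    if tag == TAG_UTF8STRING:
        return "UTF8String", value.decode("utf-8")
    raise ValueError("unsupported DirectoryString tag 0x%02x" % tag)


def ascii_only_write_fails(value):
    """True when an ASCII-only default codec would reject this name, which is
    the failure mode the bug thread attributes to the postinstall generator."""
    try:
        value.encode("ascii")
    except UnicodeEncodeError:
        return True
    return False


def answer_file_line_bytes(key, value):
    """Bytes for one otopi-style `key=str:value` line (key name assumed for
    illustration). Encoding explicitly to UTF-8 before handing the line to a
    bytes-only writer is the 'pass binary data' fix described in the thread."""
    return ("%s=str:%s\n" % (key, value)).encode("utf-8")


if __name__ == "__main__":
    for org in ("Example", "Ejemplo \u00d1"):  # constructed sample names
        der = encode_organization_rdn(org)
        print(org, "->", der.hex(), decode_organization_rdn(der))
```

The decoder deliberately accepts both string types: a validator that only understands PrintableString would reject the second sample even though RFC 5280 says it is a legitimate subject, which is the "the SSL library should accept those certificates" point raised above.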
Verified on ovirt-engine-4.4.0-0.5.master.el7.noarch

WARN: Bug status (VERIFIED) wasn't changed but the following should be fixed: [Found non-acked flags: '{}', ] For more info please contact: rhv-devops

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Important: RHV Manager (ovirt-engine) 4.4 security, bug fix, and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:3247