Bug 1752110

Summary: Enhance Octavia error message when PKCS12 is encrypted with key
Product: Red Hat OpenStack
Reporter: Andreas Karis <akaris>
Component: openstack-octavia
Assignee: Michael Johnson <michjohn>
Status: CLOSED ERRATA
QA Contact: Bruna Bonguardo <bbonguar>
Severity: medium
Priority: medium
Version: 13.0 (Queens)
CC: bhaley, cgoncalves, ihrachys, lpeer, majopela, scohen
Target Milestone: z11
Keywords: Triaged, ZStream
Target Release: 13.0 (Queens)
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openstack-octavia-2.1.2-2.el7ost
Doc Type: If docs needed, set a value
Last Closed: 2020-03-10 11:26:10 UTC
Type: Bug

Description Andreas Karis 2019-09-13 17:26:13 UTC
Description of problem:

Enhance Octavia error message when PKCS12 is encrypted with key. Octavia should be enhanced to provide a better error code when the pkcs12 bundle does not pass validation or is unreadable.

Internal link with more details: http://post-office.corp.redhat.com/archives/rhos-tech/2019-September/msg00206.html

Additional info:

This point is IMO already covered in https://bugzilla.redhat.com/show_bug.cgi?id=1712448#c8, https://storyboard.openstack.org/#!/story/2005925, https://review.opendev.org/#/c/667200/
~~~
Validate certificate content at API level

Starting from Rocky, certificates are loaded still at API level when
converting objects to provider data models. The act of loading the
certificate provides validation as to its content. For example, it
checks if a value in the Common Name field is set. When the content is
passed in on create and update actions via reference, it is checked at
API level. If it's invalid, it fails right there and an error is
returned to the user.

Although, certificate content is not checked at API level in Queens.
Should an invalid certificate be passed in, the API accepts but it will
later fail at provisioning -- the listener and loadbalancer go into
ERROR. The problem starts when the health manager runs the periodic
update health check. It calculates the expected number of listeners and
sees the listener in ERROR. In an attempt to heal it, an amphora
failover is triggered. As it runs the failover, it tries, again, to load
up the invalid certificate. Amphora failover goes on in a loop.

This patch is a Queens-only patch.
~~~

But I would like to make sure that this is the case.
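
The quoted patch message above describes the failure mode: in Queens the API accepts a PKCS12 bundle it never tried to open, the listener then fails at provisioning, and the health manager loops on amphora failover while re-loading the same bad bundle. The example below is an added illustration of the kind of API-level check that catches this up front and tells the user why the bundle was rejected, in particular the case from the bug title where the bundle is pass-phrase protected. It is not code from Octavia, from the linked upstream review, or from this erratum; the class and function names, the DER probe heuristic, the error wording and the constructed test bundles are all this example's own, and it assumes the `cryptography` package is installed and that the API already holds the raw DER bytes of the bundle.

```python
"""Added example (not Octavia's code): reject an unreadable or pass-phrase
protected PKCS12 bundle at the API layer with an actionable message.

Assumptions (hypothetical): `cryptography` is installed; the API holds the
raw DER bundle; names below are this example's, not Octavia's.
"""
import datetime
from typing import Optional

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID


class PKCS12BundleError(ValueError):
    """Hypothetical API-level error carrying a user-facing explanation."""


def _is_der_sequence(data: bytes) -> bool:
    """Cheap structural probe (a heuristic, not a DER parser): a PKCS12 PFX
    is a DER SEQUENCE whose encoded length matches the blob length. This
    separates 'not PKCS12 at all' from 'PKCS12 we cannot open'."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                       # short-form length
        length, header = first, 2
    else:                                  # long-form length, 1-4 bytes
        n = first & 0x7F
        if not 1 <= n <= 4 or len(data) < 2 + n:
            return False
        length, header = int.from_bytes(data[2:2 + n], "big"), 2 + n
    return header + length == len(data)


def validate_pkcs12(data: bytes) -> dict:
    """Load the bundle the way the data plane would: with no pass phrase.
    Returns a summary on success, raises PKCS12BundleError otherwise."""
    if not _is_der_sequence(data):
        raise PKCS12BundleError(
            "The PKCS12 bundle is unreadable: not a DER-encoded PKCS12 "
            "structure (is the secret the raw bundle rather than PEM/text?).")
    try:
        key, cert, chain = pkcs12.load_key_and_certificates(data, None)
    except ValueError as exc:
        raise PKCS12BundleError(
            "The PKCS12 bundle is unreadable. Check that the bundle is valid "
            "and that it does not require a pass phrase; only unencrypted "
            "bundles are accepted. Error: %s" % exc) from exc
    if key is None or cert is None:
        raise PKCS12BundleError(
            "The PKCS12 bundle must contain both a private key and a certificate.")
    # The quoted patch message notes that loading also checks the CN is set.
    cns = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    if not cns:
        raise PKCS12BundleError(
            "The certificate in the PKCS12 bundle has no Common Name (CN) set.")
    return {"common_name": cns[0].value, "chain_length": len(chain or [])}


def describe_bundle(data: bytes) -> str:
    """What the API would return to the user: 'ok ...' or the reason."""
    try:
        info = validate_pkcs12(data)
    except PKCS12BundleError as exc:
        return str(exc)
    return "ok: CN=%s chain=%d" % (info["common_name"], info["chain_length"])


def make_bundle(password: Optional[bytes],
                common_name: Optional[str] = "lb.example.test") -> bytes:
    """Constructed test input: a throwaway self-signed cert and key.
    password=None gives the unencrypted form the data plane can load; a
    password reproduces the 'encrypted with key' case from the bug title."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    attrs = [x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Org")]
    if common_name is not None:
        attrs.append(x509.NameAttribute(NameOID.COMMON_NAME, common_name))
    name = x509.Name(attrs)
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=1))
            .sign(key, hashes.SHA256()))
    enc = (serialization.BestAvailableEncryption(password) if password
           else serialization.NoEncryption())
    return pkcs12.serialize_key_and_certificates(b"lb", key, cert, None, enc)


if __name__ == "__main__":
    for label, blob in [("unencrypted", make_bundle(None)),
                        ("pass-phrase protected", make_bundle(b"secret")),
                        ("no CN", make_bundle(None, common_name=None)),
                        ("garbage", b"not a pkcs12 bundle")]:
        print("%-22s -> %s" % (label, describe_bundle(blob)))
```

The check deliberately loads the bundle with no pass phrase, because that is the only form the amphora can consume; a bundle that only opens with a password is as unusable to the data plane as a corrupt one, so both are rejected before anything is provisioned, and the message names the pass phrase as the first thing to rule out. The DER probe is a convenience for the error text only: `load_key_and_certificates` remains the authoritative check.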

Comment 6 errata-xmlrpc 2020-03-10 11:26:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0770