Bug 1758373

Summary: EXTENDED_VALIDATION doesn't capture certificate / key mismatch, causing the router to misbehave [4.2]
Product: OpenShift Container Platform Reporter: Miciah Dashiel Butler Masters <mmasters>
Component: RoutingAssignee: Dan Mace <dmace>
Status: CLOSED ERRATA QA Contact: Hongan Li <hongli>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 3.9.0CC: aos-bugs, dmace, hongli, sreber
Target Milestone: ---   
Target Release: 4.2.z   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1723400 Environment:
Last Closed: 2019-11-13 18:55:47 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1723400, 1794487    
Bug Blocks: 1758374    

Description Miciah Dashiel Butler Masters 2019-10-03 23:48:11 UTC
+++ This bug was initially created as a clone of Bug #1723400 +++

Description of problem:

Even though the EXTENDED_VALIDATION is set to true, adding a certificate to a specific `route` with the wrong key will cause the `router` to fail during re-load which can impact production services as changes within the service are not properly reflected.

With EXTENDED_VALIDATION on, it's expected to decline such route from being created and prevent the `router` from failing.

Version-Release number of selected component (if applicable):

> oc v3.9.74
> kubernetes v1.9.1+a0ce1bc657
> features: Basic-Auth GSSAPI Kerberos SPNEGO
> 
> Server https://openshift.example.com:443
> openshift v3.9.74
> kubernetes v1.9.1+a0ce1bc657

How reproducible:
Always


Steps to Reproduce:
1. Make sure EXTENDED_VALIDATION is set to `true` on the `router`
2. Create a route with Edge termination set and apply a custom certificate.
3. Add a wrong key for the certificate (not matching) and create the route

Actual results:

`router` is failing to reload and thus apply changes within it's configuration. Error reported by `router` is as following.

E0620 09:53:43.202882       1 limiter.go:137] error reloading router: exit status 1
[ALERT] 170/095343 (13510) : parsing [/var/lib/haproxy/conf/haproxy.config:116] : 'bind 127.0.0.1:10444' : 'crt-list' : error processing line 1 in file '/var/lib/haproxy/conf/cert_config.map' : unable to load SSL private key from PEM file '/var/lib/haproxy/router/certs/example-route:wildcard.pem'.
[ALERT] 170/095343 (13510) : Error(s) found in configuration file : /var/lib/haproxy/conf/haproxy.config
[ALERT] 170/095343 (13510) : Fatal errors found in configuration.
E0620 09:54:08.868115       1 limiter.go:137] error reloading router: exit status 1
[ALERT] 170/095408 (13581) : parsing [/var/lib/haproxy/conf/haproxy.config:116] : 'bind 127.0.0.1:10444' : 'crt-list' : error processing line 1 in file '/var/lib/haproxy/conf/cert_config.map' : unable to load SSL private key from PEM file '/var/lib/haproxy/router/certs/example-route:wildcard.pem'.
[ALERT] 170/095408 (13581) : Error(s) found in configuration file : /var/lib/haproxy/conf/haproxy.config
[ALERT] 170/095408 (13581) : Fatal errors found in configuration.

Expected results:

`router` to reject the `route` in order to continue to function properly and simply notify the creator of the `route` that it was not possible to create the `route` due to validation error.

Additional info:

Comment 2 Hongan Li 2019-10-28 11:52:16 UTC
verified with 4.2.0-0.nightly-2019-10-27-140004 and passed

Comment 4 errata-xmlrpc 2019-11-13 18:55:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3303