Bug 1884646

Summary: OVS IPsec using self-signed certificates on libreswan does not work
Product: Red Hat Enterprise Linux Fast Datapath Reporter: Mark Gray <mark.d.gray>
Component: openvswitch2.13    Assignee: Mark Gray <mark.d.gray>
Status: CLOSED ERRATA QA Contact: qding
Severity: medium Docs Contact:
Priority: unspecified
Version: RHEL 8.0    CC: atragler, ctrautma, jhsiao, pvauter, ralongi, tredaelli
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openvswitch2.13-2.13.0-79.el8fdp Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-05-20 19:29:38 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Mark Gray 2020-10-02 14:50:25 UTC
Description of problem:

OVS IPsec functionality does not work with libreswan when using self-signed certificates. 

When configuring OVS to use self-signed certificates for IPsec encryption, "ovs-pki" sets the CN of the cert to the name specified as part of the ovs-pki command: `ovs-pki req -u <name>`. However, when the "ovs-monitor-ipsec" daemon loads certificates and keys into libreswan, it prefixes the cert nickname with "ovs_cert" and "ovs_certkey" respectively. This can be seen by running the command:

```
$ sudo certutil -d sql:/etc/ipsec.d -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ovs_certkey_host_2                                           u,u,u
ovs_cert_host_1                                              P,P,P
```

This causes libreswan to fail when it tries to establish a tunnel with an error of the type:

pluto[1790412]: Failed to add connection "tun-1" with invalid "left" certificate
pluto[1790412]: failed to find certificate named 'host_2' in the NSS database

How reproducible:

Always

Steps to Reproduce:

Follow the tutorial at https://docs.openvswitch.org/en/latest/tutorials/ipsec/ using the section "2: Using self-signed certificate:"

Actual results:

Traffic is not encrypted.

Expected results:

Traffic is encrypted.
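The nickname mismatch described in this report, checked programmatically: the script below is an added example (not part of the bug report or of OVS) that parses `certutil -L` output in the format shown above and compares it with the `leftcert`/`rightcert` references of a libreswan conn, flagging names that exist only under the `ovs_cert_`/`ovs_certkey_` prefix. The conn fragment, addresses and certutil rows are constructed samples.

```python
import re

# Constructed sample in the shape of `certutil -d sql:/etc/ipsec.d -L` output
CERTUTIL_OUTPUT = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ovs_certkey_host_2                                           u,u,u
ovs_cert_host_1                                              P,P,P
"""

# Constructed sample conn that references certs by their ovs-pki CN (assumed keys)
IPSEC_CONF = """\
conn tun-1
    leftcert=host_2
    rightcert=host_1
"""

# A certutil row: nickname, two or more spaces, NSS trust flags such as "u,u,u"
ROW_RE = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[pPcCTuw,]+)\s*$")
CERT_REF_RE = re.compile(r"^\s*(left|right)cert=(\S+)", re.MULTILINE)
OVS_PREFIXES = ("ovs_cert_", "ovs_certkey_")

def parse_certutil(text):
    """Map each NSS nickname to its trust attributes; header lines never match."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows[m.group("nick")] = m.group("trust")
    return rows

def check_conn_certs(conf, nss_certs):
    """Classify every leftcert/rightcert reference as ok, prefixed or missing."""
    results = []
    for side, nick in CERT_REF_RE.findall(conf):
        if nick in nss_certs:
            status = "ok"          # present exactly as referenced
        elif any(p + nick in nss_certs for p in OVS_PREFIXES):
            status = "prefixed"    # only stored under the daemon's prefix: this bug
        else:
            status = "missing"     # libreswan would also fail to find this one
        results.append((side, nick, status))
    return results

if __name__ == "__main__":
    for side, nick, status in check_conn_certs(IPSEC_CONF, parse_certutil(CERTUTIL_OUTPUT)):
        print(f"{side}cert={nick}: {status}")
```

A "prefixed" result means the conn refers to the CN while the NSS database holds the prefixed nickname, which is exactly the "failed to find certificate named 'host_2'" condition pluto logs above.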

Comment 3 Timothy Redaelli 2021-03-16 13:07:44 UTC
openvswitch is openvswitch 2.9...
changing component to openvswitch2.13 (I also checked and it's already fixed on v2.15.0)

Comment 8 errata-xmlrpc 2021-05-20 19:29:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (openvswitch2.13 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:2083