Red Hat Bugzilla – Full Text Bug Listing
| Field | Value |
|---|---|
| Summary | [apache] pinging a HTTPS URL fails if the certificate is not trusted by the JVM |
| Product | [Other] RHQ Project |
| Reporter | Lukas Krejci <lkrejci> |
| Component | Plugins |
| Assignee | RHQ Project Maintainer <rhq-maint> |
| Status | CLOSED CURRENTRELEASE |
| QA Contact | Mike Foley <mfoley> |
| Version | 4.0.0 |
| CC | hrupp, jsanda, loleary, mazz, skondkar |
| Fixed In Version | |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| (field name missing from page) | 769965 |
| Environment | |
| Last Closed | 2013-09-02 03:17:55 EDT |
| Type | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Bug Depends On | |
| Bug Blocks | 678340, 753904 |
Description Lukas Krejci 2011-03-24 07:08:28 EDT
Description of problem: When apache is configured with a self-signed certificate (or just one not trusted by default by the truststore of the JRE executing the RHQ agent), the availability check fails for the apache server resource or any of its virtual hosts if the URL to ping uses the HTTPS protocol.

Version-Release number of selected component (if applicable):

How reproducible: always

Steps to Reproduce:
1. Configure apache with a self-signed certificate (in the default fedora installation do the following:
   a) open /etc/httpd/conf.d/ssl.conf
   b) uncomment the "SSLCertificateKeyFile" directive
   c) uncomment the "SSLCACertificateFile" directive
   d) restart apache)
2. inventory the apache in RHQ
3. change the "URL" property in the connection properties to https://localhost:443

Actual results: the reported availability goes down

Expected results: avail stays up

Additional info:
Comment 1 Lukas Krejci 2011-03-24 07:13:37 EDT
It is possible to "switch off" the trust checking using code similar to http://www.exampledepot.com/egs/javax.net.ssl/trustall.html. We need to make sure that this behavior is configurable in the connection properties.
Comment 2 John Mazzitelli 2011-04-01 11:36:47 EDT
see if we can fix or at minimum document the workarounds somewhere
Comment 4 Larry O'Leary 2011-04-06 13:37:08 EDT
It appears that the proposed resolution to this bug is to add an option to disable SSL certificate validation completely and to trust all certificates. I think this is fine, but we need to make sure that the option isn't misused, by adding some kind of warning or documentation around the caution of using it. Additionally, I think we should approach this as two separate options: one to trust all certificates, and another to validate the certificate but disable host name validation. This way, for users who hit this issue just because the certificate was issued for a public IP while we are using a local IP to talk to Apache, we can more safely ignore the host name check validation issue.
Comment 5 John Sanda 2011-04-07 13:51:23 EDT
Pushed fix to master. commit: 7e3d9889259a68be7a1461df2ff1908dcc2b8f67 A property named disableCertificateVerification has been added to the Apache server and vhost resource types. It defaults to false/off. If you enable it, certificate validation is disabled during availability checks. This is done on a per-instance basis. In other words, any other components running in the plugin container that require/use certificate validation should remain unaffected.
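As an added example (not the RHQ plugin's code and not the fix from either commit), this shows the safer of the two options described in comment 4 combined with the per-instance scoping described in comment 5: the probe loads a dedicated truststore so the JVM-wide cacerts need not be edited, keeps chain validation, tolerates a host-name mismatch only for an explicit allow-list, and applies both settings to the single connection rather than the process. The class name, truststore path and password, and the allow-list are assumptions.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Set;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
public class PerInstanceHttpsPing {
    // SSLContext that trusts only what is in the given truststore (for example a
    // keystore holding the exported self-signed Apache certificate). The JVM-wide
    // cacerts and every other component in the plugin container stay untouched.
    static SSLContext contextFromTruststore(String path, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }
    // Keeps the default host-name check but also accepts an explicit operator-supplied
    // list of alternate names (e.g. "localhost" when the cert was issued for
    // myhost.domain.com). Chain validation still happens in the SSLContext above.
    static HostnameVerifier allowAlternateHosts(Set<String> allowed) {
        HostnameVerifier dflt = HttpsURLConnection.getDefaultHostnameVerifier();
        return (host, session) -> allowed.contains(host) || dflt.verify(host, session);
    }
    // Availability probe: true if the server answered with any HTTP status, false on
    // connection or TLS failure (untrusted chain, rejected host name, timeout).
    static boolean ping(String url, SSLContext ctx, HostnameVerifier hv) {
        try {
            HttpsURLConnection c = (HttpsURLConnection) new URL(url).openConnection();
            c.setSSLSocketFactory(ctx.getSocketFactory()); // per connection, not global
            c.setHostnameVerifier(hv);                      // per connection as well
            c.setConnectTimeout(5000);
            c.setReadTimeout(5000);
            return c.getResponseCode() > 0;
        } catch (IOException e) {
            return false;
        }
    }
}
```

A caller would pass `contextFromTruststore("/path/to/agent-truststore.jks", "changeit".toCharArray())` and `allowAlternateHosts(Set.of("localhost"))` (assumed values) to `ping`; any other component that builds its own connection keeps the JVM defaults.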
Comment 6 Larry O'Leary 2011-04-08 11:41:45 EDT
For host name verification issue:

Steps to Reproduce:
1. Configure apache with a self-signed certificate using the real host name as the common name (i.e. myhost.domain.com). The host name must be valid and resolvable by DNS. (in the default fedora installation do the following:
   a) open /etc/httpd/conf.d/ssl.conf
   b) uncomment the "SSLCertificateKeyFile" directive
   c) uncomment the "SSLCACertificateFile" directive
   d) restart apache)
2. Install the self-signed public certificate in the JVM's cacerts:
   a) <JRE-path>/bin/keytool -import -keystore "<JRE_path>/lib/security/cacerts" -keypass changeit -alias apachecert -file "/tmp/key.cer"
3. inventory the apache in RHQ
4. change the "URL" property in the connection properties to https://localhost:443

Actual results: the reported availability goes down

Expected results: avail stays up

The difference here is that if the correct host name is used (the one used in the certificate) all is well. The objective is to use an alternate host name (one not in the certificate) but still have everything be okay without the need to completely disregard the certificate.
Comment 7 John Sanda 2011-04-11 11:21:16 EDT
Removing the plugin configuration property that disables SSL cert validation for the URL used in availability checks. Cert validation is automatically disabled if the URL is HTTPS. commit hash: f969d77b1fde23911c544fff01768048cc76c02c
Comment 8 Sunil Kondkar 2011-07-21 08:15:07 EDT
Verified on build209 (Version: 4.1.0-SNAPSHOT, Build Number: e7947ed). Followed the steps and verified that the availability of Apache server stays up. Marking as verified.
Comment 9 Heiko W. Rupp 2013-09-02 03:17:55 EDT
Bulk closing of issues that were VERIFIED, had no target release and where the status changed more than a year ago.