Bug 752777

Summary: condor-aviary doesn't take openssl certificates
Product: Red Hat Enterprise MRG Reporter: Stanislav Graf <sgraf>
Component: condor-aviary Assignee: Pete MacKinnon <pmackinn>
Status: CLOSED NOTABUG QA Contact: MRG Quality Engineering <mrgqe-bugs>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: Development CC: matt
Target Milestone: 2.1   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: Doc Type: Bug Fix
Last Closed: 2011-11-10 14:06:37 UTC Type: ---

Description Stanislav Graf 2011-11-10 12:23:08 UTC
Description of problem:
As was discussed in bug 752414 - certificates generated by certutil and openssl need to be manually reformatted to be usable with condor-aviary. Both formats (server cert first or cacert first in serv.pem) are OK for openssl.

Btw. cumin has the same problem.

When we try to verify those certificates before the manual change (aviary doesn't like them):
# openssl verify -CAfile                    ./ca.pem serv.pem client.pem
serv.pem: OK
client.pem: OK
[12:15:43] ecode=0
# openssl verify -purpose sslclient -CAfile ./ca.pem serv.pem client.pem
serv.pem: OK
client.pem: OK
[12:15:49] ecode=0
# openssl verify -purpose sslserver -CAfile ./ca.pem serv.pem client.pem
serv.pem: OK
client.pem: OK
[12:15:54] ecode=0
# openssl verify -purpose any       -CAfile ./ca.pem serv.pem client.pem
serv.pem: OK
client.pem: OK
[12:16:02] ecode=0

and after the change (aviary likes them):
# openssl verify -CAfile                    ./ca.pem serv.pem client.pem
serv.pem: OK
client.pem: OK
[12:13:35] ecode=0
# openssl verify -purpose sslclient -CAfile ./ca.pem serv.pem client.pem
serv.pem: OK
client.pem: OK
[12:13:44] ecode=0
# openssl verify -purpose sslserver -CAfile ./ca.pem serv.pem client.pem
serv.pem: OK
client.pem: OK
[12:13:53] ecode=0
# openssl verify -purpose any       -CAfile ./ca.pem serv.pem client.pem
serv.pem: OK
client.pem: OK
[12:14:02] ecode=0

Version-Release number of selected component (if applicable):
cumin-0.1.5098-1
condor-7.6.5-0.6
condor-aviary-7.6.5-0.6

How reproducible:
100%

Steps to Reproduce:
see bug 752414 

Actual results:
Generated certificates need manual change

Expected results:
Certificates work without manual change

Additional info:

Comment 1 Pete MacKinnon 2011-11-10 14:00:59 UTC
The failures without the change occur in the openssl API, not aviary.

Comment 2 Pete MacKinnon 2011-11-10 14:06:37 UTC
"SSL_CTX_use_certificate_chain_file() loads a certificate chain from file into ctx. The certificates must be in PEM format and must be sorted starting with the subject's certificate (actual client or server certificate), followed by intermediate CA certificates if applicable, and ending at the highest level (root) CA. There is no corresponding function working on a single SSL object."
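The ordering rule quoted above can be checked and applied mechanically. As an added example (not code from this bug, condor-aviary or OpenSSL), the Python below reads each certificate's issuer and subject with a minimal DER walker and emits the bundle in the order SSL_CTX_use_certificate_chain_file() accepts: end-entity certificate first, root CA last. The `fake_pem` certificates are constructed, unsigned stand-ins used only as test data; real PEM bundles from openssl or certutil have the same field layout and parse the same way.

```python
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: 0x8N, then N length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def issuer_and_subject(der):
    """Raw DER Name bytes of issuer and subject from one X.509 certificate."""
    _, cert, _ = der_tlv(der, 0)               # Certificate ::= SEQUENCE
    _, tbs, _ = der_tlv(cert, 0)               # first element: tbsCertificate
    fields, pos = [], 0
    while pos < len(tbs):
        tag, val, pos = der_tlv(tbs, pos)
        fields.append((tag, val))
    off = 1 if fields[0][0] == 0xA0 else 0     # optional [0] EXPLICIT version
    return fields[2 + off][1], fields[4 + off][1]   # serial, sigAlg, issuer, validity, subject

def order_chain(pem_text):
    """PEM blocks in SSL_CTX_use_certificate_chain_file order: end-entity first, root last."""
    by_subject = {}                            # subject Name -> (issuer Name, PEM block)
    for m in PEM_BLOCK.finditer(pem_text):
        der = base64.b64decode("".join(m.group(1).split()))
        issuer, subject = issuer_and_subject(der)
        by_subject[subject] = (issuer, m.group(0) + "\n")
    issuers = {iss for iss, _ in by_subject.values()}
    leaves = [s for s in by_subject if s not in issuers]   # issued nothing in the bundle
    if len(leaves) != 1:
        raise ValueError("bundle must hold exactly one end-entity certificate")
    ordered, cur = [], leaves[0]
    while cur in by_subject:                   # the root names itself as issuer; once
        cur, block = by_subject.pop(cur)       # popped it is gone and the walk ends
        ordered.append(block)
    return ordered

def fake_pem(subject, issuer):
    """Constructed test data: an unsigned TBSCertificate layout this parser can read."""
    name = lambda s: b"\x30" + bytes([len(s) + 2]) + b"\x13" + bytes([len(s)]) + s
    tbs = (b"\xa0\x03\x02\x01\x02" + b"\x02\x01\x01" + b"\x30\x00"   # version, serial, sigAlg
           + name(issuer) + b"\x30\x00" + name(subject))            # issuer, validity, subject
    tbs = b"\x30" + bytes([len(tbs)]) + tbs
    der = b"\x30" + bytes([len(tbs)]) + tbs
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----" % base64.encodebytes(der).decode()
# Constructed serv.pem-style bundle with the CA certificate first (the order aviary rejected).
CA_FIRST = fake_pem(b"ca", b"ca") + "\n" + fake_pem(b"server", b"ca")
```

Writing `"".join(order_chain(open("serv.pem").read()))` back to the file gives the leaf-first layout the API requires; openssl verify accepts both layouts, which is why it reported OK before and after the manual change.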