Bug 970805
Summary: | httpd conf should set accurate ServerName to avoid TLS "Unrecognized Name" warning | |||
---|---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | Miciah Dashiel Butler Masters <mmasters> | |
Component: | Node | Assignee: | Jason DeTiberus <jdetiber> | |
Status: | CLOSED ERRATA | QA Contact: | libra bugs <libra-bugs> | |
Severity: | unspecified | Docs Contact: | ||
Priority: | unspecified | |||
Version: | 1.2.0 | CC: | adietish, bleanhar, gpei, jdetiber, jpazdziora, libra-onpremise-devel, lmeyer, pruan, tschan+redhat | |
Target Milestone: | --- | |||
Target Release: | --- | |||
Hardware: | Unspecified | |||
OS: | Unspecified | |||
Whiteboard: | ||||
Fixed In Version: | Doc Type: | Bug Fix | ||
Doc Text: |
Cause: As documented and scripted, httpd ServerName was left as "localhost" and the SSL certificate created on node/broker hosts was invalid. Separately, Java 7 HTTPS clients refuse connections when certain related warnings are given by a server.
Consequence:
Access by Java 7-based clients (e.g. JBoss Developer Tools) to the broker would fail, as well as Java 7 client access to apps.
Fix:
Documentation and example install scripts were modified to indicate setting the ServerName and creating correct certificates.
Result:
This problem should not occur if the documentation or scripts are followed.
|
Story Points: | --- | |
Clone Of: | ||||
: | 973219 (view as bug list) | Environment: | ||
Last Closed: | 2013-07-09 19:50:35 UTC | Type: | Bug | |
Bug Depends On: | ||||
Bug Blocks: | 957117, 973219 |
Description
Miciah Dashiel Butler Masters
2013-06-04 23:33:10 UTC
Should we fix this with a combination of documentation and an oo-accept-broker check?

I would suggest documentation, oo-accept-broker, and the installation scripts in openshift-extras as well. Krishna's Puppet module for Origin already sets ServerName: https://github.com/openshift/puppet-openshift_origin/blob/master/templates/broker/broker_servername.conf.erb

Pull request to update install scripts to set ServerName to the hostname for broker and nodes. https://github.com/openshift/openshift-extras/pull/29

It's pretty hard to check in oo-accept-broker that the ServerName is *correct*. We could pretty easily check that it's not the default localhost, though.

Updates to oo-diagnostics: https://github.com/openshift/origin-server/pull/2810

Updates to install script: https://github.com/openshift/openshift-extras/pull/29

Commit pushed to master at https://github.com/openshift/origin-server

https://github.com/openshift/origin-server/commit/6dc5503401a78a337c11f71c560d663ed27bca59

<oo-diagnostics> Bug 970805 - Add check for broker SSL cert

https://bugzilla.redhat.com/show_bug.cgi?id=970805

Add a test for verifying that the broker SSL cert is valid and that ServerName matches the certificate Common Name

Finally, enterprise updates: https://github.com/openshift/enterprise-server/pull/78

Andre Dietisheim <adietish> made a comment on jira JBIDE-14760

Moving this WATCHER to 4.1.x since the root issue in OpenShift Enterprise is fixed but not published/released yet. We keep watching it and will resolve it once we can test against a fixed instance.
Verify this on puddle: http://buildvm-devops.usersys.redhat.com/puddle/build/OpenShiftEnterprise/1.2/2013-06-12.3/

After setting up OSE env, check the ServerName of broker and nodes:

    [root@broker conf.d]# cat 000002_openshift_origin_broker_servername.conf |grep ServerName
    # a consistent default ServerName broker.osevvv.com
    ServerName broker.osevvv.com
    [root@node conf.d]# cat 000001_openshift_origin_node_servername.conf|grep ServerName
    # a consistent default ServerName node.osevvv.com
    ServerName node.osevvv.com

Both of them are correct. Use oo-diagnostics to verify the broker SSL cert is valid; no errors are thrown.

    [root@broker conf.d]# oo-diagnostics -v
    INFO: loading list of installed packages
    INFO: OpenShift broker installed.
    ...
    INFO: running: test_broker_certificate
    NO ERRORS

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHEA-2013-1031.html
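A sketch of the kind of check discussed in this bug: that ServerName is not the default localhost, that it matches the certificate Common Name, and that the certificate is within its validity period. This is an added example, not code from oo-diagnostics or the origin-server repository; the function names, the `broker.example.com` hostname and the in-memory self-signed certificate are constructed for illustration.

```ruby
require 'openssl'

# Host part of each active ServerName directive (scheme and port dropped).
# Comment lines that merely mention "ServerName" are skipped.
def server_names(conf_text)
  conf_text.each_line.map(&:strip).reject { |l| l.start_with?('#') }
           .map { |l| l[/\AServerName\s+(?:\w+:\/\/)?([^\s:]+)/i, 1] }.compact
end

# Subject Common Name of an OpenSSL::X509::Certificate, or nil.
def common_name(cert)
  entry = cert.subject.to_a.find { |field, _value, _type| field == 'CN' }
  entry && entry[1]
end

# Returns a list of problems; an empty list means the check passed.
def check_servername(conf_text, cert, now = Time.now)
  names = server_names(conf_text)
  return ['no ServerName directive found'] if names.empty?
  cn = common_name(cert).to_s
  problems = []
  names.each do |name|
    problems << "ServerName #{name} is the default" if name =~ /\Alocalhost\z/i
    problems << "ServerName #{name} != certificate CN #{cn}" unless name.casecmp?(cn)
  end
  valid_now = (cert.not_before..cert.not_after).cover?(now)
  problems << 'certificate is outside its validity period' unless valid_now
  problems
end

# Constructed fixture: in-memory self-signed certificate for the given CN.
def self_signed(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
end

# Constructed sample inputs (hostnames are placeholders, not from the bug).
CERT = self_signed('broker.example.com')
GOOD_CONF = "# a consistent default ServerName\nServerName broker.example.com\n"
DEFAULT_CONF = "ServerName localhost\n"
puts check_servername(DEFAULT_CONF, CERT)
```

The comparison covers only the subject Common Name, as in the commit message quoted above; it does not look at subjectAltName entries.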