Bug 985952

Summary: unknown issuer or CA when adding ssl cert to openshift online
Product: OpenShift Online
Reporter: Nick Harvey <niharvey>
Component: Website
Assignee: Fabiano Franz <ffranz>
Status: CLOSED CURRENTRELEASE
QA Contact: libra bugs <libra-bugs>
Severity: medium
Priority: medium
Version: 1.x
CC: ffranz, yujzhang
Hardware: All
OS: All
Doc Type: Bug Fix
Last Closed: 2013-08-07 22:55:38 UTC
Type: Bug

Description Nick Harvey 2013-07-18 15:04:51 UTC
Description of problem:
After purchasing and installing a UCC SSL certificate from GoDaddy and installing the cert, bundle and key into the alias configuration, an SSL connection is possible, but the bundle/chain doesn't appear to be installed correctly. All tools used to validate report an unknown issuer or CA, due to lack of a valid intermediate chain certificate.

Version-Release number of selected component (if applicable):


How reproducible: always



Steps to Reproduce:
1. Go to add a custom SSL cert
2. Fill out the form / upload the files
3. Test connection

Actual results:
SSL Connection is possible but validation fails


Expected results:
SSL cert should be uploaded correctly / combined properly


Additional info:
Workaround:

1. Combine the certificate with the bundle into one file
2. Upload that file as the certificate
3. Do not upload any file for the chain file
4. Upload key file
5. Enter passphrase, and hit submit

Combine Process:
1. Open your certificate and chain file in a text editor. 
2. Copy all of the contents from your chain file and paste them directly below the -----END CERTIFICATE----- line in your certificate. 
3. Save the certificate file
4. Use this file to upload as the certificate
5. Do NOT choose to upload a bulk/chain file
6. Upload your private key file
7. Enter the certificate passphrase if you have one
8. Click save.
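
The combine process above, as an added example (not part of the original report and not the origin-server fix): a Python helper that builds the single upload file with the leaf certificate first and the chain after it. It re-emits every block on its own lines, so a certificate file saved without a trailing newline cannot fuse the `-----END CERTIFICATE-----` and `-----BEGIN CERTIFICATE-----` delimiters, and it refuses any non-certificate block such as a private key. The function names are hypothetical and the sample data is constructed placeholder bytes, not real X.509 certificates.

```python
import base64
import re

# One PEM block of any type; the label is captured so non-certificate blocks can be rejected.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

def pem_blocks(text):
    """Return [(label, der_bytes)] for every PEM block found in text."""
    return [(label, base64.b64decode("".join(body.split()), validate=True))
            for label, body in PEM_BLOCK.findall(text)]

def to_pem(der):
    """Re-encode DER bytes as a CERTIFICATE block with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"])

def combine_cert_and_chain(cert_pem, chain_pem):
    """Build the single file from the workaround: leaf certificate, then the chain."""
    leaf = pem_blocks(cert_pem)
    chain = pem_blocks(chain_pem)
    if len(leaf) != 1 or leaf[0][0] != "CERTIFICATE":
        raise ValueError("certificate file must hold exactly one CERTIFICATE block")
    if not chain or any(label != "CERTIFICATE" for label, _ in chain):
        raise ValueError("chain file must hold only CERTIFICATE blocks (no keys)")
    # Order matters: the server's own certificate comes first, intermediates follow.
    return "\n".join(to_pem(der) for _, der in leaf + chain) + "\n"

# Constructed placeholder bytes, not real certificates; only the PEM framing matters here.
LEAF = to_pem(b"constructed leaf certificate " * 4)  # saved without a trailing newline
CHAIN = (to_pem(b"constructed intermediate " * 4) + "\n"
         + to_pem(b"constructed root " * 4) + "\n")

if __name__ == "__main__":
    print(combine_cert_and_chain(LEAF, CHAIN), end="")
```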

Comment 1 Fabiano Franz 2013-07-30 20:19:39 UTC
Waiting on customer response through the Red Hat Customer Portal.

Comment 2 Fabiano Franz 2013-07-30 20:59:37 UTC
Pull request: https://github.com/openshift/origin-server/pull/3232

Comment 3 openshift-github-bot 2013-07-31 16:33:48 UTC
Commits pushed to master at https://github.com/openshift/origin-server

https://github.com/openshift/origin-server/commit/86417253196d6caa23e192a53fb767debbbc3b06
Bug 985952 - strip certificate content when appending chain

https://github.com/openshift/origin-server/commit/672edbaca33aa8ddbecb4b498b19fb7dab4078da
Bug 985952 - should not touch certificate if chain was not provided

Comment 4 Yujie Zhang 2013-08-01 06:03:47 UTC
Tested on devenv-stage_429, the crt can be added successfully when combining the chain file to the crt file, so verify this bug, thanks.