Red Hat Bugzilla – Bug 1023381
Can not successfully delete ssl certificates after migration
Last modified: 2015-05-14 19:31:34 EDT
Description of problem:
After migration, an attempt to delete an SSL certificate that was added before the upgrade took place fails: the client shows the certificate as deleted, but the certificate info is not removed from the datastore and node.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Create applications, add alias and ssl certificates on devenv-stage_528
2. Upgrade stage ami to latest and migrate
rhc-admin-migrate-datastore --compatible --version 2.0.35
oo-admin-upgrade upgrade-node --version 2.0.35 --ignore-cartridge-version
3. Try to delete one ssl certificate from the application
rhc alias-list -l email@example.com -p redhat sslapps
Alias Has Certificate? Certificate Added
----------- ---------------- -----------------
ns.ssl.test yes 2013-10-24
rhc alias delete-cert sslapp pl.ssl.test --confirm -l firstname.lastname@example.org -p redhat
SSL certificate successfully deleted.
4. Connect to mongo and query the application; the ssl certificate field is still true
"aliases" : [
"_id" : ObjectId("5269e7344b4e3f9e3800059d"),
"certificate_added_at" : ISODate("2013-10-24T00:00:00Z"),
"fqdn" : "pl.ssl.test",
"has_private_ssl_certificate" : true
5. Check /var/lib/openshift/.httpd.d , the certificates are deleted
6. Check the certificate info: curl -k -vvv https://pl.ssl.test/>/dev/null
The certificate is not removed:
* Server certificate:
* subject: E=test,CN=OpenShift,OU=HSS,O=RedHat,L=BJ,ST=BJ,C=CN
* start date: Apr 12 02:08:38 2013 GMT
* expire date: Apr 12 02:08:38 2014 GMT
* common name: OpenShift
* issuer: E=test,CN=OpenShift,OU=HSS,O=RedHat,L=BJ,ST=BJ,C=CN
> GET / HTTP/1.1
The certificate should be removed successfully
The actual issue is that the application save is failing due to validation failures in the deployments structure. The specific issue is that the activations array is empty and the validation code does not like that.
The options that we have are:
1) Relax the validations in the code
2) Migrate the applications with deployment structures to set the activation time at, say, creation time.
The deployment structure shown below is from the application created on stage devenv and then upgraded and migrated.
"deployments" : [
"deployment_id" : "2a7fc675",
"created_at" : ISODate("2013-10-29T00:05:05.484Z"),
"hot_deploy" : false,
"force_clean_build" : false,
"ref" : "master",
"sha1" : "",
"artifact_url" : null,
"activations" : [ ]
The issue is that we do not record an activation time during the gear upgrade.
Note: this fix should be verified on a devenv and will not affect the state of any apps in INT.
Broker side fix to validate deployments so that app is not set to an invalid state
Commit pushed to master at https://github.com/openshift/li
Fix bug 1023381: Add activation time during build-deploy upgrade
Commit pushed to master at https://github.com/openshift/origin-server
Checking deployment validations for bug 1023381, 1023304
Verified on devenv_3966
After migration, delete the ssl certificate, and query that app in datastore, the "has_private_ssl_certificate" flag is false. The cert is removed from mongo and node.
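
The consistency check implied by the root-cause analysis above, as an added Ruby example that is not code from the OpenShift broker or from this bug's commits: it works on plain hashes shaped like the fields quoted in this report, flags aliases whose certificate deletion cannot be persisted because a deployment has an empty activations array, and applies option 2 by backfilling the creation time. The sample documents, the helper names and the representation of an activation as a Time value are assumptions.

```ruby
# Constructed sample documents using the field names quoted in this report.
# 'freshapp' and its values are made up for illustration.
APPS = [
  { 'name' => 'sslapp',
    'aliases' => [{ 'fqdn' => 'pl.ssl.test',
                    'has_private_ssl_certificate' => true }],
    'deployments' => [{ 'deployment_id' => '2a7fc675',
                        'created_at' => Time.utc(2013, 10, 29, 0, 5, 5),
                        'activations' => [] }] },
  { 'name' => 'freshapp',
    'aliases' => [{ 'fqdn' => 'fresh.ssl.test',
                    'has_private_ssl_certificate' => true }],
    'deployments' => [{ 'deployment_id' => 'aaaaaaaa',
                        'created_at' => Time.utc(2013, 11, 1),
                        'activations' => [Time.utc(2013, 11, 1)] }] }
]

# Deployments that would trip the "activations must not be empty" validation
# described in the report, which makes every later save of the app fail.
def invalid_deployments(app)
  (app['deployments'] || []).select { |d| (d['activations'] || []).empty? }
end

# Aliases still flagged as carrying a certificate on an app that cannot be
# saved: deleting these certificates would not be persisted to the datastore.
def at_risk_aliases(app)
  return [] if invalid_deployments(app).empty?
  (app['aliases'] || [])
    .select { |a| a['has_private_ssl_certificate'] }
    .map { |a| a['fqdn'] }
end

# Option 2 from the report: set the activation time to the creation time.
# Storing the Time object itself is an assumption about the record format.
def backfill_activations!(app)
  invalid_deployments(app).each { |d| d['activations'] = [d['created_at']] }
  app
end

# Map of app name => alias FQDNs whose certificate state can go stale.
def audit(apps)
  apps.map { |app| [app['name'], at_risk_aliases(app)] }
      .reject { |_, fqdns| fqdns.empty? }
      .to_h
end

puts audit(APPS).inspect
```

Running the audit before and after a migration shows which applications still need the activation backfill before certificate deletions on them can be trusted.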