Description of problem:
When a user adds an alias for his app, routing-daemon creates an nginx conf file which listens on 0.0.0.0:443. When the user uploads his own SSL cert for this alias, routing-daemon creates another nginx conf file which also listens on 0.0.0.0:443. They conflict, which causes one of them not to take effect.

Version-Release number of selected component (if applicable):
rubygem-openshift-origin-routing-daemon-0.17.1.6-1.el6op.noarch

How reproducible:
Always

Steps to Reproduce:
1. Create a scalable app.
2. Add an alias for this app.
3. Upload his own SSL cert for this alias.
   $ rhc alias update-cert scaruby18app www.app1.com --certificate server.crt --private-key server.key
   SSL certificate successfully added.
4. Edit /etc/hosts to add the nginx host IP to alias mapping:
   10.66.79.158 www.app1.com    # on 10.66.79.158, routing-daemon and nginx are running.
5. Try to curl the app's page using the cert via the alias.

Actual results:
$ curl --cacert server.crt https://www.app1.com|grep title
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

I could find the following message:

==> /var/log/nginx16/error.log <==
2014/11/21 17:39:51 [warn] 25193#0: conflicting server name "www.app1.com" on 0.0.0.0:443, ignored

# pwd
/opt/rh/nginx16/root/etc/nginx/conf.d
# cat cert_pool_ose_scaruby18app_jialiu_80_www.app1.com.conf
server {
    listen 443 ssl;
    server_name www.app1.com;
    ssl_certificate /opt/rh/nginx16/root/etc/nginx/conf.d/www.app1.com.crt;
    ssl_certificate_key /opt/rh/nginx16/root/etc/nginx/conf.d/www.app1.com.key;
    location / {
        proxy_pass http://pool_ose_scaruby18app_jialiu_80;
    }
}
# cat alias_pool_ose_scaruby18app_jialiu_80_www.app1.com.conf
server {
    listen 80;
    server_name www.app1.com;
    location / {
        proxy_pass http://pool_ose_scaruby18app_jialiu_80;
    }
}
server {
    listen 443 ssl;
    server_name www.app1.com;
    location / {
        proxy_pass http://pool_ose_scaruby18app_jialiu_80;
    }
}

Obviously, both conf files listen on 443 with the same server name, "www.app1.com". After I commented out the 443 server block in alias_pool_ose_scaruby18app_jialiu_80_www.app1.com.conf, everything works well.

Expected results:
There should be only one config file listening on port 443. Currently the alias routing file is named alias_pool_ose_scaruby18app_jialiu_80_www.app1.com.conf, so I suggest that when a user adds an alias for his app, two conf files are created: one for 80, another for 443. E.g.:

# cat alias_pool_ose_scaruby18app_jialiu_80_www.app1.com.conf
server {
    listen 80;
    server_name www.app1.com;
    location / {
        proxy_pass http://pool_ose_scaruby18app_jialiu_80;
    }
}
# cat alias_pool_ose_scaruby18app_jialiu_443_www.app1.com.conf
server {
    listen 443 ssl;
    server_name www.app1.com;
    location / {
        proxy_pass http://pool_ose_scaruby18app_jialiu_80;
    }
}

When the user updates the alias cert, routing-daemon should only change alias_pool_ose_scaruby18app_jialiu_443_www.app1.com.conf to add the cert file locations, just like the following; that would avoid such conflicts.

# cat alias_pool_ose_scaruby18app_jialiu_443_www.app1.com.conf
server {
    listen 443 ssl;
    server_name www.app1.com;
    ssl_certificate /opt/rh/nginx16/root/etc/nginx/conf.d/www.app1.com.crt;
    ssl_certificate_key /opt/rh/nginx16/root/etc/nginx/conf.d/www.app1.com.key;
    location / {
        proxy_pass http://pool_ose_scaruby18app_jialiu_80;
    }
}

Additional info:
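The following is an added illustration, not code from routing-daemon or from this report. It models the two halves of the problem above: a renderer that emits a single per-alias nginx config whose 443 block gains ssl_certificate / ssl_certificate_key only once a cert exists, and a check that reproduces what nginx warned about in error.log, namely two server blocks bound to the same port with the same server_name across the files in conf.d. The helper names (render_alias_conf, server_blocks, find_conflicts) are illustrative; the pool name, alias and cert paths are the ones from the report, and the file contents under BEFORE are constructed to match the two conflicting files shown above.

```ruby
# Added example (hypothetical helpers, not routing-daemon's own code).

# Render ONE config per alias.  `cert` is nil until the user uploads a
# certificate; afterwards the 443 block carries the ssl_* directives, so no
# second file on :443 is ever written for the same server_name.
def render_alias_conf(pool, alias_name, cert: nil)
  lines = []
  lines << "server {" << "    listen 80;" << "    server_name #{alias_name};"
  lines << "    location / {" << "        proxy_pass http://#{pool};" << "    }" << "}"
  lines << "server {" << "    listen 443 ssl;"
  if cert
    lines << "    ssl_certificate #{cert[:crt]};"
    lines << "    ssl_certificate_key #{cert[:key]};"
  end
  lines << "    server_name #{alias_name};"
  lines << "    location / {" << "        proxy_pass http://#{pool};" << "    }" << "}"
  lines.join("\n") + "\n"
end

# Split a config into its top-level { ... } blocks by tracking brace depth,
# so nested `location { }` blocks stay inside their server block.
def server_blocks(conf)
  blocks = []
  depth = 0
  current = nil
  conf.each_char do |ch|
    current << ch if current
    if ch == "{"
      depth += 1
      current = "{" if depth == 1
    elsif ch == "}"
      depth -= 1
      if depth == 0 && current
        blocks << current
        current = nil
      end
    end
  end
  blocks
end

# Given { filename => contents }, return { [port, server_name] => [files] }
# for every (port, name) pair that is claimed by more than one file.  This is
# the condition nginx reports as "conflicting server name ... ignored".
def find_conflicts(confs)
  seen = Hash.new { |h, k| h[k] = [] }
  confs.each do |file, text|
    server_blocks(text).each do |block|
      listen = block[/listen\s+([^;]+);/, 1]
      name   = block[/server_name\s+([^;]+);/, 1]
      next unless listen && name
      port = listen.split.first            # "443 ssl" -> "443"
      name.split.each { |n| seen[[port, n]] << file }
    end
  end
  seen.select { |_, files| files.size > 1 }
end

POOL  = "pool_ose_scaruby18app_jialiu_80"  # pool and alias names from the report
ALIAS = "www.app1.com"
CERT  = { crt: "/opt/rh/nginx16/root/etc/nginx/conf.d/www.app1.com.crt",
          key: "/opt/rh/nginx16/root/etc/nginx/conf.d/www.app1.com.key" }

# Constructed to match the pre-fix layout: alias file (80 + bare 443) plus a
# separate cert file that also binds :443 for the same server_name.
BEFORE = {
  "alias_#{POOL}_#{ALIAS}.conf" => render_alias_conf(POOL, ALIAS),
  "cert_#{POOL}_#{ALIAS}.conf"  => "server {\n    listen 443 ssl;\n" \
    "    server_name #{ALIAS};\n    ssl_certificate #{CERT[:crt]};\n" \
    "    ssl_certificate_key #{CERT[:key]};\n" \
    "    location / { proxy_pass http://#{POOL}; }\n}\n",
}
# Post-fix layout: one file per alias, cert directives merged into its 443 block.
AFTER = { "alias_#{POOL}_#{ALIAS}.conf" => render_alias_conf(POOL, ALIAS, cert: CERT) }

if __FILE__ == $0
  puts "before fix: #{find_conflicts(BEFORE).inspect}"   # one ["443", "www.app1.com"] entry, two files
  puts "after fix:  #{find_conflicts(AFTER).inspect}"    # {}
end
```

Running the script prints the single conflicting (port, server_name) pair for the pre-fix layout and an empty hash afterwards; the same find_conflicts check can be pointed at real conf.d contents read from disk as a post-deploy sanity check before `nginx -s reload`, which is cheaper than discovering the silently ignored block from a failed TLS handshake as in the curl output above.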
Great idea on the solution for this. I've opened a PR upstream for this patch. https://github.com/openshift/origin-server/pull/5974 I'll get it merged into enterprise-server once it's upstream.
Verified this bug with rubygem-openshift-origin-routing-daemon-0.20.2.3-1.el6op.noarch, and PASS. Now only one nginx config file for the alias is built.

[root@dhcp-128-178 conf.d]# pwd
/opt/rh/nginx16/root/etc/nginx/conf.d
[root@dhcp-128-178 conf.d]# ls
alias_pool_ose_scaruby18app_jialiu_80_ha-scaruby18app-jialiu.example.com.conf  pool_ose_scaruby18app_jialiu_80.conf  www.app1.com.crt
alias_pool_ose_scaruby18app_jialiu_80_www.app1.com.conf                        server.conf                           www.app1.com.key
[root@dhcp-128-178 conf.d]# cat alias_pool_ose_scaruby18app_jialiu_80_www.app1.com.conf
server {
    listen 80;
    server_name www.app1.com;
    location / {
        proxy_pass http://pool_ose_scaruby18app_jialiu_80;
    }
}
server {
    listen 443 ssl;
    ssl_certificate /opt/rh/nginx16/root/etc/nginx/conf.d/www.app1.com.crt;
    ssl_certificate_key /opt/rh/nginx16/root/etc/nginx/conf.d/www.app1.com.key;
    server_name www.app1.com;
    location / {
        proxy_pass http://pool_ose_scaruby18app_jialiu_80;
    }
}

$ curl --cacert server.crt https://www.app1.com|grep title
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
<title>Welcome to OpenShift</title>
100 39604  100 39604    0     0   232k      0 --:--:-- --:--:-- --:--:--  234k

It works well.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2014-1979.html