Bug 1256692 - When use inconsistent owner of signer key and serial file to create certificate meet crash error
When use inconsistent owner of signer key and serial file to create certifica...
Status: CLOSED CURRENTRELEASE
Product: OpenShift Origin
Classification: Red Hat
Component: Auth (Show other bugs)
3.x
Unspecified Unspecified
medium Severity low
: ---
: ---
Assigned To: Jordan Liggitt
weiwei jiang
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-08-25 05:32 EDT by DeShuai Ma
Modified: 2016-10-30 18:54 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-05-12 13:09:08 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description DeShuai Ma 2015-08-25 05:32:26 EDT
Description of problem:
When use "oadm ca create-server-cert" to create a key and server certificate, 
if the owner of signer key and serial file is inconsistent, it always failed with "panic: runtime error: invalid memory address or nil pointer dereference"

Version-Release number of selected component (if applicable):
openshift v1.0.4-502-g96963b6
kubernetes v1.1.0-alpha.0-1605-g44c91b1

How reproducible:
Always

Steps to Reproduce:
1.Check the file ca privilege
[fedora@ip-10-237-174-172 sample-app]$ ls -l ca.*
-rw-r--r--. 1 fedora fedora 1066 Aug 25 01:49 ca.crt
-rw-------. 1 fedora fedora 1675 Aug 25 01:49 ca.key
-rw-r--r--. 1 fedora fedora    2 Aug 25 09:10 ca.serial.txt

2.Create a key and server certificate
[fedora@ip-10-237-174-172 sample-app]$ oadm ca create-server-cert --signer-cert=ca.crt --signer-key=ca.key --signer-serial=ca.serial.txt --hostnames='docker-registry.dma1.svc.cluster.local,172.30.24.194' --cert=registry.crt --key=registry.key --v=6
I0825 09:19:27.146680    5635 create_servercert.go:106] Creating a server cert with: admin.CreateServerCertOptions{SignerCertOptions:(*admin.SignerCertOptions)(0xc2080e47c0), CertFile:"registry.crt", KeyFile:"registry.key", Hostnames:util.StringList{"docker-registry.dma1.svc.cluster.local", "172.30.24.194"}, Overwrite:true, Output:(*os.File)(0xc20802e008)}
I0825 09:19:27.494220    5635 crypto.go:218] Generating server certificate in registry.crt, key in registry.key
I0825 09:19:27.974290    5635 create_servercert.go:121] Generated new server certificate as registry.crt, key as registry.key

3.Change ca.serial.txt owner to root:root
[fedora@ip-10-237-174-172 sample-app]$ sudo chown root:root ca.serial.txt
[fedora@ip-10-237-174-172 sample-app]$ ls -l ca.*
-rw-r--r--. 1 fedora fedora 1066 Aug 25 01:49 ca.crt
-rw-------. 1 fedora fedora 1675 Aug 25 01:49 ca.key
-rw-r--r--. 1 root   root      2 Aug 25 09:19 ca.serial.txt

4. Create a key and server certificate again
[fedora@ip-10-237-174-172 sample-app]$ oadm ca create-server-cert --signer-cert=ca.crt --signer-key=ca.key --signer-serial=ca.serial.txt --hostnames='docker-registry.dma1.svc.cluster.local,172.30.24.194' --cert=registry.crt --key=registry.key --v=6
I0825 09:21:09.348837    5710 create_servercert.go:106] Creating a server cert with: admin.CreateServerCertOptions{SignerCertOptions:(*admin.SignerCertOptions)(0xc2080e4800), CertFile:"registry.crt", KeyFile:"registry.key", Hostnames:util.StringList{"docker-registry.dma1.svc.cluster.local", "172.30.24.194"}, Overwrite:true, Output:(*os.File)(0xc20802e008)}
I0825 09:21:10.129751    5710 crypto.go:218] Generating server certificate in registry.crt, key in registry.key
panic: runtime error: invalid memory address or nil pointer dereference
[signal 0xb code=0x1 addr=0x0 pc=0xbb979c]

goroutine 1 [running]:
github.com/openshift/origin/pkg/cmd/server/crypto.encodeCertificates(0xc2081fd0e0, 0x2, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0)
	/go/src/github.com/openshift/origin/_output/local/go/src/github.com/openshift/origin/pkg/cmd/server/crypto/crypto.go:429 +0x2bc
github.com/openshift/origin/pkg/cmd/server/crypto.writeCertificates(0x7fff5128c547, 0xc, 0xc2081fd0e0, 0x2, 0x2, 0x0, 0x0)
	/go/src/github.com/openshift/origin/_output/local/go/src/github.com/openshift/origin/pkg/cmd/server/crypto/crypto.go:463 +0xdf
github.com/openshift/origin/pkg/cmd/server/crypto.(*TLSCertificateConfig).writeCertConfig(0xc20833f200, 0x7fff5128c547, 0xc, 0x7fff5128c55a, 0xc, 0x0, 0x0)
	/go/src/github.com/openshift/origin/_output/local/go/src/github.com/openshift/origin/pkg/cmd/server/crypto/crypto.go:43 +0x67
github.com/openshift/origin/pkg/cmd/server/crypto.(*CA).MakeServerCert(0xc20833ecc0, 0x7fff5128c547, 0xc, 0x7fff5128c55a, 0xc, 0xc20833ecf0, 0x7fff5128c56b, 0x0, 0x0)
	/go/src/github.com/openshift/origin/_output/local/go/src/github.com/openshift/origin/pkg/cmd/server/crypto/crypto.go:227 +0x5b2
github.com/openshift/origin/pkg/cmd/server/admin.CreateServerCertOptions.CreateServerCert(0xc2080e4800, 0x7fff5128c547, 0xc, 0x7fff5128c55a, 0xc, 0xc208348340, 0x2, 0x2, 0x1, 0x7f3e3215e6f0, ...)
	/go/src/github.com/openshift/origin/_output/local/go/src/github.com/openshift/origin/pkg/cmd/server/admin/create_servercert.go:116 +0x224
github.com/openshift/origin/pkg/cmd/server/admin.func·013(0xc2083276c0, 0xc208320d20, 0x0, 0x7)
	/go/src/github.com/openshift/origin/_output/local/go/src/github.com/openshift/origin/pkg/cmd/server/admin/create_servercert.go:59 +0x139
github.com/spf13/cobra.(*Command).execute(0xc2083276c0, 0xc208320c40, 0x7, 0x7, 0x0, 0x0)
	/go/src/github.com/openshift/origin/Godeps/_workspace/src/github.com/spf13/cobra/command.go:477 +0x3d4
github.com/spf13/cobra.(*Command).Execute(0xc208036b60, 0x0, 0x0)
	/go/src/github.com/openshift/origin/Godeps/_workspace/src/github.com/spf13/cobra/command.go:551 +0x414
main.main()
	/go/src/github.com/openshift/origin/_output/local/go/src/github.com/openshift/origin/cmd/openshift/openshift.go:22 +0x175

goroutine 5 [syscall]:
os/signal.loop()
	/usr/lib/golang/src/os/signal/signal_unix.go:21 +0x1f
created by os/signal.init·1
	/usr/lib/golang/src/os/signal/signal_unix.go:27 +0x35

goroutine 8 [chan receive]:
github.com/golang/glog.(*loggingT).flushDaemon(0x401e4a0)
	/go/src/github.com/openshift/origin/Godeps/_workspace/src/github.com/golang/glog/glog.go:879 +0x78
created by github.com/golang/glog.init·1
	/go/src/github.com/openshift/origin/Godeps/_workspace/src/github.com/golang/glog/glog.go:410 +0x2a7

goroutine 17 [syscall, locked to thread]:
runtime.goexit()
	/usr/lib/golang/src/runtime/asm_amd64.s:2232 +0x1

Actual results:
4.crash with error "panic: runtime error: invalid memory address or nil pointer dereference"

Expected results:
4.Should not fail or tip info not crash.

Additional info:
Comment 1 Jordan Liggitt 2016-02-12 13:15:31 EST
Fixed in https://github.com/openshift/origin/pull/7153
Comment 2 DeShuai Ma 2016-02-14 00:34:34 EST
[fedora@ip-172-18-7-137 master]$ openshift version
openshift v1.1.1-21-gbc1a879
kubernetes v1.1.0-origin-1107-g4c8e6f4
etcd 2.2.2

[fedora@ip-172-18-7-137 master]$ ls -l ca*
-rw-r--r--. 1 fedora fedora 1066 Feb 14 05:15 ca.crt
-rw-------. 1 fedora fedora 1675 Feb 14 05:15 ca.key
-rw-r--r--. 1 root   root      2 Feb 14 05:26 ca.serial.txt
[fedora@ip-172-18-7-137 master]$ oadm ca create-server-cert --signer-cert=ca.crt --signer-key=ca.key --signer-serial=ca.serial.txt --hostnames='docker-registry.dma1.svc.cluster.local,172.18.7.137' --cert=registry.crt --key=registry.key --v=6
I0214 05:30:55.286711    8312 create_servercert.go:106] Creating a server cert with: admin.CreateServerCertOptions{SignerCertOptions:(*admin.SignerCertOptions)(0xc20850a0c0), CertFile:"registry.crt", KeyFile:"registry.key", Hostnames:[]string{"docker-registry.dma1.svc.cluster.local", "172.18.7.137"}, Overwrite:true, Output:(*os.File)(0xc20802e008)}
I0214 05:30:55.428845    8312 crypto.go:249] Generating server certificate in registry.crt, key in registry.key
panic: runtime error: invalid memory address or nil pointer dereference
[signal 0xb code=0x1 addr=0x0 pc=0xcfabfc]

goroutine 1 [running]:
github.com/openshift/origin/pkg/cmd/server/crypto.encodeCertificates(0xc2084e0560, 0x2, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0)
	/go/src/github.com/openshift/origin/_output/local/go/src/github.com/openshift/origin/pkg/cmd/server/crypto/crypto.go:467 +0x2bc
github.com/openshift/origin/pkg/cmd/server/crypto.writeCertificates(0x7fff1cc4351b, 0xc, 0xc2084e0560, 0x2, 0x2, 0x0, 0x0)
	/go/src/github.com/openshift/origin/_output/local/go/src/github.com/openshift/origin/pkg/cmd/server/crypto/crypto.go:501 +0xdf
github.com/openshift/origin/pkg/cmd/server/crypto.(*TLSCertificateConfig).writeCertConfig(0xc2083eee40, 0x7fff1cc4351b, 0xc, 0x7fff1cc4352e, 0xc, 0x0, 0x0)
	/go/src/github.com/openshift/origin/_output/local/go/src/github.com/openshift/origin/pkg/cmd/server/crypto/crypto.go:71 +0x67
github.com/openshift/origin/pkg/cmd/server/crypto.(*CA).MakeServerCert(0xc2083eae70, 0x7fff1cc4351b, 0xc, 0x7fff1cc4352e, 0xc, 0xc2083eb230, 0x1, 0x0, 0x0)
	/go/src/github.com/openshift/origin/_output/local/go/src/github.com/openshift/origin/pkg/cmd/server/crypto/crypto.go:258 +0x5b2
github.com/openshift/origin/pkg/cmd/server/admin.CreateServerCertOptions.CreateServerCert(0xc20850a0c0, 0x7fff1cc4351b, 0xc, 0x7fff1cc4352e, 0xc, 0xc20851e7a0, 0x2, 0x2, 0x1, 0x7f41701a5530, ...)
	/go/src/github.com/openshift/origin/_output/local/go/src/github.com/openshift/origin/pkg/cmd/server/admin/create_servercert.go:116 +0x224
github.com/openshift/origin/pkg/cmd/server/admin.func·015(0xc208503c00, 0xc2085107e0, 0x0, 0x7)
	/go/src/github.com/openshift/origin/_output/local/go/src/github.com/openshift/origin/pkg/cmd/server/admin/create_servercert.go:59 +0x139
github.com/spf13/cobra.(*Command).execute(0xc208503c00, 0xc208510700, 0x7, 0x7, 0x0, 0x0)
	/go/src/github.com/openshift/origin/Godeps/_workspace/src/github.com/spf13/cobra/command.go:572 +0x82f
github.com/spf13/cobra.(*Command).ExecuteC(0xc2084e8000, 0xc208503c00, 0x0, 0x0)
	/go/src/github.com/openshift/origin/Godeps/_workspace/src/github.com/spf13/cobra/command.go:662 +0x4db
github.com/spf13/cobra.(*Command).Execute(0xc2084e8000, 0x0, 0x0)
	/go/src/github.com/openshift/origin/Godeps/_workspace/src/github.com/spf13/cobra/command.go:618 +0x3a
main.main()
	/go/src/github.com/openshift/origin/_output/local/go/src/github.com/openshift/origin/cmd/openshift/openshift.go:22 +0x175

goroutine 5 [syscall]:
os/signal.loop()
	/usr/lib/golang/src/os/signal/signal_unix.go:21 +0x1f
created by os/signal.init·1
	/usr/lib/golang/src/os/signal/signal_unix.go:27 +0x35

goroutine 10 [chan receive]:
github.com/golang/glog.(*loggingT).flushDaemon(0x4cdab20)
	/go/src/github.com/openshift/origin/Godeps/_workspace/src/github.com/golang/glog/glog.go:879 +0x78
created by github.com/golang/glog.init·1
	/go/src/github.com/openshift/origin/Godeps/_workspace/src/github.com/golang/glog/glog.go:410 +0x2a7

goroutine 17 [syscall, locked to thread]:
runtime.goexit()
	/usr/lib/golang/src/runtime/asm_amd64.s:2232 +0x1
Comment 3 Jordan Liggitt 2016-02-16 02:21:04 EST
This is fixed in master, but has not been tagged into a release yet.
Comment 4 DeShuai Ma 2016-02-17 00:07:45 EST
Verify this on the latest origin.
[fedora@ip-172-18-14-193 master]$ openshift version
openshift v1.1.2-301-gcf704a1
kubernetes v1.2.0-origin
etcd 2.2.2+git

[fedora@ip-172-18-14-193 master]$ ls -l ca*
-rw-r--r--. 1 fedora fedora 1070 Feb 17 04:49 ca.crt
-rw-------. 1 fedora fedora 1679 Feb 17 04:49 ca.key
-rw-r--r--. 1 root   root      2 Feb 17 04:49 ca.serial.txt
[fedora@ip-172-18-14-193 master]$ oadm ca create-server-cert --signer-cert=ca.crt --signer-key=ca.key --signer-serial=ca.serial.txt --hostnames='docker-registry.dma1.svc.cluster.local,172.18.7.137' --cert=registry.crt --key=registry.key --v=6
I0217 05:06:33.096226    6223 create_servercert.go:106] Creating a server cert with: admin.CreateServerCertOptions{SignerCertOptions:(*admin.SignerCertOptions)(0xc82048af00), CertFile:"registry.crt", KeyFile:"registry.key", Hostnames:[]string{"docker-registry.dma1.svc.cluster.local", "172.18.7.137"}, Overwrite:true, Output:(*os.File)(0xc82002c010)}
I0217 05:06:33.097217    6223 crypto.go:249] Generating server certificate in registry.crt, key in registry.key
I0217 05:06:33.303345    6223 create_servercert.go:121] Generated new server certificate as registry.crt, key as registry.key
F0217 05:06:33.303399    6223 helpers.go:104] error: open ca.serial.txt: permission denied

Note You need to log in before you can comment on or make changes to this bug.