Red Hat Bugzilla – Bug 1268317
Intermediary SSL certificate chains ignored by GUI preventing viewing from iOS devices
Last modified: 2017-05-31 14:22:11 EDT
Created attachment 1079450
Longer description of SSL missing intermediary chain.
Some SSL certificates require submission of intermediary certs to complete the signing chain from recognized Root CA to host key.
1. Add public key and private key (with no intermediary key) via command line. iOS does not recognize the signatory, and gives you a warning (correct and expected behavior).
2. Add all three keys (public, private, and intermediary) through the GUI. Intermediary key does not get loaded.
3. Delete existing certificate using GUI. Load all three keys. Intermediary key does not get loaded.
4. Get reissued certificates originally from GoDaddy, now with Starfield.
5. Repeat (3), same results.
6. Delete existing certificate using GUI. Concatenate intermediary keys and public key (intermediary keys first). Load concatenated key and private key. GUI warning - incorrect private key provided.
7. (No existing certificate to be deleted). Concatenate public key and intermediary key (public key first). Load concatenated key and private key. BINGO! Success.
Attached is a full review of the SSL/TLS, with status from step (3). Note that the intermediary keys required are not found. I think the report calls it "extra download required." "Full" browsers, such as Chrome, ff, and Safari on your laptop, will go the extra mile and perform the download. Smartphone browsers often will not. I tested with iPhone and iPad.
Is there any chance you could attach the exact files that you are uploading through the GUI? The problem may be that we are not adequately normalising the input at that point, in which case it would be helpful to have the exact input.
Ping! Is this still an issue?
I was able to work around it (with the instructions above), and have not tried it since.
I can't give out the private key, so not sure it is of any help to provide the others.
Commit pushed to master at https://github.com/openshift/origin-server
Remove SSL Cert Chain Field from web console
Bug 1268317, Bug 1281901, Bug 1269637
Remove SSL Certificate Chain Field from web console.
Document that the user must concatenate SSL cert files into a single file to upload,
or upload the already-concatenated file included in the SSL certificate from
the SSL certificate provider.
Checked with devenv_5760, and the Cert Chain Field has been removed.
And it has prompted customers to upload a cert that puts primary and intermediate certificates into a single file.
We apologize; however, we do not plan to address this report at this time. The majority of our active development is for the v3 version of OpenShift. If you would like for Red Hat to reconsider this decision, please reach out to your support representative. We are very sorry for any inconvenience this may cause.