Bug 1268317 - Intermediary SSL certificate chains ignored by GUI preventing viewing from iOS devices
Product: OpenShift Online
Classification: Red Hat
Component: Containers
Assigned To: Sally
Reported: 2015-10-02 09:50 EDT by Erich Morisse
Modified: 2017-05-31 14:22 EDT
Doc Type: Bug Fix
Last Closed: 2017-05-31 14:22:11 EDT
Type: Bug

Attachments
Longer description of SSL missing intermediary chain. (480.63 KB, application/pdf)
2015-10-02 09:50 EDT, Erich Morisse

Description Erich Morisse 2015-10-02 09:50:45 EDT
Created attachment 1079450
Longer description of SSL missing intermediary chain.

Some SSL certificates require submission of intermediary certs to complete the signing chain from recognized Root CA to host key. 

Steps taken:
1. Add public key and private key (with no intermediary key) via command line. iOS[89] do not recognize the signatory, and give you a warning (correct and expected behavior).
2. Add all three keys (public, private, and intermediary) through the GUI.  Intermediary key does not get loaded. 
3. Delete existing certificate using GUI. Load all three keys. Intermediary key does not get loaded.
4. Get reissued certificates originally from GoDaddy, now with Starfield.
5. Repeat (3), same results.
6. Delete existing certificate using GUI. Concatenate intermediary keys and public key (intermediary keys first). Load concatenated key and private key. GUI warning - incorrect private key provided.
7. (No existing certificate to be deleted). Concatenate public key and intermediary key (public key first). Load concatenated key and private key. BINGO! Success.

Attached is a full review of the SSL/TLS, with status from step (3). Note that the intermediary keys required are not found. I think the report calls it "extra download required." "Full" browsers, such as Chrome, ff, and Safari on your laptop, will go the extra mile and perform the download. Smartphone browsers often will not. I tested with iPhone and iPad.
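
The difference between steps 6 and 7 above can be checked locally before uploading anything. The following is an added example, not part of the original report or of OpenShift's code: it assumes the `openssl` CLI is installed and that the server matches the private key against the first certificate in the uploaded file (an assumption consistent with the results of steps 6 and 7). It compares names only and does not verify signatures; all file names and the demo CA hierarchy are constructed.

```shell
# Added example, not from the bug report. File names and the throwaway
# root -> intermediate -> leaf hierarchy are constructed for the demo.

# Succeeds only if the FIRST certificate in bundle $1 belongs to private key $2
# ("openssl x509" reads only the first PEM block in a file).
bundle_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
  [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if each certificate's issuer is the subject of the next one.
bundle_is_ordered() {
  names=$(openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null |
          openssl pkcs7 -print_certs -noout 2>/dev/null)
  [ -n "$names" ] || return 2
  prev_issuer=""
  while IFS= read -r line; do
    case "$line" in
      subject=*) [ -z "$prev_issuer" ] ||
                 [ "$prev_issuer" = "${line#subject=}" ] || return 1 ;;
      issuer=*)  prev_issuer=${line#issuer=} ;;
    esac
  done <<EOF
$names
EOF
  return 0
}

# issue DIR NAME CN SIGNER: new key and CSR for CN, signed with SIGNER's key.
issue() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.crt" -CAkey "$1/$4.key" \
    -CAcreateserial -out "$1/$2.crt" 2>/dev/null
}

# Build the demo hierarchy in directory $1 and write both concatenation orders.
make_demo_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo Root" \
    -keyout "$1/root.key" -out "$1/root.crt" 2>/dev/null || return 1
  issue "$1" int "Demo Intermediate" root || return 1
  issue "$1" leaf "www.example.test" int || return 1
  cat "$1/leaf.crt" "$1/int.crt" > "$1/leaf_first.pem"  # order of step 7
  cat "$1/int.crt" "$1/leaf.crt" > "$1/int_first.pem"   # order of step 6
}
```

After sourcing the functions, run `make_demo_chain "$(mktemp -d)"` to produce the two sample bundles, or call `bundle_matches_key` and `bundle_is_ordered` on your own concatenated file and key.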
Comment 1 Miciah Dashiel Butler Masters 2015-11-06 14:26:24 EST
Is there any chance you could attach the exact files that you are uploading through the GUI? The problem may be that we are not adequately normalising the input at that point, in which case it would be helpful to have the exact input.
Comment 2 Miciah Dashiel Butler Masters 2015-12-11 14:59:37 EST
Ping! Is this still an issue?
Comment 3 Erich Morisse 2015-12-11 15:05:25 EST
I was able to work around it (with the instructions above), and have not tried it since.

I can't give out the private key, so not sure it is of any help to provide the others.
Comment 4 openshift-github-bot 2016-01-27 15:39:35 EST
Commit pushed to master at https://github.com/openshift/origin-server

Remove SSL Cert Chain Field from web console

Bug 1268317, Bug 1281901, Bug 1269637
Bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=1268317
Bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=1281901
Bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=1269637

Remove SSL Certificate Chain Field from web console.
Document that the user must concatenate SSL cert files into a single file to upload,
or upload the already-concatenated file included in the SSL certificate from
the SSL certificate provider.
Comment 5 weiwei jiang 2016-01-31 22:06:53 EST
Checked with devenv_5760, and the Cert Chain Field has been removed.
And it has prompted customers to upload a cert that puts the primary and intermediate certificates into a single file.
Comment 6 Eric Paris 2017-05-31 14:22:11 EDT
We apologize, however, we do not plan to address this report at this time. The majority of our active development is for the v3 version of OpenShift. If you would like for Red Hat to reconsider this decision, please reach out to your support representative. We are very sorry for any inconvenience this may cause.
