Red Hat Bugzilla – Bug 1269637
Updating TLS certificates does not update the chaining certificate
Last modified: 2017-05-31 14:22:11 EDT
Description of problem: I just updated the TLS certificate and key for securityblog.redhat.com. I put the chaining certificate in but it doesn't seem to be working. SSLLabs (https://www.ssllabs.com/ssltest/analyze.html?d=securityblog.redhat.com) still shows the intermediate certificate to be an extra download instead of being presented by the server.
I've reinstalled the certs several times and restarted the application to no avail.
To clarify, the intermediate certificate doesn't seem to be recognized when it is sent.
The reason your blog is currently working with https appears to be that the Red Hat *.rhcloud.com certificate is also signed by Digicert, who signed your certificate. Usually, without the intermediate, there would be more severe issues.
Speaking with one of our SSL experts on the support team, it looks like you need to include the whole certificate chain (certificate, root, and intermediate) when you upload the certificate to openshift. Take a look at this short article:
You should be able to simply `cat` your certificate, root, and intermediate into a single .crt file to upload to openshift. Please try that and, if you still have issues, open a support case with the GSS team.
This doesn't look to be affecting any other applications, as it is only this application that is having the issue. Closing this for now as NOTABUG since no other applications appear to be affected.
No, this is a bug and it appears to be specific to the GUI. When uploading the new certificate and intermediate certificate the new certificate takes effect but the intermediate certificate isn't used. One must concatenate the certificate and the intermediate certificate together to make everything work.
From what I was told on IRC, it would appear that the intermediate certificate entry on the GUI is new. Maybe that's where the problem lies?
This issue can be replicated on openshift v2 stg. Create a new certificate authority (using ca.sh or tinyca2), trust that CA in your browser, then generate a new key + certificate for an app. You'll need a working DNS entry so you can create an alias. Apply the key + certificate to the app. The intermediate certificate will not be applied.
Using the CLI, it's possible to work around this issue by concatenating the signed certificate and intermediate certificate (in that order):
cat install_openshift_com.crt DigiCert.CA > install.openshift.com.pem
rhc alias update-cert oo install.openshift.com --certificate install.openshift.com.pem --private-key install.openshift.com.key
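The bundle build, a local order check, and a check of what the live server actually presents, as an added shell example that is not from the bug report; file names are placeholders, and the two openssl-based functions assume openssl is installed:

```shell
#!/bin/sh
# Added example (not from the bug report): build the leaf+intermediate bundle
# the CLI workaround relies on, check its order locally, then confirm that the
# live server really sends the intermediate. File names are placeholders.
set -eu

# Count PEM certificate blocks in a file; a bundle with only 1 has no chain.
pem_block_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Concatenate certificates in the order given (leaf first, then the
# intermediate) into $1 and print the resulting block count.
build_chain() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        cat "$f" >> "$out"
        # a file without a trailing newline must not glue two blocks together
        [ -n "$(tail -c1 "$f")" ] && printf '\n' >> "$out"
    done
    pem_block_count "$out"
}

# Each certificate in the bundle must be issued by the one that follows it.
# Returns non-zero on the first mismatch (e.g. intermediate placed before leaf).
check_chain_order() {
    bundle=$1
    n=$(pem_block_count "$bundle")
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(awk -v k="$i" '/BEGIN CERTIFICATE/{c++} c==k' "$bundle" | openssl x509 -noout -issuer)
        subject=$(awk -v k=$((i+1)) '/BEGIN CERTIFICATE/{c++} c==k' "$bundle" | openssl x509 -noout -subject)
        [ "${issuer#issuer=}" = "${subject#subject=}" ] || { echo "order error at cert $i" >&2; return 1; }
        i=$((i+1))
    done
}

# Number of certificates the live server presents; 1 means the intermediate is
# still missing, which is what SSL Labs reported in the description above.
served_cert_count() {
    openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | grep -c '^-----BEGIN CERTIFICATE-----'
}

# Usage (placeholder names):
#   build_chain install.openshift.com.pem install_openshift_com.crt DigiCert.CA
#   check_chain_order install.openshift.com.pem && served_cert_count install.openshift.com
```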
Checked with devenv_5760, and the Cert Chain Field has been removed.
And it has prompted customers to upload a cert that puts the primary and intermediate certificates into a single file.
We apologize, however, we do not plan to address this report at this time. The majority of our active development is for the v3 version of OpenShift. If you would like for Red Hat to reconsider this decision, please reach out to your support representative. We are very sorry for any inconvenience this may cause.