This service will be undergoing maintenance at 00:00 UTC, 2017-10-23 It is expected to last about 30 minutes
Bug 1281901 - https using letsencrypt has B rating - chain incomplete
https using letsencrypt has B rating - chain incomplete
Status: CLOSED WONTFIX
Product: OpenShift Online
Classification: Red Hat
Component: Containers (Show other bugs)
2.x
Unspecified Unspecified
unspecified Severity medium
: ---
: ---
Assigned To: Sally
DeShuai Ma
:
Depends On:
Blocks: 1310266
  Show dependency treegraph
 
Reported: 2015-11-13 13:16 EST by lucas0033@gmail.com
Modified: 2017-05-31 14:22 EDT (History)
9 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1310266 (view as bug list)
Environment:
Last Closed: 2017-05-31 14:22:11 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description lucas0033@gmail.com 2015-11-13 13:16:39 EST
Description of problem: 
I tried to add letsencrypt certificate to openshift. I uploaded cert.pem + chain.pem + priv.pem and I got https working, but with B rating and chain incomplete message. When I used only fullchain.pem + priv.pem https worked and I got A record - chain was complete. More info can be found here - https://community.letsencrypt.org/t/this-servers-certificate-chain-is-incomplete-grade-capped-to-b-openshift/3665


Version-Release number of selected component (if applicable): Openshift v2


How reproducible: 
Apply letsencrypt certificate to openshift v2 using cert.pem + chain.pem + priv.pem

Actual results: 
B rating and chain incomplete


Expected results:
A rating and chain complete


Additional info:
Comment 1 Miciah Dashiel Butler Masters 2015-12-01 11:54:13 EST
It is possible that the problem lies in the normalization of encoding, whitespace, etc. that the management console performs when one uploads certificates.  Do you see the same problem when you use the rhc command-line tool instead of the Web-based management console to upload the certificates?

Here is documentation on installing the rhc client tool:   https://developers.openshift.com/en/managing-client-tools.html

Here is documentation on uploading certificates using rhc:   https://developers.openshift.com/en/managing-domains-ssl.html#_command_line_rhc

If you can answer the above question, that will help us narrow down whether the problem is in the management console, our httpd configuration, or possibly somewhere else.  Thanks!
Comment 2 lucas0033@gmail.com 2015-12-01 12:19:08 EST
Hi,
I am missing chain parameter in rhc:

rhc alias update-cert <application_name> <domain_name> --certificate <cert_file> --private-key <key_file>
Comment 3 Sally 2016-01-05 11:48:33 EST
I believe one fix will solve this + 2 other current bzs:

https://bugzilla.redhat.com/show_bug.cgi?id=1269637
https://bugzilla.redhat.com/show_bug.cgi?id=1268317

Solution could be to remove the 'SSL Certificate Chain' field in the web console, and to document clearly that cert + chain should be concatenated manually (cert 1st, then chain) and uploaded in the 'SSL Certificate*' field as a 'fullchainfile.pem' OR user should upload the 'fullchain.pem' if SSL cert provider automatically concatenates the cert + chain (letsencrypt does).

This solution makes sense, especially since there is no 'SSL Certificate Chain' upload option in the rhc tool.  The rhc tool options should match the web console options, correct?
Comment 4 weiwei jiang 2016-01-31 22:07:01 EST
Checked with devenv_5760, and the Cert Chain Field has been removed.
And has prompted customers to upload a cert that put primary and intermediate certificates into a single file.
Comment 5 Eric Paris 2017-05-31 14:22:11 EDT
We apologize, however, we do not plan to address this report at this time. The majority of our active development is for the v3 version of OpenShift. If you would like for Red Hat to reconsider this decision, please reach out to your support representative. We are very sorry for any inconvenience this may cause.

Note You need to log in before you can comment on or make changes to this bug.