Bug 1309435 - namedCertificates do not match the wild card certificate
Summary: namedCertificates do not match the wild card certificate
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Auth
Version: 3.1.0
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
: ---
Assignee: Jordan Liggitt
QA Contact: weiwei jiang
URL:
Whiteboard:
Depends On:
Blocks: 130
TreeView+ depends on / blocked
 
Reported: 2016-02-17 19:45 UTC by Kenny Woodson
Modified: 2016-10-30 22:55 UTC (History)
5 users (show)

Fixed In Version: atomic-openshift-3.1.1.905-1.git.0.ef5902f.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-05-12 16:29:21 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:1064 normal SHIPPED_LIVE Important: Red Hat OpenShift Enterprise 3.2 security, bug fix, and enhancement update 2016-05-12 20:19:17 UTC

Description Kenny Woodson 2016-02-17 19:45:11 UTC
Description of problem:

When installing and configuring a cluster recently we added our SSL certificate to the master-config file and we added our configuration to the namedCertificates.  

master-config.yml:
  namedCertificates:
  - certFile: /etc/origin/master/named_certificates/star_tsi_openshift_com.crt
    keyFile: /etc/origin/master/named_certificates/tsi.key
    names:
    - "api.tsi.openshift.com"
    - "console.tsi.openshift.com"

We then proceeded to see this error:

Feb 17 13:17:07 ip-172-31-48-111.ec2.internal atomic-openshift-master-controllers[33594]: W0217 13:17:07.639989   33594 start_master.go:269] servingInfo.namedCertificates[0].names[0]: invalid value 'api.tsi.openshift.com', Details: the specified certificate does not have a CommonName or DNS subjectAltName that matches this name
Feb 17 13:17:07 ip-172-31-48-111.ec2.internal atomic-openshift-master-controllers[33594]: W0217 13:17:07.640112   33594 start_master.go:269] servingInfo.namedCertificates[0].names[1]: invalid value 'config.tsi.openshift.com', Details: the specified certificate does not have a CommonName or DNS subjectAltName that matches this name


The certificate is a wild card certificate:
Subject: C=US, ST=North Carolina, L=Raleigh, O=Red Hat Inc.,CN=*.tsi.openshift.com


SLL command:
openssl x509 -in /etc/origin/master/named_certificates/star_tsi_openshift_com.crt -text -noout | grep -A 1 "Subject Alternative Name"
            X509v3 Subject Alternative Name:
                DNS:*.tsi.openshift.com, DNS:tsi.openshift.com





Version-Release number of selected component (if applicable):
3.1.1.6-2

How reproducible:
I'm not sure but we saw this on a fresh create and using the openshift-ansible byo playbooks.

Steps to Reproduce:
1. Set the values in /etc/origin/master-config.yml correctly. (those mentioned above)
2.  Attempt to start the master service. 
systemctl restart atomic-openshift-master-controllers.service
3. Look for the error message in the journal.  
journalctl -lu atomic-openshift-master-controllers

Actual results:
We are seeing that the wild card does not match the names given.

Expected results:
The names should match and we should not see the error.

Additional info:

Comment 1 Jordan Liggitt 2016-02-17 19:52:14 UTC
Fixed in https://github.com/openshift/origin/pull/7399

Comment 2 Jordan Liggitt 2016-02-19 15:09:50 UTC
Hostname verification merged upstream in https://github.com/openshift/origin/pull/7399

Comment 3 weiwei jiang 2016-02-23 09:59:10 UTC
Checked with devenv-rhel7_3509 and 
openshift v3.1.1.905
kubernetes v1.2.0-alpha.7-703-gbc4550d
etcd 2.2.5

The bug can not be reproduced.

Comment 5 errata-xmlrpc 2016-05-12 16:29:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2016:1064


Note You need to log in before you can comment on or make changes to this bug.