1309435 – namedCertificates do not match the wild card certificate

Bug 1309435 - namedCertificates do not match the wild card certificate

Summary: namedCertificates do not match the wild card certificate

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	apiserver-auth
Sub Component:
Version:	3.1.0
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Target Release:	---
Assignee:	Jordan Liggitt
QA Contact:	weiwei jiang
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	130
TreeView+	depends on / blocked

Reported:	2016-02-17 19:45 UTC by Kenny Woodson
Modified:	2016-10-30 22:55 UTC (History)
CC List:	5 users (show)
Fixed In Version:	atomic-openshift-3.1.1.905-1.git.0.ef5902f.el7
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-05-12 16:29:21 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2016:1064	0	normal	SHIPPED_LIVE	Important: Red Hat OpenShift Enterprise 3.2 security, bug fix, and enhancement update	2016-05-12 20:19:17 UTC

Description Kenny Woodson 2016-02-17 19:45:11 UTC

Description of problem:

When installing and configuring a cluster recently we added our SSL certificate to the master-config file and we added our configuration to the namedCertificates.  

master-config.yml:
  namedCertificates:
  - certFile: /etc/origin/master/named_certificates/star_tsi_openshift_com.crt
    keyFile: /etc/origin/master/named_certificates/tsi.key
    names:
    - "api.tsi.openshift.com"
    - "console.tsi.openshift.com"

We then proceeded to see this error:

Feb 17 13:17:07 ip-172-31-48-111.ec2.internal atomic-openshift-master-controllers[33594]: W0217 13:17:07.639989   33594 start_master.go:269] servingInfo.namedCertificates[0].names[0]: invalid value 'api.tsi.openshift.com', Details: the specified certificate does not have a CommonName or DNS subjectAltName that matches this name
Feb 17 13:17:07 ip-172-31-48-111.ec2.internal atomic-openshift-master-controllers[33594]: W0217 13:17:07.640112   33594 start_master.go:269] servingInfo.namedCertificates[0].names[1]: invalid value 'config.tsi.openshift.com', Details: the specified certificate does not have a CommonName or DNS subjectAltName that matches this name


The certificate is a wild card certificate:
Subject: C=US, ST=North Carolina, L=Raleigh, O=Red Hat Inc.,CN=*.tsi.openshift.com


SLL command:
openssl x509 -in /etc/origin/master/named_certificates/star_tsi_openshift_com.crt -text -noout | grep -A 1 "Subject Alternative Name"
            X509v3 Subject Alternative Name:
                DNS:*.tsi.openshift.com, DNS:tsi.openshift.com





Version-Release number of selected component (if applicable):
3.1.1.6-2

How reproducible:
I'm not sure but we saw this on a fresh create and using the openshift-ansible byo playbooks.

Steps to Reproduce:
1. Set the values in /etc/origin/master-config.yml correctly. (those mentioned above)
2.  Attempt to start the master service. 
systemctl restart atomic-openshift-master-controllers.service
3. Look for the error message in the journal.  
journalctl -lu atomic-openshift-master-controllers

Actual results:
We are seeing that the wild card does not match the names given.

Expected results:
The names should match and we should not see the error.

Additional info:

Comment 1 Jordan Liggitt 2016-02-17 19:52:14 UTC

Fixed in https://github.com/openshift/origin/pull/7399

Comment 2 Jordan Liggitt 2016-02-19 15:09:50 UTC

Hostname verification merged upstream in https://github.com/openshift/origin/pull/7399

Comment 3 weiwei jiang 2016-02-23 09:59:10 UTC

Checked with devenv-rhel7_3509 and 
openshift v3.1.1.905
kubernetes v1.2.0-alpha.7-703-gbc4550d
etcd 2.2.5

The bug can not be reproduced.

Comment 5 errata-xmlrpc 2016-05-12 16:29:21 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2016:1064

Note You need to log in before you can comment on or make changes to this bug.