Bug 1312853 - [Docs] SSL Certificate generation instructions don't configure correctly the subject alternative names
Status: CLOSED CURRENTRELEASE
Product: Red Hat OpenStack
Classification: Red Hat
Component: documentation
8.0 (Liberty)
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ga
Target Release: 8.0 (Liberty)
Assigned To: Charelle Collett
RHOS Documentation Team
: Documentation
Depends On:
Blocks:
Reported: 2016-02-29 06:58 EST by Marius Cornea
Modified: 2017-02-22 20:34 EST (History)
2 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-02-22 20:34:44 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Description Marius Cornea 2016-02-29 06:58:58 EST
Description of problem:

The SSL certificate generation instructions don't correctly configure the subject alternative names, and the deployment only works when the CN is set to the public VIP.

I am using the instructions here [1] to generate a certificate used for undercloud deployment. This is how the alt_names section looks in my openssl.cnf:

[alt_names]
IP.1 = 192.0.2.2
DNS.1 = instack.localdomain
DNS.2 = vip.localdomain

In addition to the instructions I added the cert to the system trusted store which is required for OSP8:

sudo cp undercloud.pem /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust extract 

curl https://192.0.2.2:13777 works ok:
[stack@instack ~]$ curl https://192.0.2.2:13777
Authentication required

curl https://vip.localdomain:13777 fails:
[stack@instack ~]$ curl https://vip.localdomain:13777
curl: (51) Unable to communicate securely with peer: requested domain name does not match the server's certificate.

vip.localdomain resolves to 192.0.2.2 in /etc/hosts. 

If we check the generated certificate we can see that there is no X509v3 Subject Alternative Name extension:

[stack@instack ~]$ openssl x509 -in undercloud.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 9309607435479309949 (0x81325ea35e145e7d)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=AU, ST=Queensland, L=Brisbane, O=Red Hat, OU=Red Hat, CN=192.0.2.2
        Validity
            Not Before: Feb 29 11:19:31 2016 GMT
            Not After : Feb 28 11:19:31 2017 GMT
        Subject: C=AU, ST=Queensland, L=Brisbane, O=Red Hat, OU=Red Hat, CN=192.0.2.2
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b4:4d:b4:61:22:3b:0d:1b:6d:00:4d:36:c8:e3:
                    ed:8b:10:c6:9c:bb:59:9c:0b:d6:55:82:f5:ff:59:
                    9a:c8:e2:e4:44:30:8a:eb:61:b7:18:87:56:75:43:
                    d1:19:97:77:a9:9d:e3:db:36:93:01:0e:81:80:a0:
                    34:2a:15:b8:cd:e8:3a:b9:58:ec:d0:09:bf:ae:ad:
                    8b:a8:23:91:b1:41:3f:c7:ac:fa:cd:51:da:89:d2:
                    bc:f3:b4:33:21:e0:88:0b:fd:f8:8a:ea:98:59:55:
                    53:3e:2b:06:29:6f:59:6b:db:ee:27:2b:a2:4d:10:
                    db:f8:15:fd:dd:ce:4f:a4:19:16:81:29:1d:6b:80:
                    67:0f:da:17:14:29:04:63:a3:33:4b:9d:cd:d6:c6:
                    99:66:c5:d0:48:db:0d:45:7a:db:5e:df:1f:86:7d:
                    57:ef:c0:8e:06:5a:50:8d:84:84:52:3f:50:3b:af:
                    85:fb:a8:84:26:67:41:8d:28:13:c2:6c:b4:f8:87:
                    c9:0e:12:44:35:51:ec:80:ac:3a:e3:94:08:f3:81:
                    9a:14:46:1b:0d:7e:d5:ee:8e:aa:9d:75:95:7b:d3:
                    08:f8:1f:49:e8:04:6b:ce:26:60:b2:c6:79:ec:10:
                    0c:08:b8:fb:f3:f2:fe:9e:67:f3:1f:eb:49:7b:be:
                    85:69
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                49:97:C2:44:B1:10:FA:80:FE:D8:D5:29:BE:F4:53:FA:08:0B:C8:70
            X509v3 Authority Key Identifier: 
                keyid:49:97:C2:44:B1:10:FA:80:FE:D8:D5:29:BE:F4:53:FA:08:0B:C8:70

            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         3e:68:df:7f:ea:a4:99:52:1d:56:e4:35:bf:cd:1b:e5:2f:da:
         68:f2:24:60:53:22:1d:ac:10:bc:a8:53:74:69:ba:c0:dd:0b:
         fe:eb:03:cc:b5:67:06:fa:51:de:3a:b6:af:68:b4:cc:90:10:
         b8:49:c6:a4:48:ed:d2:a9:8e:c4:bc:37:15:e3:e6:65:2d:d1:
         ab:64:c0:b4:61:ae:a1:17:cd:2a:b6:ce:00:df:e7:66:64:37:
         97:3e:90:99:7b:a7:ca:3a:91:57:6f:44:fa:74:ba:28:ba:97:
         18:05:d0:62:56:56:43:52:c6:d9:27:61:87:ee:35:3d:e7:5d:
         d7:b4:eb:91:b4:a5:83:1c:ea:ee:49:07:33:91:dd:9a:47:87:
         6f:28:05:3c:f6:ff:82:3e:f0:ca:71:e8:78:f9:a0:0a:93:42:
         58:31:fd:bf:f3:51:16:aa:74:54:5f:94:7a:f2:72:95:df:d4:
         8f:ac:1a:c9:88:9e:a0:58:10:dd:b3:7a:78:c3:c9:ce:0b:7a:
         12:dc:91:6a:27:8d:ef:48:1e:ef:ff:03:6b:f2:0d:8f:f0:2d:
         44:68:c4:56:fb:26:3c:83:b7:16:ea:7a:79:75:71:c9:17:33:
         9a:05:20:bc:15:47:16:5e:e2:97:21:7d:d5:c4:b1:d3:22:51:
         e5:b9:3d:6f


[1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform/7/html/Director_Installation_and_Usage/appe-SSL_Certificate_Configuration.html
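The behaviour in the report is what OpenSSL does when an [alt_names] section is defined but never referenced: nothing reads it, so the certificate carries no Subject Alternative Name extension and hostname checks fall back to the CN, which matches only the IP. The script below is an added example, not code from the bug report or from the Red Hat documentation it links. It builds two self-signed certificates from the same DN and [alt_names] entries, one where a v3 extension section references the list via subjectAltName = @alt_names and is applied with -extensions, and one where it is left unreferenced, then inspects the SAN extension and runs the same name check curl performs. The working directory and file names are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the bug report or the Red Hat docs): generate a
# self-signed certificate whose Subject Alternative Name extension actually
# carries the [alt_names] entries, and check it before deploying.
# WORKDIR and the file names below are assumptions for this example.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Write an openssl.cnf. The [alt_names] section on its own is inert: it only
# takes effect when an extension section that openssl actually applies
# references it with "subjectAltName = @alt_names". Pass "yes" to wire it in,
# "no" to reproduce a config that defines [alt_names] but never uses it.
write_config() {
  cfg="$1"; wire_san="$2"
  {
    cat <<'EOF'
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
C = AU
ST = Queensland
L = Brisbane
O = Red Hat
OU = Red Hat
CN = 192.0.2.2

[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
EOF
    if [ "$wire_san" = "yes" ]; then
      echo 'subjectAltName = @alt_names'
    fi
    cat <<'EOF'

[alt_names]
IP.1 = 192.0.2.2
DNS.1 = instack.localdomain
DNS.2 = vip.localdomain
EOF
  } > "$cfg"
}

# Self-signed certificate; -extensions names the section whose extensions
# are copied into the certificate (openssl req -x509 ignores req_extensions).
generate_cert() {
  cfg="$1"; out="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$cfg" -extensions v3_req \
    -keyout "$out.key" -out "$out.crt" 2>/dev/null
}

# Print the SAN entries of a certificate, or nothing if the extension is absent.
cert_san() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# Exit 0 if the certificate is valid for the given DNS name or IP address,
# the same decision curl makes before it sends the request.
cert_matches_host() { openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'; }
cert_matches_ip()   { openssl x509 -in "$1" -noout -checkip "$2" | grep -q 'does match'; }

main() {
  write_config "$WORKDIR/with_san.cnf" yes
  write_config "$WORKDIR/no_san.cnf" no
  generate_cert "$WORKDIR/with_san.cnf" "$WORKDIR/with_san"
  generate_cert "$WORKDIR/no_san.cnf" "$WORKDIR/no_san"
  echo "SAN with subjectAltName wired in: $(cert_san "$WORKDIR/with_san.crt")"
  echo "SAN with [alt_names] unreferenced: '$(cert_san "$WORKDIR/no_san.crt")'"
  for cert in with_san no_san; do
    for name in vip.localdomain instack.localdomain; do
      if cert_matches_host "$WORKDIR/$cert.crt" "$name"; then
        echo "$cert.crt covers $name"
      else
        echo "$cert.crt does NOT cover $name"
      fi
    done
  done
}
main
```

The same check is worth running on any certificate before it is handed to the undercloud: an empty result from cert_san, or a NOT match from -checkhost for the public VIP name, means curl and every other TLS client will reject the name regardless of what the CN says. If the certificate is instead issued by signing a CSR with openssl x509 -req, the SAN from the CSR is not copied over unless an -extfile/-extensions section is supplied there as well.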
Comment 1 Charelle Collett 2017-02-22 20:34:44 EST
Looks like this issue was addressed by these two previous bugs:

https://bugzilla.redhat.com/show_bug.cgi?id=1350736
https://bugzilla.redhat.com/show_bug.cgi?id=1341694
