Bug 1316698 - Re-Encrypt Termination destinationCACertificate ca-file not created when route does not include key and cert
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 3.1.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: ---
Assignee: Ram Ranganathan
QA Contact: zhaozhanqi
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-03-10 20:14 UTC by Ryan Howe
Modified: 2022-08-04 22:20 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-05-12 16:32:28 UTC
Target Upstream Version:
Embargoed:




Links
Red Hat Product Errata RHSA-2016:1064 (normal, SHIPPED_LIVE): Important: Red Hat OpenShift Enterprise 3.2 security, bug fix, and enhancement update (last updated 2016-05-12 20:19:17 UTC)

Description Ryan Howe 2016-03-10 20:14:24 UTC
Description of problem:

When a Re-Encrypt Termination route is created with only destinationCACertificate, the ca-file is not created in /var/lib/containers/router/cacerts/<PROJECT><ROUTE_NAME>. The cert and key are not included because we want to use the router's "--default-cert".


Version-Release number of selected component (if applicable):
3.1.1.6

How reproducible:
100%

Steps to Reproduce:
1. Create route [1] 

2. `oc rsh router` 

3. $ grep bug haproxy.config
    backend be_secure_default_bug-reencrypt
    cookie OPENSHIFT_REENCRYPT_default_bug-reencrypt_SERVERID insert indirect nocache httponly secure
    server 10.1.5.18:5000 10.1.5.18:5000 ssl check inter 5000ms verify required ca-file /var/lib/containers/router/cacerts/default_bug-reencrypt.pem cookie 10.1.5.18:5000

4. ll /var/lib/containers/router/cacerts/ -a
  total 8
  drwxrwxrwx. 2 root root   37 Mar 10 14:33 .
  drwxrwxrwx. 4 root root   50 Mar  9 10:29 ..
  -rw-r--r--. 1 root root 4109 Mar 10 14:33 default_test-secured.pem


Actual results:


  [ALERT] 056/103231 (25235) : Proxy 'default_bug-reencrypt', server '10.1.0.66:8443' [/var/lib/haproxy/conf/haproxy.config:302] unable to load CA file '/var/lib/containers/router/cacerts/default_bug-reencrypt.pem'.
  [ALERT] 056/103231 (25235) : Fatal errors found in configuration.


Expected results:

Work with the default certs and the supplied destinationCACertificate for a Re-Encrypt Termination route


Additional info:

[1] BUG route object

$ oc get route bug-reencrypt -o yaml 
apiVersion: v1
items:
- apiVersion: v1
  kind: Route
  metadata:
    creationTimestamp: 2016-03-10T19:39:30Z
    name: bug-reencrypt
    namespace: default
    resourceVersion: "1199068"
    selfLink: /oapi/v1/namespaces/default/routes/bug-reencrypt
    uid: ce9d4308-e6f7-11e5-ae52-fa163eb4e380
  spec:
    host: www.bug.com
    tls:
      destinationCACertificate: |-
        -----BEGIN CERTIFICATE-----
        XXXXXX CONTENTS HERE XXXXXX
        -----END CERTIFICATE-----
        -----BEGIN CERTIFICATE-----
        XXXXXX CONTENTS HERE XXXXXX
        -----END CERTIFICATE-----
      termination: reencrypt
    to:
      kind: Service
      name: docker-registry
  status: {}

[2] Control Test to ensure it works when including all data: 

# oc route get test-secured -o yaml

  apiVersion: v1
  kind: Route
  metadata:
    creationTimestamp: 2016-03-10T18:57:48Z
    name: test-secured
    namespace: default
    resourceVersion: "1194643"
    selfLink: /oapi/v1/namespaces/default/routes/test-secured
    uid: fb8d2884-e6f1-11e5-ae52-fa163eb4e380
  spec:
    host: www.test.com
    tls:
      certificate: |-
        -----BEGIN CERTIFICATE-----
        XXXXXX CONTENTS HERE XXXXXX
      destinationCACertificate: |-
        -----BEGIN CERTIFICATE-----
        XXXXXX CONTENTS HERE XXXXXX
        -----END CERTIFICATE-----
        -----BEGIN CERTIFICATE-----
         XXXXXX CONTENTS HERE XXXXXX
        -----END CERTIFICATE-----
      key: |-
        -----BEGIN PRIVATE KEY-----
         XXXXXX CONTENTS HERE XXXXXX
        -----END PRIVATE KEY-----
      termination: reencrypt
    to:
      kind: Service
      name: docker-registry
  status: {}
kind: List
metadata: {}


$ ll /var/lib/containers/router/cacerts/ -a
  total 8
  drwxrwxrwx. 2 root root   37 Mar 10 14:33 .
  drwxrwxrwx. 4 root root   50 Mar  9 10:29 ..
  -rw-r--r--. 1 root root 4109 Mar 10 14:33 default_test-secured.pem

$ oc rsh -n default router-5-6wo5k
[root@rnode5 conf]# grep "test-secured" haproxy.config       
backend be_secure_default_test-secured
  cookie OPENSHIFT_REENCRYPT_default_test-secured_SERVERID insert indirect nocache httponly secure
  server 10.1.5.18:5000 10.1.5.18:5000 ssl check inter 5000ms verify required ca-file /var/lib/containers/router/cacerts/default_test-secured.pem cookie 10.1.5.18:5000

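An added check, not part of the bug report or the router's own code, that an operator can run inside the router container to surface exactly this failure before an HAProxy reload: every `ca-file` referenced by a server line in haproxy.config must exist and be non-empty, because with `verify required` a missing CA file is a fatal configuration error, as the ALERT lines above show. `make_sample` builds a constructed haproxy.config and cacerts directory that mirror the two backends quoted above (paths and contents are placeholders); `missing_ca_files` is the actual check and can be pointed at the real `/var/lib/haproxy/conf/haproxy.config`.

```shell
#!/bin/sh
# Constructed sample modelled on the two backends in the report: the ca-file for
# bug-reencrypt is referenced by haproxy.config but was never written.
make_sample() {
  dir="$1"
  mkdir -p "$dir/cacerts"
  cat > "$dir/haproxy.config" <<EOF
backend be_secure_default_bug-reencrypt
  server 10.1.5.18:5000 10.1.5.18:5000 ssl check inter 5000ms verify required ca-file $dir/cacerts/default_bug-reencrypt.pem cookie 10.1.5.18:5000
backend be_secure_default_test-secured
  server 10.1.5.18:5000 10.1.5.18:5000 ssl check inter 5000ms verify required ca-file $dir/cacerts/default_test-secured.pem cookie 10.1.5.18:5000
EOF
  # Placeholder PEM standing in for the control route's CA file.
  printf -- '-----BEGIN CERTIFICATE-----\nXXXX\n-----END CERTIFICATE-----\n' \
    > "$dir/cacerts/default_test-secured.pem"
}

# Print "<backend> <path>" for every ca-file referenced in the given
# haproxy.config that is missing or empty on disk. Prints nothing when all
# referenced CA files are present.
missing_ca_files() {
  awk '
    /^backend[ \t]+/ { backend = $2 }
    /ca-file[ \t]+/ {
      for (i = 1; i <= NF; i++) if ($i == "ca-file") print backend, $(i + 1)
    }' "$1" | while read -r backend path; do
      [ -s "$path" ] || echo "$backend $path"
    done
}
```

Run `missing_ca_files /var/lib/haproxy/conf/haproxy.config` from `oc rsh router`; any line of output is a backend whose reencrypt verification cannot be loaded.
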
Comment 1 Ben Bennett 2016-03-11 17:26:10 UTC
Same issue: https://github.com/openshift/origin/issues/7444

Comment 2 Ram Ranganathan 2016-03-14 18:37:45 UTC
Fix in PR: https://github.com/openshift/origin/pull/8003

Comment 3 zhaozhanqi 2016-03-16 08:40:28 UTC
Verified this bug on origin (devenv_rhel_3734) with version:

oc v1.1.4-16-gb5da002
kubernetes v1.2.0-origin-41-g91d3e75
openshift/origin-haproxy-router          latest              e5fb8a74d31b        14 hours ago        417.4 MB

steps: 

1. Create the default-cert file 'cloudapps.router.pem'; it is using '*.example2.com'
# openssl x509 -in cloudapps.router.pem -noout -text |grep -i "subject:"
        Subject: CN=*.example2.com

2. Create router with --default-cert cloudapps.router.pem

3. Create app/service/route
 
    cat reencry.json
 {
    "kind": "Route",
    "apiVersion": "v1",
    "metadata": {
        "name": "route-reencrypt"
    },
    "spec": {
        "host": "www.example2.com",
        "to": {
            "kind": "Service",
            "name": "hello-nginx"
        },
        "tls": {
        "termination": "reencrypt",
        "destinationCACertificate": "-----BEGIN CERTIFICATE-----\nMIIEFzCCAv+gAwIBAgIJALK1iUpF2VQLMA0GCSqGSIb3DQEBBQUAMIGhMQswCQYD\nVQQGEwJVUzELMAkGA1UECAwCU0MxFTATBgNVBAcMDERlZmF1bHQgQ2l0eTEcMBoG\nA1UECgwTRGVmYXVsdCBDb21wYW55IEx0ZDEQMA4GA1UECwwHVGVzdCBDQTEaMBgG\nA1UEAwwRd3d3LmV4YW1wbGVjYS5jb20xIjAgBgkqhkiG9w0BCQEWE2V4YW1wbGVA\nZXhhbXBsZS5jb20wHhcNMTUwMTEyMTQxNTAxWhcNMjUwMTA5MTQxNTAxWjCBoTEL\nMAkGA1UEBhMCVVMxCzAJBgNVBAgMAlNDMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkx\nHDAaBgNVBAoME0RlZmF1bHQgQ29tcGFueSBMdGQxEDAOBgNVBAsMB1Rlc3QgQ0Ex\nGjAYBgNVBAMMEXd3dy5leGFtcGxlY2EuY29tMSIwIAYJKoZIhvcNAQkBFhNleGFt\ncGxlQGV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\nw2rK1J2NMtQj0KDug7g7HRKl5jbf0QMkMKyTU1fBtZ0cCzvsF4CqV11LK4BSVWaK\nrzkaXe99IVJnH8KdOlDl5Dh/+cJ3xdkClSyeUT4zgb6CCBqg78ePp+nN11JKuJlV\nIG1qdJpB1J5O/kCLsGcTf7RS74MtqMFo96446Zvt7YaBhWPz6gDaO/TUzfrNcGLA\nEfHVXkvVWqb3gqXUztZyVex/gtP9FXQ7gxTvJml7UkmT0VAFjtZnCqmFxpLZFZ15\n+qP9O7Q2MpsGUO/4vDAuYrKBeg1ZdPSi8gwqUP2qWsGd9MIWRv3thI2903BczDc7\nr8WaIbm37vYZAS9G56E4+wIDAQABo1AwTjAdBgNVHQ4EFgQUugLrSJshOBk5TSsU\nANs4+SmJUGwwHwYDVR0jBBgwFoAUugLrSJshOBk5TSsUANs4+SmJUGwwDAYDVR0T\nBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAaMJ33zAMV4korHo5aPfayV3uHoYZ\n1ChzP3eSsF+FjoscpoNSKs91ZXZF6LquzoNezbfiihK4PYqgwVD2+O0/Ty7UjN4S\nqzFKVR4OS/6lCJ8YncxoFpTntbvjgojf1DEataKFUN196PAANc3yz8cWHF4uvjPv\nWkgFqbIjb+7D1YgglNyovXkRDlRZl0LD1OQ0ZWhd4Ge1qx8mmmanoBeYZ9+DgpFC\nj9tQAbS867yeOryNe7sEOIpXAAqK/DTu0hB6+ySsDfMo4piXCc2aA/eI2DCuw08e\nw17Dz9WnupZjVdwTKzDhFgJZMLDqn37HQnT6EemLFqbcR0VPEnfyhDtZIQ==\n-----END CERTIFICATE-----"
        }
    }
}

4. Check the route

  # curl --resolve www.example2.com:443:127.0.0.1 https://www.example2.com --cacert /root/cloudapps.router.pem 
Hello World

Since this bug was reported in 'OSE', I first changed the status to 'modify' for now; please help update it to 'ON_QA' once it is merged to OSE. I will verify it. Thanks.

Comment 4 Troy Dawson 2016-03-16 20:43:03 UTC
This should be in the v3.2.0.4 build which was created today.

Comment 5 zhaozhanqi 2016-03-17 05:04:04 UTC
Verified this bug with the steps in comment 3 using the following version:

# oc version
oc v3.2.0.4
kubernetes v1.2.0-origin-41-g91d3e75

Comment 7 errata-xmlrpc 2016-05-12 16:32:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2016:1064

