Bug 1321179 - SSL overcloud deployment fails when the certificate contains the public vip in the SAN extension
Status: CLOSED NEXTRELEASE
Product: Red Hat OpenStack
Classification: Red Hat
Component: documentation (Show other bugs)
Version: 12.0 (Pike)
Hardware/OS: Unspecified / Unspecified
Priority: medium
Severity: high
Target Release: 12.0 (Pike)
Assigned To: Martin Lopes
RHOS Documentation Team
Keywords: Documentation, Triaged
Depends On: 1434114
Blocks:
Reported: 2016-03-24 16:57 EDT by Marius Cornea
Modified: 2017-11-06 00:57 EST (History)

Doc Type: Known Issue
Doc Text:
OpenStack command-line clients that use `python-requests` cannot currently validate certificates that have an IP address in the SAN field.
Last Closed: 2017-11-06 00:57:21 EST
Type: Bug
Attachment: san_ip.crt (2.05 KB), 2016-03-24 16:57 EDT, Marius Cornea

Description Marius Cornea 2016-03-24 16:57:11 EDT
Created attachment 1140162: san_ip.crt

Description of problem:
SSL overcloud deployment fails when the certificate contains the public vip in the SAN extension. I updated the enable-tls.yaml to use the IP address instead of the hostname (sed -i 's/CLOUDNAME/IP_ADDRESS/').

The public VIP of the overcloud is 172.16.23.10. Deployment fails with the following error:

Authorization Failed: SSL exception connecting to https://172.16.23.10:13000/v2.0/tokens: hostname '172.16.23.10' doesn't match either of 'cloudy.net', 'overcloud.cloudy.net'

The certificate contains the SAN extension:
X509v3 Subject Alternative Name: 
    IP Address:172.16.23.10, IP Address:2001:DB8:FD00:1000:0:0:0:10, DNS:cloudy.net, DNS:overcloud.cloudy.net

curl seems to be working:
curl https://172.16.23.10:13000/v2.0/tokens
{"error": {"message": "The resource could not be found.", "code": 404, "title": "Not Found"}} 

The overcloud deployment succeeds when using 'cloudy.net' as CloudName, so I'd say the certificate validation is successful, but I believe the openstack client does not check the IP address in the SAN extension.

According to the RFC this should be supported:
https://tools.ietf.org/html/rfc2818#section-3.1
In some cases, the URI is specified as an IP address rather than a hostname. In this case, the iPAddress subjectAltName must be present in the certificate and must exactly match the IP in the URI.

Version-Release number of selected component (if applicable):
openstack-tripleo-heat-templates-0.8.12-2.el7ost.noarch

How reproducible:
100%

Additional info:
Attaching the certificate.
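The report above and the Doc Text both describe the same gap: a client that only compares the URI host against dNSName entries (and the CN) rejects an IP-literal endpoint even though the certificate carries a matching iPAddress SAN, which is exactly what RFC 2818 section 3.1 requires it to accept. The following Python is an added illustration, not code from this bug, from python-requests or from the OpenStack clients: it models the two behaviours side by side over a constructed certificate dict that mirrors the SAN set quoted in the description, laid out the way ssl.SSLSocket.getpeercert() presents 'subjectAltName'. The "DNS-only" matcher is a model of the failure described, not the real client code.

```python
import ipaddress
import re

# Constructed sample modelled on the SAN set quoted in the bug description.
# Layout follows ssl.SSLSocket.getpeercert(); the attached .crt is not reproduced.
SAMPLE_CERT = {
    "subject": ((("commonName", "cloudy.net"),),),
    "subjectAltName": (
        ("IP Address", "172.16.23.10"),
        ("IP Address", "2001:DB8:FD00:1000:0:0:0:10"),
        ("DNS", "cloudy.net"),
        ("DNS", "overcloud.cloudy.net"),
    ),
}


def _parse_ip(text):
    """Return an ipaddress object for an IP literal (with or without [] brackets), else None."""
    try:
        return ipaddress.ip_address(text.strip("[]"))
    except ValueError:
        return None


def _dns_matches(pattern, hostname):
    """RFC 2818 dNSName comparison: case-insensitive, '*' allowed only in the leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # A wildcard must cover exactly one label and may not match a bare registrable domain.
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    if "*" in "".join(p_labels[1:]):
        return False
    first = re.escape(p_labels[0]).replace(r"\*", "[^.]*")
    return re.fullmatch(first, h_labels[0]) is not None and p_labels[1:] == h_labels[1:]


def match_hostname_dns_only(cert, host):
    """Model of the failing behaviour: only dNSName SAN entries (or the CN) are consulted,
    so an IP-literal host can never match and the error lists just the DNS names."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # CN is a fallback only when no dNSName SAN is present
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_matches(n, host) for n in names)


def match_hostname(cert, host):
    """RFC 2818 section 3.1: an IP-literal host must exactly match an iPAddress SAN;
    a DNS host falls through to the dNSName rules."""
    ip = _parse_ip(host)
    if ip is not None:
        # ipaddress normalises both sides, so 2001:DB8:... and 2001:db8::10 compare equal.
        return any(_parse_ip(v) == ip for k, v in cert.get("subjectAltName", ()) if k == "IP Address")
    return match_hostname_dns_only(cert, host)


def compare(cert, host):
    """Return (dns_only_result, rfc2818_result) for one URI host, for side-by-side review."""
    return match_hostname_dns_only(cert, host), match_hostname(cert, host)


if __name__ == "__main__":
    for h in ("172.16.23.10", "2001:db8:fd00:1000::10", "cloudy.net", "172.16.23.11"):
        dns_only, rfc = compare(SAMPLE_CERT, h)
        print(f"{h:28s} dns-only={dns_only!s:5s} rfc2818={rfc}")
```

Running the script shows the public VIP 172.16.23.10 and the IPv6 VIP rejected by the DNS-only matcher and accepted by the RFC 2818 one, while 'cloudy.net' is accepted by both and an unrelated address is rejected by both; that is the difference between the failing deployment and the one that succeeds with CloudName set to 'cloudy.net'.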
Comment 2 Jaromir Coufal 2016-04-01 08:02:37 EDT
doc_text for the release please
Comment 3 Mike Burns 2016-04-07 17:36:02 EDT
This bug did not make the OSP 8.0 release.  It is being deferred to OSP 10.
Comment 4 Juan Antonio Osorio 2016-10-23 05:02:26 EDT
This should be fixed already.
Comment 5 Juan Antonio Osorio 2016-10-23 05:04:31 EDT
wait, nevermind, I'll take a look.
Comment 14 Martin Lopes 2017-11-01 20:25:04 EDT
Working on release notes entry.
Comment 16 Martin Lopes 2017-11-06 00:57:00 EST
Discussed with Ozz, closing bug.
