Bug 1321179 - SSL overcloud deployment fails when the certificate contains the public vip in the SAN extension
Summary: SSL overcloud deployment fails when the certificate contains the public vip i...
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: documentation
Version: 12.0 (Pike)
Hardware: Unspecified
OS: Unspecified
medium
high
Target Milestone: ---
: 12.0 (Pike)
Assignee: Martin Lopes
QA Contact: RHOS Documentation Team
URL:
Whiteboard:
Depends On: 1434114
Blocks:
Reported: 2016-03-24 20:57 UTC by Marius Cornea
Modified: 2017-11-06 05:57 UTC (History)

Fixed In Version:
Doc Type: Known Issue
Doc Text:
OpenStack command-line clients that use `python-requests` cannot currently validate certificates that have an IP address in the SAN field.
Clone Of:
Environment:
Last Closed: 2017-11-06 05:57:21 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
san_ip.crt (2.05 KB, text/x-vhdl)
2016-03-24 20:57 UTC, Marius Cornea

Description Marius Cornea 2016-03-24 20:57:11 UTC
Created attachment 1140162 [details]
san_ip.crt

Description of problem:
SSL overcloud deployment fails when the certificate contains the public vip in the SAN extension. I updated the enable-tls.yaml to use the IP address instead of the hostname (sed -i 's/CLOUDNAME/IP_ADDRESS/').

The public VIP of the overcloud is 172.16.23.10. Deployment fails with the following error:

Authorization Failed: SSL exception connecting to https://172.16.23.10:13000/v2.0/tokens: hostname '172.16.23.10' doesn't match either of 'cloudy.net', 'overcloud.cloudy.net'

The certificate contains the SAN extension:
X509v3 Subject Alternative Name: 
    IP Address:172.16.23.10, IP Address:2001:DB8:FD00:1000:0:0:0:10, DNS:cloudy.net, DNS:overcloud.cloudy.net

curl seems to be working:
curl https://172.16.23.10:13000/v2.0/tokens
{"error": {"message": "The resource could not be found.", "code": 404, "title": "Not Found"}} 

The overcloud deployment succeeds when using 'cloudy.net' as CloudName, so I'd say the certificate validation is successful, but I believe the openstack client does not check the IP address in the SAN extension.

According to the RFC this should be supported:
https://tools.ietf.org/html/rfc2818#section-3.1
In some cases, the URI is specified as an IP address rather than a hostname. In this case, the iPAddress subjectAltName must be present in the certificate and must exactly match the IP in the URI.

Version-Release number of selected component (if applicable):
openstack-tripleo-heat-templates-0.8.12-2.el7ost.noarch

How reproducible:
100%

Additional info:
Attaching the certificate.
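
As an added illustration (not code from this bug, from python-requests, or from Red Hat), the following Python compares the two matching behaviours against a constructed copy of the SAN shown above: a DNS-only matcher, which produces the same "doesn't match either of" failure the report quotes, and a matcher that follows RFC 2818 section 3.1 by also comparing iPAddress entries (with the IPv6 entry normalised, so `2001:DB8:FD00:1000:0:0:0:10` equals `2001:db8:fd00:1000::10`). The certificate dictionary only mimics the shape of what `ssl.SSLSocket.getpeercert()` returns; the function names and the wildcard handling in `_dns_match` are my own choices.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for the SAN of the attached certificate, in the
# shape ssl.SSLSocket.getpeercert() uses for subjectAltName.
SAN_CERT = {
    "subjectAltName": (
        ("IP Address", "172.16.23.10"),
        ("IP Address", "2001:DB8:FD00:1000:0:0:0:10"),
        ("DNS", "cloudy.net"),
        ("DNS", "overcloud.cloudy.net"),
    )
}


def _dns_match(pattern, hostname):
    """Case-insensitive dNSName comparison; a single '*' is accepted only as
    the whole left-most label and never matches across label boundaries."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    head, sep, tail = pattern.partition(".")
    _, hsep, htail = hostname.partition(".")
    if head != "*" or not sep or not hsep:
        return False
    return tail == htail


def dns_only_match(cert, host):
    """Legacy behaviour: only dNSName entries are consulted, so a URL that
    carries an IP literal can never validate even when an iPAddress SAN
    is present and equal. Raises ValueError with the report's wording."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if any(_dns_match(n, host) for n in names):
        return True
    raise ValueError("hostname %r doesn't match either of %s"
                     % (host, ", ".join(repr(n) for n in names)))


def rfc2818_match(cert, host):
    """RFC 2818 section 3.1: if the URI host is an IP address, an iPAddress
    subjectAltName must be present and exactly equal; otherwise compare
    dNSName entries. Equality is on parsed addresses, not on strings."""
    try:
        target = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        target = None
    if target is None:
        return dns_only_match(cert, host)
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "IP Address":
            continue
        try:
            if ipaddress.ip_address(value) == target:
                return True
        except ValueError:
            continue  # malformed SAN entry: ignored, never a match
    raise ValueError("IP address %r not present in subjectAltName" % host)


def host_matches(cert, url, strict=True):
    """True if the host part of `url` is acceptable for `cert`.
    strict=False reproduces the DNS-only behaviour from the bug report."""
    host = urlsplit(url).hostname  # brackets stripped, lower-cased
    if host is None:
        raise ValueError("no host in %r" % url)
    matcher = rfc2818_match if strict else dns_only_match
    try:
        return bool(matcher(cert, host))
    except ValueError:
        return False


if __name__ == "__main__":
    url = "https://172.16.23.10:13000/v2.0/tokens"
    print("DNS-only matcher:", host_matches(SAN_CERT, url, strict=False))
    print("RFC 2818 matcher:", host_matches(SAN_CERT, url))
```

Run stand-alone it prints `False` for the DNS-only matcher and `True` for the RFC 2818 one on the report's URL; the same certificate accepts `https://overcloud.cloudy.net:13000/` under both, which is why the deployment succeeded once CloudName was set back to a DNS name.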

Comment 2 Jaromir Coufal 2016-04-01 12:02:37 UTC
doc_text for the release please

Comment 3 Mike Burns 2016-04-07 21:36:02 UTC
This bug did not make the OSP 8.0 release.  It is being deferred to OSP 10.

Comment 4 Juan Antonio Osorio 2016-10-23 09:02:26 UTC
This should be fixed already.

Comment 5 Juan Antonio Osorio 2016-10-23 09:04:31 UTC
wait, nevermind, I'll take a look.

Comment 14 Martin Lopes 2017-11-02 00:25:04 UTC
Working on release notes entry.

Comment 16 Martin Lopes 2017-11-06 05:57:00 UTC
Discussed with Ozz, closing bug.

