Bug 1328809 - [Intservice_public_226] Preflight check failed when hostnames contain * in custom cert
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Hawkular
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: ---
Target Release: ---
Assignee: Matt Wringe
QA Contact: chunchen
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-04-20 10:32 UTC by Xia Zhao
Modified: 2018-07-26 19:09 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-09-19 13:49:38 UTC
Target Upstream Version:


Attachments:
preflight_logs (4.62 KB, text/plain), 2016-04-20 10:48 UTC, Xia Zhao

Description Xia Zhao 2016-04-20 10:32:13 UTC
Problem description: 
Preflight check failed when hostnames contain * in custom cert

Version-Release number of selected component (if applicable):
Images built from upstream https://github.com/openshift/origin-metrics

How reproducible:
Always

Steps to Reproduce:
1. Log in to the OpenShift master and create a valid custom cert with * specified in hostnames:
openshift admin ca create-server-cert --key=c.key --cert=c.crt --hostnames='*.router.default.svc.cluster.local,hawkular-metrics' --signer-cert=/etc/origin/master/ca.crt --signer-key=/etc/origin/master/ca.key --signer-serial=/etc/origin/master/ca.serial.txt
cat c.crt c.key /etc/origin/master/ca.crt > hm_c.pem
cp /etc/origin/master/ca.crt hm-ca_c.cert
2. Create the new project and deploy metrics with MODE=preflight:
oc new-project metrics
oc secrets new metrics-deployer hawkular-metrics.pem=hm_c.pem hawkular-metrics-ca.cert=hm-ca_c.cert
oc create -f https://raw.githubusercontent.com/openshift/origin-metrics/master/metrics-deployer-setup.yaml
#run on master:
oadm policy add-cluster-role-to-user cluster-reader system:serviceaccount:metrics:heapster
oc policy add-role-to-user edit system:serviceaccount:metrics:metrics-deployer
oc process openshift//metrics-deployer-template -v HAWKULAR_METRICS_HOSTNAME=hawkular-metrics.router.default.svc.cluster.local,IMAGE_PREFIX=openshift/origin-,IMAGE_VERSION=latest,USE_PERSISTENT_STORAGE=false,MASTER_URL=https://{master-domain}:8443,CASSANDRA_PV_SIZE=5Gi,MODE=preflight |oc create -f -

Actual Result:
Preflight failed with the error message below:
PREFLIGHT CHECK FAILED
========================
validate_deployer_secret:
The supplied hawkular-metrics.pem certificate is required to contain the following name(s) in the Subject Alternative Name field:
hawkular-metrics.router.default.svc.cluster.local hawkular-metrics
Instead the certificate has:
            X509v3 Subject Alternative Name:
                DNS:*.router.default.svc.cluster.local
Please supply a correct certificate or omit it to allow the deployer to generate it.
PREFLIGHT CHECK FAILED

Expected Result:
Preflight should succeed since the custom cert is valid

Additional info:
Preflight check succeeded when --hostnames='hawkular-metrics.router.default.svc.cluster.local' in custom cert

Comment 1 Xia Zhao 2016-04-20 10:37:41 UTC
To investigate further, I tried with multiple DNS names in the cert: "--hostnames='*.router.default.svc.cluster.local,hawkular-metrics'", and the preflight check failed again. Here is the output: http://pastebin.test.redhat.com/367211.

Comment 2 Xia Zhao 2016-04-20 10:48:47 UTC
Created attachment 1149035
preflight_logs

Comment 3 Matt Wringe 2016-04-20 13:09:42 UTC
A workaround for this is to specify that we want to skip the preflight checks; you can do this by setting the IGNORE_PREFLIGHT template parameter to false.

We will update our preflight checks to consider these situations.

Comment 4 Matt Wringe 2016-08-12 20:18:45 UTC
Oops, this has been fixed for a while now. Setting this to ON_QA.
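
Added example, not part of the bug report and not the deployer's own code: one way a preflight check can compare required names against the Subject Alternative Name list while accepting wildcard entries, treating `*` as exactly one left-most label (the RFC 6125 rule). The function names and the sample text are constructed for illustration.

```sh
#!/bin/sh
# Added example: not the origin-metrics deployer's code. Function names are hypothetical.

# Print the DNS entries from `openssl x509 -noout -text` output read on stdin.
san_names() {
    awk '/X509v3 Subject Alternative Name/ { getline; print }' |
        tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# san_matches SAN HOST: succeed if SAN equals HOST, or SAN is "*.<suffix>" and
# HOST is exactly one non-empty label followed by ".<suffix>".
san_matches() {
    pattern=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    host=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    if [ "$pattern" = "$host" ]; then return 0; fi
    case $pattern in
        '*.'*) suffix=${pattern#?} ;;   # drop the "*", keep ".<suffix>"
        *) return 1 ;;
    esac
    case $host in
        *"$suffix") label=${host%"$suffix"} ;;
        *) return 1 ;;
    esac
    case $label in
        '' | *.*) return 1 ;;           # wildcard never spans zero or several labels
    esac
    return 0
}

# missing_names SANS NAME...: print the required names that no SAN covers.
# SANS is a newline-separated list, as produced by san_names.
missing_names() {
    sans=$1; shift
    missing=
    for name in "$@"; do
        covered=no
        while IFS= read -r san; do
            if san_matches "$san" "$name"; then covered=yes; break; fi
        done <<EOF
$sans
EOF
        [ "$covered" = yes ] || missing="$missing $name"
    done
    printf '%s\n' "${missing# }"
}

# Constructed sample: the SAN lines shown in the preflight error in this report.
SAMPLE_TEXT='            X509v3 Subject Alternative Name:
                DNS:*.router.default.svc.cluster.local'
```

Run against the sample with the two names the deployer requires, `missing_names` reports only `hawkular-metrics`: the wildcard entry covers `hawkular-metrics.router.default.svc.cluster.local`, but an unqualified name still needs its own SAN entry.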

