Bug 1379841 - Named certificates with SANs cause duplicate name entries when cafile is specified
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.2.1
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: ---
Assignee: Andrew Butcher
QA Contact: Wenkai Shi
URL:
Whiteboard:
Depends On:
Blocks: 1379844
Reported: 2016-09-27 20:21 UTC by Andrew Butcher
Modified: 2017-03-08 18:26 UTC
CC List: 4 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Previously, named certificates which had matching hostnames in CN and subjectAlternativeNames certificate entries would cause duplicate hostnames to be detected and configured in /etc/origin/master/master-config.yaml. This would cause an error and prevent the master from starting. Duplicate hostnames are now correctly removed from detected certificate names.
Clone Of:
: 1379844
Environment:
Last Closed: 2016-10-03 14:53:03 UTC
Target Upstream Version:
Embargoed:


Links
System: Red Hat Product Errata
ID: RHBA-2016:1983
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: OpenShift Container Platform 3.3 atomic-openshift-utils bug fix update
Last Updated: 2016-10-03 18:51:38 UTC

Description Andrew Butcher 2016-09-27 20:21:03 UTC
Description of problem:

Certificates configured as named certificates which have matching hostnames in the CN and subjectAlternativeNames fields will cause duplicate name entries to be configured in /etc/origin/master/master-config.yaml when a "cafile" is specified.

Ansible output:
TASK [openshift_master : Start and enable master] ******************************
fatal: [master4.example.com]: FAILED! => {"changed": false, "failed": true, "msg": "Unable to start service atomic-openshift-master: Job for atomic-openshift-master.service failed because the control process exited with error code. See \"systemctl status atomic-openshift-master.se}

Master config section with duplicate names:
  namedCertificates:
  - certFile: /etc/origin/master/named_certificates/master.flibberty-jibbet.com.crt
    keyFile: /etc/origin/master/named_certificates/master.flibberty-jibbet.com.key
    names:
    - "master.flibberty-jibbet.com"
    - "master.flibberty-jibbet.com"
    - "internal-master.flibberty-jibbet.com"

Journal entry from failed master service:
servingInfo.namedCertificates[0].names[1]: Invalid value: "master.flibberty-jibbet.com": this name is already used in another named certificate


Version-Release number of selected component (if applicable):
atomic-openshift-utils-3.2.28-1.git.0.5a85fc5.el7.noarch
openshift-ansible-3.2.28-1.git.0.5a85fc5.el7.noarch
openshift-ansible-docs-3.2.28-1.git.0.5a85fc5.el7.noarch
openshift-ansible-roles-3.2.28-1.git.0.5a85fc5.el7.noarch
openshift-ansible-filter-plugins-3.2.28-1.git.0.5a85fc5.el7.noarch
openshift-ansible-lookup-plugins-3.2.28-1.git.0.5a85fc5.el7.noarch
openshift-ansible-playbooks-3.2.28-1.git.0.5a85fc5.el7.noarch


How reproducible:
Always.


Steps to Reproduce:
1. Create a CA and certificates with the hostname (e.g. master.flibberty-jibbet.com) set as CN and within subjectAlternativeNames.

san.cnf contents:

[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = North Carolina
localityName = Locality Name (eg, city)
localityName_default = Raleigh
organizationalUnitName = Organizational Unit Name (eg, section)
# with prompting enabled the value after commonName is only the prompt label;
# commonName_default supplies the CN that is actually written into the CSR
commonName = master.flibberty-jibbet.com
commonName_default = master.flibberty-jibbet.com
commonName_max = 64

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = master.flibberty-jibbet.com
DNS.2 = internal-master.flibberty-jibbet.com

commands used to create certificates (be sure CN=master.flibberty-jibbet.com is set when prompted):

openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -days 1024 -subj '/C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./OU=OpenShift/CN=flibberty-jibbet.com/emailAddress=none/' -out ca.crt
openssl genrsa -out master.flibberty-jibbet.com.key 2048
openssl req -new -out master.flibberty-jibbet.com.csr -key master.flibberty-jibbet.com.key -config san.cnf
# sign the CSR with the CA created above so the certificate chains to ca.crt (the "cafile" given in step 2);
# signing with -signkey instead would produce a self-signed certificate that does not chain to ca.crt
openssl x509 -req -days 3650 -in master.flibberty-jibbet.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out master.flibberty-jibbet.com.crt -extensions v3_req -extfile san.cnf

2. Configure host inventory with openshift_master_named_certificates containing certificate, key and CA files.

openshift_master_named_certificates=[{"certfile": "/root/master.flibberty-jibbet.com.crt", "keyfile": "/root/master.flibberty-jibbet.com.key", "cafile": "/root/ca.crt"}]

3. Run openshift-ansible.


Actual results:
Master is unable to start because duplicate names are configured in namedCertificates config section.


Expected results:
Master starts normally (because the list of detected certificate names has been deduped).


Additional info:
Workaround is to set the "names" key in each openshift_master_named_certificates dictionary, which will cause openshift-ansible to _not_ detect names in the configured certificates. Note that openshift_master_overwrite_named_certificates=true must also be set in order to remove older named certificate config sections.

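The name detection and the master-side check described above, as an added example (this is not openshift-ansible's filter code nor the master's validator; it only reproduces the behaviour the bug report documents). It reads the text form of a certificate as printed by `openssl x509 -text`, collects the CN and the DNS SANs, optionally drops repeats, and then applies the one-name-one-certificate rule that produced the journal entry quoted in the description. The sample certificate text is constructed (modeled on the verification output in comment 3, with an IP SAN added to show that non-DNS entries are skipped); parsing the `-text` output and all function names are assumptions of this example.

```python
import re

# Constructed sample input: the relevant lines of `openssl x509 -text` output for a
# certificate whose CN is repeated as a DNS SAN. Modeled on the verification output in
# comment 3 of this bug; the IP SAN is an addition to show non-DNS entries are ignored.
CERT_TEXT = """\
Certificate:
    Data:
        Subject: C=US, ST=North Carolina, L=Raleigh, OU=OpenShift, CN=master.example.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Alternative Name:
                DNS:master.example.com, DNS:internal-master.example.com, IP Address:10.0.0.5
"""

SUBJECT_CN_RE = re.compile(r"^\s*Subject:.*?\bCN\s*=\s*([^,/\n]+)", re.MULTILINE)
SAN_RE = re.compile(r"X509v3 Subject Alternative Name:\s*(.+)")


def detected_names(cert_text, dedupe=True):
    """Hostnames the installer would write into the `names:` list for this certificate.

    dedupe=False reproduces the pre-fix behaviour: the CN first, then every DNS SAN, so a
    CN that is also a SAN appears twice. dedupe=True keeps the first occurrence of each
    name and drops later repeats (assumed behaviour for the fix; order is preserved here)."""
    names = []
    cn = SUBJECT_CN_RE.search(cert_text)
    if cn:
        names.append(cn.group(1).strip())
    san = SAN_RE.search(cert_text)
    if san:
        for entry in san.group(1).split(","):
            entry = entry.strip()
            if entry.startswith("DNS:"):  # skip "IP Address:", "email:", "URI:" entries
                names.append(entry[len("DNS:"):].strip())
    if not dedupe:
        return names
    seen = set()
    unique = []
    for name in names:
        if name not in seen:
            seen.add(name)
            unique.append(name)
    return unique


def named_certificate_entry(cert_file, key_file, cert_text, dedupe=True):
    """One entry of servingInfo.namedCertificates as the installer renders it."""
    return {"certFile": cert_file, "keyFile": key_file,
            "names": detected_names(cert_text, dedupe)}


def validate_named_certificates(entries):
    """The check the master applies at startup: each name may be claimed once across all
    named certificates. The master reports a repeat inside a single certificate with the
    same 'already used in another named certificate' wording, as the bug shows. Returns
    error strings shaped like the journal entry; an empty list means the config is accepted."""
    errors = []
    claimed = set()
    for i, entry in enumerate(entries):
        for j, name in enumerate(entry["names"]):
            if name in claimed:
                errors.append(
                    'servingInfo.namedCertificates[%d].names[%d]: Invalid value: "%s": '
                    "this name is already used in another named certificate" % (i, j, name))
            else:
                claimed.add(name)
    return errors


if __name__ == "__main__":
    for dedupe in (False, True):
        entry = named_certificate_entry(
            "/etc/origin/master/named_certificates/master.example.com.crt",
            "/etc/origin/master/named_certificates/master.example.com.key",
            CERT_TEXT, dedupe)
        print("dedupe=%s names=%s" % (dedupe, entry["names"]))
        for err in validate_named_certificates([entry]):
            print("  " + err)
```

The fixed installer output in comment 3 lists the names in a different order than the certificate does (internal-master first); the check reproduced here rejects only repeated names, not any particular order, so both orders pass `validate_named_certificates`. Two entries that both claim the same hostname are rejected the same way, which is why the workaround in the description also needs openshift_master_overwrite_named_certificates=true to clear stale sections.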
Comment 1 Scott Dodson 2016-09-27 20:23:54 UTC
Fixed in master then picked into release-1.3 https://github.com/openshift/openshift-ansible/pull/2510

Comment 3 Wenkai Shi 2016-09-29 11:19:29 UTC
Verify this bug with openshift-ansible-3.3.28.1.git.0.762256b.el7

Prepare named certificates as required:
ca.crt  master.example.com.crt  master.example.com.key

The result is listed here:

[root@local-vm ~]#  openssl x509 -in master.example.com.crt -text
Certificate:
...
        Subject: C=US, ST=North Carolina, L=Raleigh, OU=OpenShift, CN=master.example.com
...
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name: 
                DNS:master.example.com, DNS:internal-master.example.com
...

[root@master ~]# cat /etc/origin/master/master-config.yaml
...
  namedCertificates:
  - certFile: /etc/origin/master/named_certificates/master.example.com.crt
    keyFile: /etc/origin/master/named_certificates/master.example.com.key
    names:
    - "internal-master.example.com"
    - "master.example.com"
...

Comment 5 errata-xmlrpc 2016-10-03 14:53:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1983
