1382824 – SSL update not working

Bug 1382824 - SSL update not working

Summary: SSL update not working

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	OpenShift Online
Classification:	Red Hat
Component:	Routing
Sub Component:
Version:	2.x
Hardware:	All
OS:	All
Priority:	unspecified
Severity:	urgent
Target Milestone:	---
Target Release:	---
Assignee:	Rory Thrasher
QA Contact:	zhaozhanqi
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-10-07 20:16 UTC by Jack
Modified:	2016-10-10 20:30 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-10-10 20:30:41 UTC
Target Upstream Version:

Attachments	(Terms of Use)
combined.pem file (7.13 KB, text/x-vhdl) 2016-10-07 22:46 UTC, Jack	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Description Jack 2016-10-07 20:16:09 UTC

Description of problem:
Trying to update SSL certificate and while it claims success I still get errors when trying to enter the site http://truthmapping.com
The site is blocked.


Version-Release number of selected component (if applicable):


How reproducible:
Very


Steps to Reproduce:
1. Got cert info from SSL.com

2. Concatenated all cert files in order specified by ssl.com:
cat truthmapping_com.crt SSLcomDVCA_2.crt USERTrustRSAAddTrustCA.crt AddTrustExternalCARoot.crt > combined.pem

3. Installed as instructed:
rhc alias update-cert live truthmapping.com --certificate combined.pem --private-key truthmapping.com.key --passphrase PHRASE

Got this result: SSL certificate successfully added.

4. rhc app restart live

5. Still claims site has expired:
http://www.ssltools.com/?url=www.truthmapping.com

Please see this bug for very similar issues that this same site had 2 years ago:
https://bugzilla.redhat.com/show_bug.cgi?id=1149901



Expected results:


Additional info:

Comment 1 Jack 2016-10-07 21:50:31 UTC


Spoke with SSL.com and they said that my apache is referencing the old SSL certificate and that the apache httpd.conf file needs modified to point to the new certificate.  Do I need to do that in some way?

Comment 2 Rory Thrasher 2016-10-07 22:43:18 UTC

Hi Jack,

I'm going to get operations to look at your account and see if theres anything in the logs that points to a false success from rhc.  The `rhc alias update-cert` command you used looks correct and should update to use the new cert.

Can you upload your combined.pem so I can make sure it is valid?

Comment 3 Jack 2016-10-07 22:46:38 UTC

Created attachment 1208271 [details]
combined.pem file

Attaching pem file as Rory requested.

Comment 4 Jack 2016-10-07 22:47:28 UTC

Rory, what about Comment 2? 
https://bugzilla.redhat.com/show_bug.cgi?id=1382824#c2

Comment 5 Jack 2016-10-07 22:48:38 UTC

Sorry, meant what about Comment 1?

Comment 6 Rory Thrasher 2016-10-07 23:28:21 UTC

For Comment 1, that should be taken care of by rhc.

I think you're adding some certs that shouldn't be in the intermediate chain when you are creating combined.pem.

Can you try `cat truthmapping_com.crt SSLcomDVCA_2.crt > combined.pem` and then using rhc to update using that file?

Comment 7 Jack 2016-10-08 00:16:39 UTC

Tried just the two .crts in the pem file, installed (claimed success), restarted and no change in the result.

Comment 8 Jack 2016-10-10 15:34:16 UTC

Other thoughts?  The site currently has an expired certificate.  Thanks.

Comment 9 Andy Grimm 2016-10-10 17:12:47 UTC

It looks like you updated the certificate for truthmapping.com, but not www.truthmapping.com -- the url having the problem is the latter.

Comment 10 Jack 2016-10-10 19:54:07 UTC

Adding the www. is all that it needed.  Thanks!

Comment 11 Rory Thrasher 2016-10-10 20:30:41 UTC

Glad to hear its working!  I'm going to go ahead and close this bug - please feel free to reopen it if need be.

Note You need to log in before you can comment on or make changes to this bug.