Bug 1439242 - Console should send the full chain of the certificates
Summary: Console should send the full chain of the certificates
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: apiserver-auth
Version: 3.4.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Jordan Liggitt
QA Contact: Chuan Yu
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-04-05 13:39 UTC by Vadim Rutkovsky
Modified: 2017-04-05 14:12 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-04-05 14:12:26 UTC
Target Upstream Version:
Embargoed:



Description Vadim Rutkovsky 2017-04-05 13:39:22 UTC
Description of problem:
The OpenShift console sends only one cert on connection, assuming the user has the same CA file as the one used in openshift-ansible's "cafile" param of the "openshift_master_named_certificates" variable.

Version-Release number of selected component (if applicable):
3.4.0

How reproducible:
Always

Steps to Reproduce:
1. Prepare a root_ca.crt and full_chain.crt
2. Set up OpenShift via openshift-ansible with:

openshift_master_named_certificates:
- certfile: "server.crt"
  keyfile: "server.key"
  cafile: "full_chain.crt"

3. Run "openssl s_client -connect console.example.com:8443 -CAfile root_ca.crt"

Actual results:
Command fails with 'unable to verify the first certificate'

Expected results:
Command passes with 'ok'

Additional info:
If full_chain.crt is used, the openssl command works fine.

Comment 3 Jordan Liggitt 2017-04-05 13:55:52 UTC
The intermediate chain has to be included in the server cert. The CA file should just contain the roots.
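The following script is an added example, not part of this bug report or of openshift-ansible. It builds a local root -> intermediate -> leaf chain with openssl and reproduces both sides of the discussion above: verifying the leaf alone against a root-only CA file fails (what a client sees when the server presents a single certificate, as in the steps to reproduce), while verifying the leaf with the intermediate supplied as an untrusted chain certificate passes (the layout comment 3 asks for: leaf plus intermediate in the server cert file, roots only in the CA file). All certificate names and subjects are constructed for the demonstration; it assumes `openssl` is on PATH.

```shell
#!/bin/sh
# Added example: local chain generation and verification with openssl.
# Nothing here touches a real cluster; all files live in a temp directory.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Generate a self-signed root, an intermediate signed by it, and a leaf
# (server) certificate signed by the intermediate. Files are written to $WORK.
make_chain() {
    # Root CA (req -x509 marks it CA:TRUE via the default v3_ca section)
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Example Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null

    # Intermediate CA: must carry CA:TRUE when signed by the root
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/int.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Example Intermediate CA" \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$WORK/int.csr" \
        -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
        -extfile "$WORK/int.ext" -out "$WORK/int.crt" 2>/dev/null

    # Leaf (server) certificate for the console hostname (constructed value)
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:console.example.com\n' \
        > "$WORK/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=console.example.com" \
        -keyout "$WORK/server.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$WORK/leaf.csr" \
        -CA "$WORK/int.crt" -CAkey "$WORK/int.key" -CAcreateserial \
        -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" 2>/dev/null

    # Layout from comment 3: server cert file = leaf followed by intermediate;
    # CA file = roots only. These are the files one would hand to
    # openshift_master_named_certificates (certfile / cafile).
    cat "$WORK/leaf.crt" "$WORK/int.crt" > "$WORK/server.crt"
    cp "$WORK/root.crt" "$WORK/root_ca.crt"
}

# Leaf alone against a root-only CA file: the client cannot build the path
# to the root, so this returns non-zero ("unable to get local issuer").
verify_leaf_only() {
    openssl verify -CAfile "$WORK/root_ca.crt" "$WORK/leaf.crt" >/dev/null 2>&1
}

# Leaf plus the intermediate as an untrusted chain cert, which is what a
# client receives when server.crt contains leaf + intermediate. Returns 0.
verify_full_chain() {
    openssl verify -CAfile "$WORK/root_ca.crt" -untrusted "$WORK/int.crt" \
        "$WORK/leaf.crt" >/dev/null 2>&1
}

# Count certificates in a PEM bundle: a quick check that the certfile really
# carries the chain before it is deployed.
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

make_chain
if verify_leaf_only; then
    echo "unexpected: leaf verified without the intermediate"
else
    echo "leaf only: verification fails (the symptom in this bug)"
fi
if verify_full_chain; then
    echo "leaf + intermediate: OK"
fi
echo "server.crt carries $(count_certs "$WORK/server.crt") certificates"
```

Against a live endpoint, the same distinction shows up in `openssl s_client -connect host:port -CAfile root_ca.crt -showcerts`: the "Certificate chain" section lists how many certificates the server actually sent, and a depth-0-only chain with a root-only CA file produces the 'unable to verify the first certificate' error from the report.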

