Bug 1446046 - glusterd: TLS verification fails when using intermediate CA instead of self-signed certificates
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Gluster Storage
Classification: Red Hat Storage
Component: core
Version: rhgs-3.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Target Release: RHGS 3.4.0
Assignee: Mohit Agrawal
QA Contact: Bala Konda Reddy M
URL:
Whiteboard: ssl
Depends On: 1555154
Blocks: 1503134
 
Reported: 2017-04-27 07:05 UTC by Siddharth Sharma
Modified: 2023-09-14 03:57 UTC

Fixed In Version: glusterfs-3.12.2-7
Doc Type: If docs needed, set a value
Doc Text:
Earlier, the ssl-cert-depth option had to be set in /etc/glusterfs/glusterd.vol. After the patch is applied, the parameter (transport.socket.ssl-cert-depth) needs to be set in /var/lib/glusterd/secure-access. This parameter is useful only while management Secure Sockets Layer is enabled.
Clone Of:
: 1555154 (view as bug list)
Environment:
Last Closed: 2018-09-04 06:32:03 UTC
Embargoed:



Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:2607 0 None None None 2018-09-04 06:33:46 UTC

Comment 25 Bala Konda Reddy M 2018-08-23 15:04:49 UTC
Build: 3.12.2-16

1. On three glusterd nodes, stopped glusterd
2. Added the root ca and intermediate ca to glusterfs.ca to /etc/ssl/glusterfs.ca
3. copied root ca, ~]# rca.crt /etc/pki/ca-trust/source/anchors on all the gluster nodes
4. Updated the certs ~]# update-ca-trust
5. Created secure-access file in /var/lib/glusterd/secure-access and added the "option transport.socket.ssl-cert-depth 2"
6. Started glusterd.
7. Performed peer probe, created a volume, started and mounted it, and ran iozone.
8. Tried to mount on non-ssl nodes, it failed as expected
9. Tried to peer probe to non-ssl nodes, it failed as expected

Hence moving to verified
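
The CA bundle from step 2 and the depth value from step 5 can be checked offline with the OpenSSL command-line tool before glusterd is restarted. This is an added example, not part of the bug report or of GlusterFS: the chain, the subjects and every file name except rca.crt and glusterfs.ca are constructed, and it assumes `openssl verify -verify_depth` is a fair stand-in for the limit glusterd takes from transport.socket.ssl-cert-depth.

```shell
#!/bin/sh
# Added example: constructed root -> intermediate -> node chain (names invented).
set -eu

make_chain() {  # $1 = empty working directory
    (
        cd "$1"
        # Private config so results do not depend on the system openssl.cnf.
        printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' \
            '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > ca.cnf
        # Self-signed root CA.
        openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
            -keyout rca.key -out rca.crt -subj '/CN=Constructed Root CA' -days 2
        # Intermediate CA, signed by the root.
        openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
            -keyout ica.key -out ica.csr -subj '/CN=Constructed Intermediate CA'
        openssl x509 -req -in ica.csr -CA rca.crt -CAkey rca.key -CAcreateserial \
            -extfile ca.cnf -extensions v3_ca -out ica.crt -days 2
        # Node certificate, signed by the intermediate only.
        openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
            -keyout node.key -out node.csr -subj '/CN=node1.example'
        openssl x509 -req -in node.csr -CA ica.crt -CAkey ica.key -CAcreateserial \
            -out node.crt -days 2
        # Candidate CA bundles: root alone, and root plus intermediate (step 2).
        cat rca.crt > root-only.ca
        cat rca.crt ica.crt > glusterfs.ca
    ) >/dev/null 2>&1
}

chain_ok() {  # $1 = CA bundle, $2 = certificate, $3 = depth limit
    openssl verify -verify_depth "$3" -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

report() {  # prints one line per bundle/depth combination
    for combo in 'root-only.ca 2' 'glusterfs.ca 0' 'glusterfs.ca 2'; do
        set -- $combo
        if chain_ok "$work/$1" "$work/node.crt" "$2"; then r=OK; else r=FAIL; fi
        printf '%-14s depth=%s  %s\n' "$1" "$2" "$r"
    done
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_chain "$work"
report
```

Only the bundle that holds both CA certificates, checked with a depth limit that leaves room for the intermediate, reports OK; the other two combinations fail.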

Comment 27 errata-xmlrpc 2018-09-04 06:32:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:2607

Comment 28 Red Hat Bugzilla 2023-09-14 03:57:04 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days

