Description of problem:
Latest Chrome (> 58.0.3029) refuses to accept the engine's certificate since subjectAltName is missing. Error displayed in browser: "This server could not prove that it is ...; its security certificate is from [missing_subjectAltName]."

Version-Release number of selected component (if applicable):
4.1

How reproducible:
100%

Steps to Reproduce:
1. Import certificate in Chrome from: http://<engine_url>/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA
2. Navigate to the WebAdmin

Additional info:
* The issue blocks the upload image feature, as we require a secured connection for uploading from the browser.
* A suggested fix is already available at: https://gerrit.ovirt.org/#/c/74614/
Target release should be placed once a package build is known to fix an issue. Since this bug is not modified, the target version has been reset. Please use target milestone to plan a fix for an oVirt release.
There seems to be a workaround for Chrome, for the time being: https://www.chromium.org/administrators/policy-list-3#EnableCommonNameFallbackForLocalAnchors See also: https://www.chromium.org/administrators/linux-quick-start Didn't try it myself.
The two changes 76656 and 74614 ensure that the following certificates are generated with subjectAltName set:
engine
name=jboss
name=websocket-proxy
name=apache
name=reports
name=imageio-proxy
name=ovn-ndb
name=ovn-sdb
name=ovirt-provider-ovn
but NOT
vmconsole-proxy-helper
vmconsole-proxy-user
vmconsole-proxy-host
If the vmconsole certificates require the subjectAltName, further action is required.

No renewal of the certificates is enforced during an upgrade.

The certificate file in the file system could be re-signed and this way extended by subjectAltName by:
share/ovirt-engine/bin/pki-enroll-request.sh --name=jboss --subject=/C=US/O=Test/CN=$HOSTNAME --days=356 --san=DNS:$HOSTNAME
but I do not know how the engine could be forced to use the new file.
(In reply to Dominik Holler from comment #3)
> No renew of the certificates is enforced during an upgrade.
>
> The certificate file in file system could resigned and this way extended by
> subjectAltName by:
> share/ovirt-engine/bin/pki-enroll-request.sh --name=jboss
> --subject=/C=US/O=Test/CN=$HOSTNAME --days=356 --san=DNS:$HOSTNAME
> but I do not know how engine could be forced to use the new file.

didi, any insight on this?
(In reply to Sandro Bonazzola from comment #4)
> (In reply to Dominik Holler from comment #3)
> > No renew of the certificates is enforced during an upgrade.
> >
> > The certificate file in file system could resigned and this way extended by
> > subjectAltName by:
> > share/ovirt-engine/bin/pki-enroll-request.sh --name=jboss
> > --subject=/C=US/O=Test/CN=$HOSTNAME --days=356 --san=DNS:$HOSTNAME
> > but I do not know how engine could be forced to use the new file.
>
> didi any insight on this?

I suggest using pki-enroll-pkcs12.sh and not pki-enroll-request.sh - the latter is designed to enroll an existing request. It will work, because we do not remove the requests, but since nothing ever uses them and we do not track them, perhaps better to recreate.

Tried this and it seems to work:

    name=apache
    # reuse the existing subject so only the SAN changes
    subject="$(openssl x509 -in /etc/pki/ovirt-engine/certs/"${name}".cer -noout -subject | sed 's;subject= \(.*\);\1;')"
    # provides ENGINE_FQDN
    . /usr/share/ovirt-engine/bin/engine-prolog.sh
    /usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh --name="${name}" --password=mypass --subject="${subject}" --keep-key --san=DNS:"${ENGINE_FQDN}"
    systemctl restart httpd

Verified that firefox sees the subject alt name, didn't try with chrome.
Also, it might make sense to have SAN default to the CN part of subject, so that user does not have to pass it. Perhaps we need another bug for this.
(In reply to Yedidyah Bar David from comment #6)
> Also, it might make sense to have SAN default to the CN part of subject, so
> that user does not have to pass it. Perhaps we need another bug for this.

Please open one
INFO: Bug status wasn't changed from MODIFIED to ON_QA due to the following reason:

[Tag 'ovirt-engine-4.1.2' doesn't contain patch 'https://gerrit.ovirt.org/76656']
gitweb: https://gerrit.ovirt.org/gitweb?p=ovirt-engine.git;a=shortlog;h=refs/tags/ovirt-engine-4.1.2

For more info please contact: infra
(In reply to rhev-integ from comment #8)
> INFO: Bug status wasn't changed from MODIFIED to ON_QA due to the following
> reason:
>
> [Tag 'ovirt-engine-4.1.2' doesn't contain patch

Wrong tag, please re-run on ovirt-engine-4.1.2.2

> 'https://gerrit.ovirt.org/76656']
> gitweb:
> https://gerrit.ovirt.org/gitweb?p=ovirt-engine.git;a=shortlog;h=refs/tags/
> ovirt-engine-4.1.2
>
> For more info please contact: infra
Moving to ON_QA as the patch for this bug is included in the ovirt-engine-4.1.2.2 tag from which the engine was built.
(In reply to Sandro Bonazzola from comment #7)
> (In reply to Yedidyah Bar David from comment #6)
> > Also, it might make sense to have SAN default to the CN part of subject, so
> > that user does not have to pass it. Perhaps we need another bug for this.
>
> Please open one

Done, bug 1450629.
ok, tested with google-chrome-stable-58.0.3029.110-1.x86_64 (no info about missing_subjectAltName).

# openssl x509 -in /etc/pki/ovirt-engine/certs/apache.cer -text -noout | grep -A 1 'Subject Alternative Name'
            X509v3 Subject Alternative Name:
                DNS:jbelka-vm1.rhev.lab.eng.brq.redhat.com

[root@jbelka-vm1 ~]# rpm -q ovirt-engine
ovirt-engine-4.1.2.2-0.1.el7.noarch
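The check the bug is about, reproduced offline as an added example (this is not code from the bug report or from oVirt): Chrome 58 and later match the host name only against the subjectAltName DNS entries and no longer fall back to the subject CN, which is why a certificate with the right CN but no SAN fails with "missing_subjectAltName". The script below generates two throwaway self-signed certificates with openssl, one without and one with a SAN, and runs a small hostname check over them that mirrors that behaviour, including the "SAN present but wrong name" case. The host names (engine.example.test and friends) are constructed test values, and openssl 1.1.1 or later is assumed for the -addext option.

```shell
#!/bin/sh
# Added example, not code from the bug report or from oVirt: reproduce the
# hostname check Chrome >= 58 applies to a server certificate using openssl.
# Chrome matches the host against the subjectAltName DNS entries and ignores
# the subject CN, so a certificate without a SAN is rejected even when its CN
# is the right name. Assumes openssl 1.1.1+ (for "req -addext").

# make_cert DIR NAME CN [SAN]
# Writes a throwaway self-signed certificate to DIR/NAME.cer. The SAN
# extension is added only when a fourth argument such as "DNS:host" is given.
make_cert() {
    if [ -n "${4:-}" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -keyout "$1/$2.key" -out "$1/$2.cer" \
            -subj "/C=US/O=Test/CN=$3" -addext "subjectAltName=$4" \
            >/dev/null 2>&1
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -keyout "$1/$2.key" -out "$1/$2.cer" \
            -subj "/C=US/O=Test/CN=$3" >/dev/null 2>&1
    fi
}

# san_dns_names CERT
# Prints the DNS: entries of the SAN, one per line; prints nothing when the
# extension is absent. Other SAN types (IP Address:, email:) are skipped,
# which is also what a browser does when matching a DNS host name.
san_dns_names() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/X509v3 Subject Alternative Name:/{n;p;}' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p'
}

# check_san CERT HOST
# Exit status mirrors the three outcomes a browser distinguishes:
#   0  a SAN DNS entry matches HOST (exact, or a single-label wildcard)
#   1  no subjectAltName at all (Chrome reports missing_subjectAltName)
#   2  a SAN is present but none of its DNS names match HOST
check_san() {
    cert=$1; host=$2
    if ! openssl x509 -in "$cert" -noout -text \
            | grep -q 'X509v3 Subject Alternative Name:'; then
        echo "$cert: no subjectAltName; the CN is ignored by Chrome >= 58"
        return 1
    fi
    for name in $(san_dns_names "$cert"); do
        case $name in
            "$host")
                echo "$cert: SAN DNS:$name matches $host"
                return 0 ;;
            \*.*)
                # *.example.test covers host.example.test, but neither
                # example.test itself nor a.b.example.test (one label only).
                if [ "${host#*.}" = "${name#\*.}" ] && [ "${host#*.}" != "$host" ]; then
                    echo "$cert: wildcard SAN DNS:$name matches $host"
                    return 0
                fi ;;
        esac
    done
    echo "$cert: subjectAltName present but no DNS entry matches $host"
    return 2
}

# Demonstration: the failing certificate next to the fixed one.
demo() {
    tmp=$(mktemp -d) || return 1
    make_cert "$tmp" nosan engine.example.test
    make_cert "$tmp" san   engine.example.test DNS:engine.example.test
    check_san "$tmp/nosan.cer" engine.example.test || echo "  -> rc=$?"
    check_san "$tmp/san.cer"   engine.example.test || echo "  -> rc=$?"
    rm -rf "$tmp"
}

demo
```

To apply the check to a real deployment, run check_san against /etc/pki/ovirt-engine/certs/apache.cer with the engine FQDN; a return code of 1 is exactly the situation the grep -A 1 'Subject Alternative Name' check in the comment above rules out, and a 2 means the SAN was added for a different name than the one browsers connect to.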
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days