Bug 1450293 - After upgrade still can't connect to engine web ui with chrome 58 (due to missing subjectAltName)
Summary: After upgrade still can't connect to engine web ui with chrome 58 (due to mis...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: Setup.Engine
Version: 4.1.1
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ovirt-4.1.4
Target Release: 4.1.4
Assignee: Yedidyah Bar David
QA Contact: Jiri Belka
URL:
Whiteboard:
Depends On: 1449084
Blocks: 1430598 1449503 1471461
 
Reported: 2017-05-12 07:53 UTC by Dominik Holler
Modified: 2017-07-28 14:18 UTC (History)
CC: 15 users

Fixed In Version:
Clone Of: 1449084
Environment:
Last Closed: 2017-07-28 14:18:24 UTC
oVirt Team: Integration
Embargoed:
rule-engine: ovirt-4.1+
rule-engine: exception+
lsvaty: testing_ack+


Attachments: none


Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 3031581 0 None None None 2017-05-12 19:18:41 UTC
oVirt gerrit 79101 0 master MERGED packaging: setup: Renew certs if missing SubjectAltName 2020-12-12 00:33:55 UTC
oVirt gerrit 79221 0 ovirt-engine-4.1 MERGED packaging: setup: Renew certs if missing SubjectAltName 2020-12-12 00:33:55 UTC

Description Dominik Holler 2017-05-12 07:53:53 UTC
During upgrade, the engine's certificates may not be extended with the subjectAltName during the execution of engine-setup. So the latest Chrome (> 58.0.3029) still refuses to accept the engine's certificate, since subjectAltName is missing even after the upgrade.

The upgrade is not handled by the changes related to bug #1449084.

+++ This bug was initially created as a clone of Bug #1449084 +++

Description of problem:
Latest Chrome (> 58.0.3029) refuses to accept engine's certificate since subjectAltName is missing.

Error displayed in browser: "This server could not prove that it is ...; its security certificate is from [missing_subjectAltName]."

Version-Release number of selected component (if applicable):
4.1

How reproducible:
100%

Steps to Reproduce:
1. Import certificate in Chrome from: http://<engine_url>/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA 
2. Navigate to the WebAdmin

Additional info:
* The issue blocks upload image feature, as we require a secured connection for uploading from the browser.
* A suggested fix is already available at: https://gerrit.ovirt.org/#/c/74614/

--- Additional comment from Red Hat Bugzilla Rules Engine on 2017-05-09 04:21:15 EDT ---

Target release should be placed once a package build is known to fix an issue. Since this bug is not modified, the target version has been reset. Please use target milestone to plan a fix for an oVirt release.

--- Additional comment from Yedidyah Bar David on 2017-05-10 02:45:50 EDT ---

There seems to be a workaround for Chrome, for the time being:

https://www.chromium.org/administrators/policy-list-3#EnableCommonNameFallbackForLocalAnchors

See also:

https://www.chromium.org/administrators/linux-quick-start

Didn't try it myself.

--- Additional comment from Dominik Holler on 2017-05-10 10:49:52 EDT ---

The two changes 76656 and 74614 ensure that the following certificates are generated with the subjectAltName set: engine name=jboss name=websocket-proxy name=apache name=reports name=imageio-proxy name=ovn-ndb name=ovn-sdb name=ovirt-provider-ovn
but NOT vmconsole-proxy-helper vmconsole-proxy-user vmconsole-proxy-host .

If the vmconsole certificates require the subjectAltName, further action is required.

No renew of the certificates is enforced during an upgrade.

The certificate file in the file system could be re-signed and this way extended with subjectAltName by:
share/ovirt-engine/bin/pki-enroll-request.sh --name=jboss --subject=/C=US/O=Test/CN=$HOSTNAME --days=356 --san=DNS:$HOSTNAME
but I do not know how the engine could be forced to use the new file.

--- Additional comment from Sandro Bonazzola on 2017-05-10 11:36:35 EDT ---

(In reply to Dominik Holler from comment #3)

> No renew of the certificates is enforced during an upgrade.
> 
> The certificate file in the file system could be re-signed and this way extended with
> subjectAltName by:
> share/ovirt-engine/bin/pki-enroll-request.sh --name=jboss
> --subject=/C=US/O=Test/CN=$HOSTNAME --days=356 --san=DNS:$HOSTNAME
> but I do not know how the engine could be forced to use the new file.

didi any insight on this?

--- Additional comment from Yedidyah Bar David on 2017-05-11 09:45:05 EDT ---

(In reply to Sandro Bonazzola from comment #4)
> (In reply to Dominik Holler from comment #3)
> 
> > No renew of the certificates is enforced during an upgrade.
> > 
> > The certificate file in the file system could be re-signed and this way extended with
> > subjectAltName by:
> > share/ovirt-engine/bin/pki-enroll-request.sh --name=jboss
> > --subject=/C=US/O=Test/CN=$HOSTNAME --days=356 --san=DNS:$HOSTNAME
> > but I do not know how the engine could be forced to use the new file.
> 
> didi any insight on this?

I suggest using pki-enroll-pkcs12.sh and not pki-enroll-request.sh - the latter is designed to enroll an existing request. It will work, because we do not remove the requests, but since nothing ever uses them and we do not track them, it is perhaps better to recreate.

Tried this and it seems to work:

~~~
# Certificate to re-enroll (apache is the one the browser sees)
name=apache

# Reuse the current subject. The sed strips the "subject= " prefix that
# OpenSSL 1.0.x prints; OpenSSL 1.1+ prints "subject=C = ..." instead.
subject="$(openssl x509 -in /etc/pki/ovirt-engine/certs/"${name}".cer -noout -subject | sed 's;subject= \(.*\);\1;')"

# engine-prolog.sh sets ENGINE_FQDN from the engine configuration
. /usr/share/ovirt-engine/bin/engine-prolog.sh

# Re-enroll with the existing key, adding the engine FQDN as a DNS SAN
/usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh --name="${name}" --password=mypass --subject="${subject}" --keep-key --san=DNS:"${ENGINE_FQDN}"

systemctl restart httpd
~~~

Verified that firefox sees the subject alt name, didn't try with chrome.

--- Additional comment from Yedidyah Bar David on 2017-05-11 09:45:53 EDT ---

Also, it might make sense to have SAN default to the CN part of subject, so that user does not have to pass it. Perhaps we need another bug for this.

--- Additional comment from Sandro Bonazzola on 2017-05-12 03:29:27 EDT ---

(In reply to Yedidyah Bar David from comment #6)
> Also, it might make sense to have SAN default to the CN part of subject, so
> that user does not have to pass it. Perhaps we need another bug for this.

Please open one

Comment 1 Red Hat Bugzilla Rules Engine 2017-05-12 07:54:11 UTC
Target release should be placed once a package build is known to fix an issue. Since this bug is not modified, the target version has been reset. Please use target milestone to plan a fix for an oVirt release.

Comment 2 Jiri Belka 2017-07-14 08:21:16 UTC
ok, rhevm-4.1.4.1-0.1.el7.noarch

~~~
# openssl x509 -in /etc/pki/ovirt-engine/certs/apache.cer -text -noout | grep -A 1 'Subject Alternative Name'                                                               
# engine-setup
          --== PKI CONFIGURATION ==--
         
          One or more of the certificates should be renewed, because they expire soon, or include an invalid expiry date, or do not include the subjectAltName extension, which can cause them to be rejected by recent browsers.
          If you choose "No", you will be asked again the next time you run Setup.
          See https://access.redhat.com/solutions/1572983 for more details.
          Renew certificates? (Yes, No) [No]: Yes
...
[ INFO  ] Upgrading CA
...
[ INFO  ] Restarting httpd
          Web access is enabled at:
...
          Internal CA 8C:2E:3A:81:7B:FD:F1:A8:95:74:4F:E5:32:5E:8C:6D:EA:CB:CA:FD
...
[ INFO  ] Execution of setup completed successfully
# openssl x509 -in /etc/pki/ovirt-engine/certs/apache.cer -text -noout | grep -A 1 'Subject Alternative Name'
            X509v3 Subject Alternative Name: 
                DNS:jbelka-vm4.example.com

~~~

tested with Google Chrome 59.0.3071.115
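The verification in comment 2 is a visual grep for the SAN line. The following is an added example, not part of this bug report and not oVirt or engine-setup code, that turns that grep into a pass/fail check reproducing the Chrome 58 rule offline: a certificate is accepted only if its subjectAltName carries a DNS entry for the engine FQDN, and a matching CN alone is rejected. It builds two constructed self-signed certificates with the same CN (one with a SAN, one without) under a placeholder FQDN `engine.example.com`; it assumes only the `openssl` CLI (1.0.2 or later, using a temporary config instead of `-addext` so it also works on EL7's OpenSSL 1.0.2) and `mktemp`. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not oVirt code). Assumes: openssl CLI >= 1.0.2, mktemp.

# make_test_cert OUT_DIR NAME FQDN WITH_SAN(yes|no)
# Writes a self-signed cert OUT_DIR/NAME.cer with CN=FQDN and, when
# WITH_SAN=yes, subjectAltName=DNS:FQDN. Extensions come from a temporary
# openssl config so this runs on OpenSSL 1.0.x as well as 1.1/3.x.
make_test_cert() {
    dir=$1; name=$2; fqdn=$3; with_san=$4
    cnf="$dir/$name.cnf"
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n[v3_san]\nsubjectAltName = DNS:%s\n[v3_nosan]\nbasicConstraints = CA:FALSE\n' \
        "$fqdn" "$fqdn" > "$cnf"
    if [ "$with_san" = yes ]; then ext=v3_san; else ext=v3_nosan; fi
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1 \
        -keyout "$dir/$name.key" -out "$dir/$name.cer" \
        -config "$cnf" -extensions "$ext" >/dev/null 2>&1
}

# san_dns_names CERT
# Prints one "DNS:host" token per line taken from the certificate's
# subjectAltName extension (the same grep the bug's comment 2 uses);
# prints nothing when the extension is absent.
san_dns_names() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tail -n 1 \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' \
        | grep '^DNS:' || true
}

# cert_has_san_for CERT FQDN
# Exit 0 only if the SAN contains exactly DNS:FQDN. A matching subject CN
# is deliberately not consulted: that is the fallback Chrome 58 removed.
# Wildcard SAN entries are not matched by this exact check.
cert_has_san_for() {
    san_dns_names "$1" | grep -qx "DNS:$2"
}

# verdict CERT FQDN : one-line report mirroring the browser decision
verdict() {
    if cert_has_san_for "$1" "$2"; then
        echo "$1: SAN covers $2 -> accepted by Chrome >= 58"
    else
        echo "$1: no SAN entry for $2 -> rejected ([missing_subjectAltName])"
    fi
}

# Demo on two constructed certs sharing the CN; placeholder FQDN, not a real host.
demo() {
    d=$(mktemp -d)
    fqdn=engine.example.com
    make_test_cert "$d" cn-only "$fqdn" no
    make_test_cert "$d" with-san "$fqdn" yes
    verdict "$d/cn-only.cer" "$fqdn"
    verdict "$d/with-san.cer" "$fqdn"
    rm -rf "$d"
}
demo
```

Against a live engine, `cert_has_san_for /etc/pki/ovirt-engine/certs/apache.cer "$ENGINE_FQDN"` (with `ENGINE_FQDN` from engine-prolog.sh, as in comment 5) gives a scriptable pre- and post-upgrade check. Do not substitute `openssl verify -verify_hostname` for this: OpenSSL's hostname matching still falls back to the subject CN when the certificate has no DNS SAN entries, so it would accept exactly the certificates Chrome 58 rejects.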

