Bug 1459092 - External Logging SSO failing SSL certificate verification
Summary: External Logging SSO failing SSL certificate verification
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Providers
Version: 5.8.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: GA
Target Release: 5.9.0
Assignee: Erez Freiberger
QA Contact: Shalom Naim
URL:
Whiteboard: container
Depends On:
Blocks: 1461616
Reported: 2017-06-06 09:24 UTC by Federico Simoncelli
Modified: 2018-07-15 09:48 UTC

Fixed In Version: 5.9.0.1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-03-06 15:54:28 UTC
Category: ---
Cloudforms Team: Container Management
Target Upstream Version:
Embargoed:


Attachments
adding the provider with ssl validation (2.33 MB, application/octet-stream)
2017-12-04 14:51 UTC, Shalom Naim

Description Federico Simoncelli 2017-06-06 09:24:34 UTC
Description of problem:
External Logging SSO is failing the certificate verification.

Version-Release number of selected component (if applicable):
manageiq @b28dea8
manageiq-providers-kubernetes @4ea2250

How reproducible:
100%

Steps to Reproduce:
1. Add an OpenShift provider (with logging-ops support) with SSL-verification and custom CA
2. Click on Monitoring => External Logging

Actual results:
You are not redirected to Kibana with SSO and you get the message:

  Cannot validate certificate to 'kibana-ops.10.35.48.50.nip.io. Make sure that you use a certificate signed by the root Openshift Cert.error message: SSL_connect returned=1 errno=0 state=error: certificate verify failed

Expected results:
You should be redirected to Kibana with SSO and SSL-verified connection.


Additional info:
Not sure if there are implications in other components as openshift-ansible for the logging deployment.

Comment 2 Erez Freiberger 2017-06-12 08:40:26 UTC
I have installed openshift-enterprise with the same ansible version (openshift-ansible-3.5.72-1) but couldn't reproduce this. I am being logged in and getting the "no permissions ..." error message from https://bugzilla.redhat.com/show_bug.cgi?id=1454867

Comment 3 Federico Simoncelli 2017-07-06 12:32:38 UTC
It seems that this fixed it:

  openshift_hosted_router_create_certificate=true

Is that documented anywhere? How come we didn't remember that it's critical for this feature?
It's even off by default.

Comment 4 Erez Freiberger 2017-07-06 12:52:06 UTC
Yes, I am sorry for not identifying this sooner. It was introduced in https://github.com/openshift/openshift-ansible/pull/3821 which helps us because ManageIQ needs to identify the router's certificate first.

Where should this be documented?

Comment 5 Federico Simoncelli 2017-07-07 12:55:55 UTC
(In reply to Erez Freiberger from comment #4)
> Where should this be documented?

Let's try to get it enabled by default first (and fallback to documentation if that can't be done).

Comment 6 Erez Freiberger 2017-07-07 22:56:13 UTC
I opened a PR for that: https://github.com/openshift/openshift-ansible/pull/4693

Comment 8 Shalom Naim 2017-12-04 14:51:34 UTC
Created attachment 1362707 [details]
adding the provider with ssl validation

Comment 9 Shalom Naim 2017-12-04 14:54:21 UTC
I added an OCP 3.6 with SSL validation (see the attachment) and I tried to navigate to external logging but I got an error message

I also verified that logging is up and running (as you can see below) and verified that logging works without validation

[root@snaim-ocp-3-6-master ~]# oc get pods --all-namespaces 
NAMESPACE         NAME                                           READY     STATUS    RESTARTS   AGE
default           docker-registry-1-n2hr7                        1/1       Running   0          5d
default           registry-console-1-6tlwz                       1/1       Running   0          5d
default           router-1-ctrnt                                 1/1       Running   0          5d
logging           logging-curator-1-qxhck                        1/1       Running   0          5d
logging           logging-curator-ops-1-06s1b                    1/1       Running   0          18s
logging           logging-es-data-master-1zlpxbqs-1-d4wpf        1/1       Running   0          5d
logging           logging-es-ops-data-master-2yp9mp9e-1-deploy   0/1       Error     0          5d
logging           logging-fluentd-65vhh                          1/1       Running   0          5d
logging           logging-fluentd-j7z3s                          1/1       Running   0          5d
logging           logging-fluentd-q8g7b                          1/1       Running   0          5d
logging           logging-kibana-1-zl1fk                         2/2       Running   0          5d
logging           logging-kibana-ops-1-sshs3                     2/2       Running   0          5d
openshift-infra   hawkular-cassandra-1-j8lsm                     1/1       Running   0          5d
openshift-infra   hawkular-metrics-188rp                         1/1       Running   0          5d
openshift-infra   heapster-l4xxc                                 1/1       Running   0          5d

Comment 10 Erez Freiberger 2017-12-04 15:28:01 UTC
This seems like an installation problem; the certificate for the route is not signing it correctly (subject=/CN=router.default.svc)

We should take a look at the ansible as this should have been fixed in the 3.6 version of the installer with this backport https://github.com/openshift/openshift-ansible/pull/5042
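
Added example (Ruby, the language ManageIQ is written in; this is not code from ManageIQ or openshift-ansible) that reproduces the two ways a route certificate fails the provider's SSL verification as described in this thread: one signed by a CA other than the OpenShift root CA fails chain verification ("certificate verify failed" from the description), and the default router certificate with subject CN=router.default.svc fails the hostname check (comment 10). The CA, certificates and route host below are constructed placeholders, not values from the report.

```ruby
require "openssl"

# Test fixture only: build a CA-signed (or, without an issuer, self-signed) X.509
# certificate so the check below runs offline. Real route certs come from the cluster.
def make_cert(subject_cn, issuer: nil, issuer_key: nil, sans: [])
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                      # X.509 v3, needed for extensions
  cert.serial     = rand(1 << 62)
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{subject_cn}")
  cert.issuer     = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = issuer || cert
  if issuer
    cert.add_extension(ef.create_extension("basicConstraints", "CA:FALSE", true))
    cert.add_extension(ef.create_extension("subjectAltName", sans.map { |h| "DNS:#{h}" }.join(","))) unless sans.empty?
  else
    cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
    cert.add_extension(ef.create_extension("keyUsage", "keyCertSign,cRLSign", true))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Why would the certificate a route serves fail verification against the OpenShift
# root CA? Returns nil when it would pass, otherwise a short reason: "chain: ..." is the
# "certificate verify failed" case, "hostname: ..." the default router cert case.
def route_cert_problem(cert, ca_cert, hostname)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)                  # only the cluster root CA is trusted
  return "chain: #{store.error_string}" unless store.verify(cert)
  return "hostname: #{hostname} matches neither subject #{cert.subject} nor a SAN" unless
    OpenSSL::SSL.verify_certificate_identity(cert, hostname)
  nil
end

# Constructed fixtures: a stand-in for the cluster CA, the default router certificate
# and a certificate issued for the route. The route host is a placeholder.
ca, ca_key = make_cert("openshift-signer-test")
host = "kibana-ops.apps.example.test"
router_default, = make_cert("router.default.svc", issuer: ca, issuer_key: ca_key)
route_cert,     = make_cert("kibana-ops", issuer: ca, issuer_key: ca_key, sans: [host])
puts route_cert_problem(router_default, ca, host)     # hostname mismatch
puts route_cert_problem(route_cert, ca, host).inspect # nil
```

To check a live route, replace the fixtures with the PEM the route actually serves and the cluster's CA certificate, and pass the route's hostname.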

Comment 11 Shalom Naim 2017-12-04 17:01:35 UTC
After debugging my OCP system we found that a wrong parameter was set in the installation inventory.

After reinstalling the system, the issue was verified successfully.
