Bug 1459092 - External Logging SSO failing SSL certificate verification
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Providers
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: GA
Target Release: 5.9.0
Assigned To: Erez Freiberger
QA Contact: Shalom Naim
Keywords: TestOnly
Blocks: 1461616
Reported: 2017-06-06 05:24 EDT by Federico Simoncelli
Modified: 2018-04-09 04:45 EDT (History)
Last Closed: 2018-03-06 10:54:28 EST
Type: Bug
Cloudforms Team: Container Management

Attachments:
  adding the provider with ssl validation (2.33 MB, application/octet-stream), 2017-12-04 09:51 EST, Shalom Naim
Description Federico Simoncelli 2017-06-06 05:24:34 EDT
Description of problem:
External Logging SSO is failing the certificate verification.

Version-Release number of selected component (if applicable):
manageiq @b28dea8
manageiq-providers-kubernetes @4ea2250

How reproducible:

Steps to Reproduce:
1. Add an OpenShift provider (with logging-ops support) with SSL-verification and custom CA
2. Click on Monitoring => External Logging

Actual results:
You are not redirected to Kibana with SSO and you get the message:

  Cannot validate certificate to 'kibana-ops. Make sure that you use a certificate signed by the root Openshift Cert.error message: SSL_connect returned=1 errno=0 state=error: certificate verify failed

Expected results:
You should be redirected to Kibana with SSO and SSL-verified connection.

Additional info:
Not sure if there are implications in other components such as openshift-ansible for the logging deployment.
Comment 2 Erez Freiberger 2017-06-12 04:40:26 EDT
I have installed openshift-enterprise with the same ansible version (openshift-ansible-3.5.72-1) but couldn't reproduce this. I am being logged in and getting the "no permissions ..." error message from https://bugzilla.redhat.com/show_bug.cgi?id=1454867
Comment 3 Federico Simoncelli 2017-07-06 08:32:38 EDT
It seems that this fixed it:


Is that documented anywhere? How come we didn't remember that it's critical for this feature?
It's even off by default.
Comment 4 Erez Freiberger 2017-07-06 08:52:06 EDT
Yes, I am sorry for not identifying this sooner. It was introduced in https://github.com/openshift/openshift-ansible/pull/3821 which helps us because ManageIQ needs to identify the router's certificate first.

Where should this be documented?
Comment 5 Federico Simoncelli 2017-07-07 08:55:55 EDT
(In reply to Erez Freiberger from comment #4)
> Where should this be documented?

Let's try to get it enabled by default first (and fallback to documentation if that can't be done).
Comment 6 Erez Freiberger 2017-07-07 18:56:13 EDT
I opened a PR for that: https://github.com/openshift/openshift-ansible/pull/4693
Comment 8 Shalom Naim 2017-12-04 09:51 EST
Created attachment 1362707
adding the provider with ssl validation
Comment 9 Shalom Naim 2017-12-04 09:54:21 EST
I added an OCP 3.6 provider with SSL validation (see the attachment) and tried to navigate to External Logging, but I got an error message.

I also verified that logging is up and running (as you can see below) and verified that logging works without validation.

[root@snaim-ocp-3-6-master ~]# oc get pods --all-namespaces 
NAMESPACE         NAME                                           READY     STATUS    RESTARTS   AGE
default           docker-registry-1-n2hr7                        1/1       Running   0          5d
default           registry-console-1-6tlwz                       1/1       Running   0          5d
default           router-1-ctrnt                                 1/1       Running   0          5d
logging           logging-curator-1-qxhck                        1/1       Running   0          5d
logging           logging-curator-ops-1-06s1b                    1/1       Running   0          18s
logging           logging-es-data-master-1zlpxbqs-1-d4wpf        1/1       Running   0          5d
logging           logging-es-ops-data-master-2yp9mp9e-1-deploy   0/1       Error     0          5d
logging           logging-fluentd-65vhh                          1/1       Running   0          5d
logging           logging-fluentd-j7z3s                          1/1       Running   0          5d
logging           logging-fluentd-q8g7b                          1/1       Running   0          5d
logging           logging-kibana-1-zl1fk                         2/2       Running   0          5d
logging           logging-kibana-ops-1-sshs3                     2/2       Running   0          5d
openshift-infra   hawkular-cassandra-1-j8lsm                     1/1       Running   0          5d
openshift-infra   hawkular-metrics-188rp                         1/1       Running   0          5d
openshift-infra   heapster-l4xxc                                 1/1       Running   0          5d
Comment 10 Erez Freiberger 2017-12-04 10:28:01 EST
This seems like an installation problem, the certificate for the route is not signing it correctly (subject=/CN=router.default.svc)

We should take a look at the ansible as this should have been fixed in the 3.6 version of the installer with this backport https://github.com/openshift/openshift-ansible/pull/5042
Comment 11 Shalom Naim 2017-12-04 12:01:35 EST
After debugging my OCP system we found that a wrong parameter was set in the installation inventory.

After reinstalling the system, the issue was verified successfully.
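The two failures the thread describes, the "certificate verify failed" error from the description and the self-signed router certificate with subject /CN=router.default.svc from comment 10, can be reproduced offline. The Ruby script below is an added example, not ManageIQ or openshift-ansible code: it builds a cluster CA, a route certificate signed by that CA, and a self-signed router certificate entirely in memory, then runs the same two checks a client performs before trusting the kibana-ops route, chain trust against the CA bundle the provider was configured with and hostname identity. The hostname kibana-ops.apps.example.com and the CA name openshift-signer are assumptions for the example.

```ruby
require 'openssl'

# Added example (not ManageIQ or openshift-ansible code). All keys and
# certificates are constructed here; the route hostname and CA name are
# assumed values, not taken from the bug report.

def make_key
  OpenSSL::PKey::RSA.new(2048)
end

# Build an X.509v3 certificate. With no issuer given it is self-signed.
def build_cert(cn, key, issuer_cert: nil, issuer_key: nil, ca: false, sans: [])
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # v3, required for extensions
  cert.serial = rand(1 << 62)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  if ca
    cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
    cert.add_extension(ef.create_extension("keyUsage", "keyCertSign,cRLSign", true))
  else
    cert.add_extension(ef.create_extension("basicConstraints", "CA:FALSE", true))
    cert.add_extension(ef.create_extension("subjectAltName", sans.join(","), false)) unless sans.empty?
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# What a TLS client checks before trusting the route: chain trust against the
# configured CA (the step that produced "certificate verify failed") and that
# the certificate actually names the host being connected to.
def check_route_cert(cert, ca_pem, hostname, chain: [])
  store = OpenSSL::X509::Store.new
  store.add_cert(OpenSSL::X509::Certificate.new(ca_pem))
  trusted = store.verify(cert, chain)
  {
    subject: cert.subject.to_s,
    issuer: cert.issuer.to_s,
    trusted: trusted,
    error: trusted ? nil : store.error_string,
    hostname_ok: OpenSSL::SSL.verify_certificate_identity(cert, hostname)
  }
end

def demo
  host = "kibana-ops.apps.example.com" # assumed route hostname
  ca_key = make_key
  ca = build_cert("openshift-signer", ca_key, ca: true) # assumed CA name

  # Route certificate issued by the cluster CA: what a correct install presents.
  good = build_cert(host, make_key, issuer_cert: ca, issuer_key: ca_key,
                    sans: ["DNS:#{host}"])

  # Self-signed router default certificate, as reported in comment 10.
  router = build_cert("router.default.svc", make_key)

  {
    good: check_route_cert(good, ca.to_pem, host),
    router: check_route_cert(router, ca.to_pem, host)
  }
end

if $PROGRAM_NAME == __FILE__
  demo.each { |name, result| puts "#{name}: #{result.inspect}" }
end
```

The router certificate fails both checks: it is not issued by the CA the provider was configured with, so the chain check reports an error, and it names router.default.svc rather than the kibana-ops hostname. Either one is enough for a correctly configured client to refuse the connection, which is why "works without validation" in comment 9 is not a fix but a downgrade; the installer-side fix referenced in comment 10 makes the router present a certificate the cluster CA signed.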
