+++ This bug was initially created as a clone of Bug #1464240 +++

Description of problem:
Use of the openshift_cert_expiry role breaks on certificates with very large (more than 8 content (non-0x00) bytes) serial numbers. Typical certificates which would fall under this category are those issued by the main Trust Authorities (ex: DigiCert), as they will have issued very many certificates.

Version-Release number of selected component (if applicable):
OCP 3.2+ (earliest branch which contains the openshift_cert_expiry role)

How reproducible:
Can be reproduced on any certificate with a very large serial number, such as those issued by commercial Trust Authorities.

Steps to Reproduce:
1. Install a commercially purchased certificate on your master as its certificate authority certificate
2. Run the openshift_cert_expiry role against your cluster

Actual results:
Traceback (most recent call last):
  File "./cert-test.py", line 8, in <module>
    certobj = FakeOpenSSLCertificate(open(cert).read())
  File "openshift-ansible/roles/openshift_certificate_expiry/library/openshift_cert_expiry.py", line 100, in __init__
    self._parse_cert()
  File "openshift-ansible/roles/openshift_certificate_expiry/library/openshift_cert_expiry.py", line 121, in _parse_cert
    self.serial = int(l.split()[-2])
ValueError: invalid literal for int() with base 10: 'Serial'

Expected results:
The expiry role runs fine and generates a report in your desired format(s).

Additional info:
The cert_expiry role uses a custom cert parser on systems lacking the OpenSSL python library. Typically these are Atomic Host systems, but may not always be. The format of the serial when it exceeds the default decimal-format output limits is BER/DER encoding. For example:

Serial Number: 0a:de:eb:24:04:75:ab:56:39:14:e9:5a:22:e2:85:bf

Python does not have a built-in ASN.1 parsing library, so decoding of the DER value will have to be added in manually.

The current best idea I have for this is to vendor/copy the popular python-asn1 library.

--- Additional comment from Tim Bielawa on 2017-06-22 14:51:59 EDT ---

This bug will not be hit by all customers. Those most likely to run into this will be those using commercially purchased certificates on their master to issue certificates to other OCP components.

Customers using the certificate redeploy role, who are also using commercial certificates, are also more likely to run into this issue, as the certificate redeploy role uses functionality from the cert expiration checking role to optimize/verify certificate redeploys.

--- Additional comment from Tim Bielawa on 2017-06-22 14:54:19 EDT ---

Referenced asn.1 library: https://pypi.python.org/pypi/asn1/2.1.0

--- Additional comment from Tim Bielawa on 2017-06-23 11:17:23 EDT ---

Update, this is easier than anticipated. The serial is actually printing in HEX format. I have a PR almost ready to go for this.

--- Additional comment from Tim Bielawa on 2017-06-23 11:29:50 EDT ---

PR for master branch. Backports will follow shortly.

https://github.com/openshift/openshift-ansible/pull/4573
https://github.com/openshift/openshift-ansible/issues/4575
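To make the failure mode and the fix concrete, here is an added example (not code from the openshift_cert_expiry role or from PR #4573) that parses the serial from `openssl x509 -text` output. It handles both layouts OpenSSL emits: the decimal form with the hex value in parentheses (serials that fit in a C `long`, hence the "8 content bytes" threshold in the description) and the colon-separated hex form that OpenSSL prints on the line after `Serial Number:` for larger values. The two certificate dumps are constructed samples; `buggy_parse_serial` reproduces only the `int(l.split()[-2])` expression from the traceback, and its line-selection test is an assumption.

```python
import re

# Constructed sample of `openssl x509 -text` output: a serial small enough for
# OpenSSL to print it in decimal with the hex value in parentheses.
SAMPLE_SMALL_SERIAL = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4096 (0x1000)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=example-ca
"""

# Constructed sample with the 16-byte serial quoted in the bug. OpenSSL cannot
# fit this in a C long, so it prints "Serial Number:" alone and the
# colon-separated hex bytes on the following line.
SAMPLE_LARGE_SERIAL = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0a:de:eb:24:04:75:ab:56:39:14:e9:5a:22:e2:85:bf
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=example-ca
"""

# "4096 (0x1000)" or "-5 (-0x5)"; the parenthesised hex part is optional.
DECIMAL_RE = re.compile(r'^(-?\d+)(?:\s*\(-?0x[0-9a-fA-F]+\))?$')
# "0a:de:eb:...": at least two colon-separated hex bytes.
HEX_RE = re.compile(r'^(?:[0-9a-fA-F]{2}:)+[0-9a-fA-F]{2}$')


def buggy_parse_serial(x509_text):
    """The parsing expression from the traceback on this page. The `if` test
    that selects the line is assumed; only int(l.split()[-2]) is from the bug.
    On the large-serial layout the line is just "Serial Number:", so
    l.split()[-2] is the word 'Serial' and int() raises ValueError."""
    for l in x509_text.splitlines():
        if 'Serial Number' in l:
            return int(l.split()[-2])
    raise ValueError('no Serial Number field found')


def parse_serial(x509_text):
    """Return the certificate serial number as a Python int.

    Accepts both layouts `openssl x509 -text` produces:
      * "Serial Number: 4096 (0x1000)"              (decimal, small serials)
      * "Serial Number:" then "0a:de:eb:..." below  (hex bytes, large serials)
    The hex form is also accepted when it sits on the same line.
    """
    lines = x509_text.splitlines()
    for idx, line in enumerate(lines):
        stripped = line.strip()
        if not stripped.startswith('Serial Number:'):
            continue
        value = stripped[len('Serial Number:'):].strip()
        if not value:
            # Large-serial layout: the value is on the next line.
            if idx + 1 >= len(lines):
                raise ValueError('Serial Number: line has no value')
            value = lines[idx + 1].strip()
        match = DECIMAL_RE.match(value)
        if match:
            return int(match.group(1))
        if HEX_RE.match(value):
            return int(value.replace(':', ''), 16)
        raise ValueError('unrecognised serial number format: %r' % value)
    raise ValueError('no Serial Number field found')


def serial_to_hex(serial):
    """Render a serial as upper-case hex padded to whole bytes, the form
    `openssl x509 -serial` prints (e.g. 0ADEEB24...), for cross-checking."""
    digits = '%X' % serial
    if len(digits) % 2:
        digits = '0' + digits
    return digits


if __name__ == '__main__':
    print(parse_serial(SAMPLE_SMALL_SERIAL))                  # 4096
    print(serial_to_hex(parse_serial(SAMPLE_LARGE_SERIAL)))   # 0ADEEB240475AB563914E95A22E285BF
    try:
        buggy_parse_serial(SAMPLE_LARGE_SERIAL)
    except ValueError as exc:
        print('buggy parser: %s' % exc)                       # invalid literal for int() ... 'Serial'
```

The decimal/hex switch is OpenSSL's own behaviour, not the certificate's: `X509_print` prints decimal only when the INTEGER fits in a `long`, otherwise it falls back to hex bytes. Any parser of `-text` output therefore has to accept both, and an eight-byte threshold observed on one platform is not a property of the certificate.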
Verified this bug with openshift-ansible-3.3.102-1.git.0.7983529.el7

Generate a custom router cert issued by a self-signed CA cert; the router cert should have a large serial number like:

[cucushift@dhcp-129-188 files]$ openssl x509 -in m01.example.com.crt -text
..
Serial Number: 0a:de:eb:24:04:75:ab:56:39:14:e9:5a:22:e2:85:c2

Install a containerized ocp-3.3 cluster on Atomic Host, with the local router certificate set in the ansible inventory file:

openshift_hosted_router_certificate={"certfile": "/files/m01.example.com.crt", "keyfile": "/files/m01.example.com.key", "cafile": "/files/rootCA.pem"}

After installation finished, run the certificate expiry checker easy-mode playbook:

ansible-playbook -i host_file /usr/share/ansible/openshift-ansible/playbooks/certificate_expiry/easy-mode.yaml

The playbook works well without error.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1666