Bug 1464545 - [3.3] openshift_cert_expiry Can not parse certs with DER encoded Serial Numbers
Summary: [3.3] openshift_cert_expiry Can not parse certs with DER encoded Serial Numbers
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.3.1
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
: 3.3.1
Assignee: Tim Bielawa
QA Contact: Gaoyun Pei
URL:
Whiteboard:
Depends On: 1464240 1464546
Blocks: 1464543 1464544
TreeView+ depends on / blocked
 
Reported: 2017-06-23 17:58 UTC by Scott Dodson
Modified: 2017-06-29 13:34 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Hosts missing OpenSSL python library. Consequence: Large Serial numbers could not be parsed using the existing manual parser work-around for missing OpenSSL libs. Fix: Manual parser updated to account for format of certificates with large serial numbers. Result: Certificates with large serials on hosts missing the OpenSSL python library can now be parsed (such as during cert expiration checking or certificate redeployment).
Clone Of: 1464240
Environment:
Last Closed: 2017-06-29 13:34:41 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:1666 0 normal SHIPPED_LIVE OpenShift Container Platform atomic-openshift-utils bug fix and enhancement 2017-06-29 17:32:39 UTC

Description Scott Dodson 2017-06-23 17:58:03 UTC 
+++ This bug was initially created as a clone of Bug #1464240 +++

Description of problem:

Use of the openshift_cert_expiry role breaks on certificates with very large (more than 8 content (non-0x00) bytes) serial numbers.

Typical certificates which would fall under this category are those issued by the main Trust Authorities (ex: DigiCert), as they will have issued very many certificates.


Version-Release number of selected component (if applicable):

OCP 3.2+ (earliest branch which contains the openshift_cert_expiry role)


How reproducible:
Can be reproduced on any certificate with a very large serial number, such as those issued by commercial Trust Authorities.


Steps to Reproduce:
1. Install a commercially purchased certificate on your master as it's certificate authority certificate
2. Run the openshift_cert_expiry role against your cluster

Actual results:

Traceback (most recent call last):
  File "./cert-test.py", line 8, in <module>
    certobj = FakeOpenSSLCertificate(open(cert).read())
  File "openshift-ansible/roles/openshift_certificate_expiry/library/openshift_cert_expiry.py", line 100, in __init__
    self._parse_cert()
  File "openshift-ansible/roles/openshift_certificate_expiry/library/openshift_cert_expiry.py", line 121, in _parse_cert
    self.serial = int(l.split()[-2])
ValueError: invalid literal for int() with base 10: 'Serial'

Expected results:

The expiry role runs fine and generates a report in your desired format(s).

Additional info:

The cert_expiry role uses a custom cert parser on systems lacking the OpenSSL python library. Typically these are Atomic Host systems, but may not always be.


The format of the serial when it exceeds the default decimal-format output limits is BER/DER encoding. For example:

    Serial Number:
        0a:de:eb:24:04:75:ab:56:39:14:e9:5a:22:e2:85:bf

Python does not have a built in ASN.1 parsing library so decoding of the DER value will have to be added in manually. The current best idea I have for this is to vendor/copy the popular python-asn1 library

--- Additional comment from Tim Bielawa on 2017-06-22 14:51:59 EDT ---

This bug will not be hit by all customers. Those most likely to run into this will be those using commercially purchased certificates on their master to issue certificates to other OCP components.

Customers using the certificate redeploy role, who are also using commercial certificates are also more likely to run into this issue as the certificate redeploy role uses functionality from the cert expiration checking role to optimize/verify certificate redeploys.

--- Additional comment from Tim Bielawa on 2017-06-22 14:54:19 EDT ---

Referenced asn.1 library: https://pypi.python.org/pypi/asn1/2.1.0

--- Additional comment from Tim Bielawa on 2017-06-23 11:17:23 EDT ---

Update, this is easier than anticipated. The serial is actually printing in HEX format. I have a PR almost ready to go for this.

--- Additional comment from Tim Bielawa on 2017-06-23 11:29:50 EDT ---

PR for master branch. Backports will follow shortly.

https://github.com/openshift/openshift-ansible/pull/4573
Comment 1 Scott Dodson 2017-06-23 18:01:16 UTC 
https://github.com/openshift/openshift-ansible/issues/4575
Comment 9 Gaoyun Pei 2017-06-28 09:44:31 UTC 
Verify this bug with openshift-ansible-3.3.102-1.git.0.7983529.el7

Generate a custom router cert issued by a self-signed CA cert, and the router cert should have a large serial number like:
[cucushift@dhcp-129-188 files]$ openssl x509 -in m01.example.com.crt -text
..
        Serial Number:
            0a:de:eb:24:04:75:ab:56:39:14:e9:5a:22:e2:85:c2

Install a containerized ocp-3.3 cluster on Atomic Host, set local router certificate used in ansible inventory file 
openshift_hosted_router_certificate={"certfile": "/files/m01.example.com.crt", "keyfile": "/files/m01.example.com.key", "cafile": "/files/rootCA.pem"}

After installation finished, run certificate expiry checker easy-mode playbook
ansible-playbook -i host_file /usr/share/ansible/openshift-ansible/playbooks/certificate_expiry/easy-mode.yaml
The playbook works well without error.
Comment 12 errata-xmlrpc 2017-06-29 13:34:41 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1666
Note You need to log in before you can comment on or make changes to this bug.