1485498 – Certificate errors for Chrome 60 and Firefox 52.3.0 on Mac OS

Bug 1485498 - Certificate errors for Chrome 60 and Firefox 52.3.0 on Mac OS

Summary: Certificate errors for Chrome 60 and Firefox 52.3.0 on Mac OS

Keywords:
Status:	CLOSED DUPLICATE of bug 1445580
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-tripleo-ui
Sub Component:
Version:	unspecified
Hardware:	Unspecified
OS:	Mac OS
Priority:	high
Severity:	high
Target Milestone:	---
Target Release:	12.0 (Pike)
Assignee:	Harry Rybacki
QA Contact:	Ola Pavlenko
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-08-25 21:33 UTC by Anandeep Pannu
Modified:	2017-10-03 16:15 UTC (History)
CC List:	9 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-10-03 14:17:21 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
Firefox "secure connection failed" snapshot (295.04 KB, image/png) 2017-08-25 21:33 UTC, Anandeep Pannu	no flags	Details
Chrome "Your connection is not secure" screenshot (220.23 KB, image/png) 2017-08-25 21:35 UTC, Anandeep Pannu	no flags	Details
View All

Description Anandeep Pannu 2017-08-25 21:33:25 UTC

Created attachment 1318341 [details]
Firefox "secure connection failed" snapshot

Description of problem:
Get the error 

Version-Release number of selected component (if applicable):
OSP 10, 11, 12 

How reproducible:


Use a browser on Mac OS X El Capitan (10.11.6) 

Browsers used were 
(1) Chrome 54.0.2840.98 (64-bit)
(2) Firefox 52.3.0 Firefox Extended Support Release ESR

Try to open URL for undercloud install 

Steps to Reproduce:
1.
2.
3.

Actual results:
See attachments below from Chrome and Firefox - with certificate error messages 


Expected results:


Additional info:

Comment 1 Anandeep Pannu 2017-08-25 21:35:17 UTC

Created attachment 1318344 [details]
Chrome "Your connection is not secure" screenshot

Comment 2 Anandeep Pannu 2017-08-25 21:38:14 UTC

From dtrainor

"I was looking at the SSL certificate used[0] and it doesn't have a Subject Alternative Name for the system, which I understand Chrome on OSX now requires.  That's what is going to prevent this from working.  As it is right now, however, it does work on other browsers on other platforms - for example, I have no problems with this using Chrome 60 on Fedora - weird.

When you open a bug, you can reference this link[1] for more information.  

We need to add an additional value (the VIP, or 8.43.87.242), to the SubjectAltName value of the certificate.  This needs to happen automatically as part of the Undercloud install.  Since the Undercloud won't know what this IP should be, it probably needs to be specified as an install-time parameter, perhaps in the undercloud.conf file prior to 'openstack undercloud install'.  
"

---

[0] http://paste.openstack.org/show/619087/
[1] https://www.thesslstore.com/blog/security-changes-in-chrome-58/

Comment 5 Juan Antonio Osorio 2017-09-26 11:21:35 UTC

Well, the autogenerated certificate has been using a subjectaltname for a while. Checking it, it seems to be in OSP10 as well. What is this error reported for? the undercloud or the overcloud?

If it's the overcloud, we do expect folks to generate their own certificates; perhaps what should be fixed is the documentation where it gives an example of how to generate a certificate, and we should include setting up a SubjectAltName there.

Comment 6 Juan Antonio Osorio 2017-09-26 11:24:03 UTC

Uhm... If it's the undercloud, I think it might be related to this bug https://bugzilla.redhat.com/show_bug.cgi?id=1445580

Comment 8 Anandeep Pannu 2017-09-29 16:10:42 UTC

The error occurred in the undercloud

Comment 9 Harry Rybacki 2017-10-03 14:17:21 UTC

Closing this as a duplicate or RHBZ#1445580[1].

[1] - https://bugzilla.redhat.com/show_bug.cgi?id=1445580

*** This bug has been marked as a duplicate of bug 1445580 ***

Note You need to log in before you can comment on or make changes to this bug.