Bug 1493276 - Setting servingInfo.clientCA to ca-bundle.crt can cause unwanted client cert popups in browser when hitting console
Summary: Setting servingInfo.clientCA to ca-bundle.crt can cause unwanted client cert ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.6.0
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: ---
: 3.7.0
Assignee: Andrew Butcher
QA Contact: Gaoyun Pei
URL:
Whiteboard:
: 1259029 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-09-19 19:27 UTC by Ryan Howe
Modified: 2019-10-10 12:17 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-11-28 22:11:25 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:3188 0 normal SHIPPED_LIVE Moderate: Red Hat OpenShift Container Platform 3.7 security, bug, and enhancement update 2017-11-29 02:34:54 UTC

Description Ryan Howe 2017-09-19 19:27:00 UTC 
Description of problem:

If a Company CA is added to namedcertificates, the CA is added to ca-bundle.crt as well. This can cause client cert popups when using IE,Safari or Chrome if the user has client certs configured via the browser. 

OpenShift is making a request for client certificates but will ignore if there is none are presented.

3.4-5
https://github.com/kubernetes/kubernetes/blob/release-1.5/pkg/genericapiserver/serve.go#L80
3.6
https://github.com/kubernetes/apiserver/blob/release-1.6/pkg/server/serve.go#L71-L77


We only need the clientCA to be set to the Internal OpenShift CA used "ca.crt" not the bundle. 

https://github.com/openshift/openshift-ansible/blob/master/roles/openshift_master/templates/master.yaml.v1.j2#L106


Version-Release number of the following components:
Latest 


How reproducible:
100% 

Steps to reproduce: 

Add client certs that are signed by a ca referenced in the ca-bundle.crt to chrome. Then access OpenShift console.
Comment 1 Ryan Howe 2017-09-19 19:30:31 UTC 
*** Bug 1259029 has been marked as a duplicate of this bug. ***
Comment 2 Scott Dodson 2017-09-19 19:54:20 UTC 
Jordan can you validate that not using the ca-bundle.crt which includes the nameCertificates CA is the correct thing to do here?
Comment 3 Jordan Liggitt 2017-09-19 20:18:42 UTC 
Yes, just the internal CA should be set for client cert CA, not the full bundle populated for named certificates
Comment 4 openshift-github-bot 2017-10-09 21:28:19 UTC 
Commit pushed to master at https://github.com/openshift/openshift-ansible

https://github.com/openshift/openshift-ansible/commit/60c770af09aaf5572b61d6d71ddda88db2dd7de2
Merge pull request #5698 from abutcher/servinginfo-client-ca

Automatic merge from submit-queue.

Bug 1493276: Setting servingInfo.clientCA to ca-bundle.crt can cause unwanted client cert popups in browser when hitting console

https://bugzilla.redhat.com/show_bug.cgi?id=1493276
Comment 6 Gaoyun Pei 2017-10-12 08:04:27 UTC 
Verify this bug with openshift-ansible-3.7.0-0.148.0.git.0.b35eb14.el7.noarch

For fresh install ocp-3.7 cluster, servingInfo.clientCA was set to ca.crt by default now.

For old env which was using ca-bundle.crt as servingInfo.clientCA, after running /usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-openshift-ca.yml playbook, it could be changed to ca.crt.
Comment 10 errata-xmlrpc 2017-11-28 22:11:25 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:3188
Note You need to log in before you can comment on or make changes to this bug.