Bug 1493276 - Setting servingInfo.clientCA to ca-bundle.crt can cause unwanted client cert popups in browser when hitting console
Status: CLOSED ERRATA
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.6.0
Priority: high
Severity: medium
Target Release: 3.7.0
Assigned To: Andrew Butcher
QA Contact: Gaoyun Pei
Duplicates: 1259029
Reported: 2017-09-19 15:27 EDT by Ryan Howe
Modified: 2017-11-28 17:11 EST
Doc Type: If docs needed, set a value
Last Closed: 2017-11-28 17:11:25 EST
Type: Bug

External Trackers:
Red Hat Product Errata RHSA-2017:3188 (normal, SHIPPED_LIVE): Moderate: Red Hat OpenShift Container Platform 3.7 security, bug, and enhancement update (last updated 2017-11-28 21:34:54 EST)
Description Ryan Howe 2017-09-19 15:27:00 EDT
Description of problem:

If a Company CA is added to namedCertificates, the CA is added to ca-bundle.crt as well. This can cause client cert popups when using IE, Safari or Chrome if the user has client certs configured in the browser.

OpenShift is making a request for client certificates but will ignore it if none are presented.

3.4-5
https://github.com/kubernetes/kubernetes/blob/release-1.5/pkg/genericapiserver/serve.go#L80
3.6
https://github.com/kubernetes/apiserver/blob/release-1.6/pkg/server/serve.go#L71-L77


We only need the clientCA to be set to the internal OpenShift CA used, "ca.crt", not the bundle.

https://github.com/openshift/openshift-ansible/blob/master/roles/openshift_master/templates/master.yaml.v1.j2#L106


Version-Release number of the following components:
Latest 


How reproducible:
100% 

Steps to reproduce:

Add client certs that are signed by a CA referenced in the ca-bundle.crt to Chrome. Then access the OpenShift console.
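The mechanism the report describes (the apiserver asks every browser for a client certificate and names every CA in clientCA as acceptable, so a browser holding a certificate issued by one of those CAs prompts the user), as an added Go example that is not part of this bug report or of the OpenShift/Kubernetes code. Two constructed self-signed CAs stand in for the internal ca.crt and a company CA; the subject names and the in-memory pipe are demo assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCA builds a throwaway CA (constructed for this demo; it doubles as the server cert).
func selfSignedCA(cn string) tls.Certificate {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// advertisedClientCAs runs one in-memory handshake against a server configured like the apiserver (RequestClientCert
// + ClientCAs) and returns the CA subjects it puts in its CertificateRequest: what a browser matches installed certs against.
func advertisedClientCAs(server tls.Certificate, clientCA ...tls.Certificate) (names []string) {
	pool := x509.NewCertPool()
	for _, ca := range clientCA { pool.AddCert(ca.Leaf) } // every pool entry becomes an advertised CA name
	srv := &tls.Config{Certificates: []tls.Certificate{server}, ClientCAs: pool, ClientAuth: tls.RequestClientCert}
	cli := &tls.Config{InsecureSkipVerify: true, // private in-memory pipe, no server identity to check
		GetClientCertificate: func(req *tls.CertificateRequestInfo) (*tls.Certificate, error) {
			for _, raw := range req.AcceptableCAs { // DER-encoded DistinguishedNames
				var dn pkix.RDNSequence
				if _, err := asn1.Unmarshal(raw, &dn); err == nil { names = append(names, dn.String()) }
			}
			return &tls.Certificate{}, nil // like a browser with no matching cert: send an empty list
		}}
	cConn, sConn := net.Pipe()
	go func() { tls.Server(sConn, srv).Handshake(); sConn.Close() }()
	tls.Client(cConn, cli).Handshake(); cConn.Close() // RequestClientCert tolerates the empty list
	return names
}

func main() {
	in, co := selfSignedCA("openshift-signer"), selfSignedCA("company-ca")
	fmt.Println(advertisedClientCAs(in, in), advertisedClientCAs(in, in, co)) // ca.crt vs ca-bundle.crt
}
```

With only the internal CA configured the server advertises one name; with the bundle it also advertises the company CA, which is the entry a browser holding a company-issued client certificate reacts to.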
Comment 1 Ryan Howe 2017-09-19 15:30:31 EDT
*** Bug 1259029 has been marked as a duplicate of this bug. ***
Comment 2 Scott Dodson 2017-09-19 15:54:20 EDT
Jordan, can you validate that not using the ca-bundle.crt, which includes the namedCertificates CA, is the correct thing to do here?
Comment 3 Jordan Liggitt 2017-09-19 16:18:42 EDT
Yes, just the internal CA should be set as the client cert CA, not the full bundle populated for named certificates.
Comment 4 openshift-github-bot 2017-10-09 17:28:19 EDT
Commit pushed to master at https://github.com/openshift/openshift-ansible

https://github.com/openshift/openshift-ansible/commit/60c770af09aaf5572b61d6d71ddda88db2dd7de2
Merge pull request #5698 from abutcher/servinginfo-client-ca

Automatic merge from submit-queue.

Bug 1493276: Setting servingInfo.clientCA to ca-bundle.crt can cause unwanted client cert popups in browser when hitting console

https://bugzilla.redhat.com/show_bug.cgi?id=1493276
Comment 6 Gaoyun Pei 2017-10-12 04:04:27 EDT
Verified this bug with openshift-ansible-3.7.0-0.148.0.git.0.b35eb14.el7.noarch.

For a fresh-install OCP 3.7 cluster, servingInfo.clientCA is now set to ca.crt by default.

For an old environment that was using ca-bundle.crt as servingInfo.clientCA, it could be changed to ca.crt by running the /usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-openshift-ca.yml playbook.
Comment 10 errata-xmlrpc 2017-11-28 17:11:25 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:3188
