Bug 1520778
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | Can't log in to the director UI with Firefox | | |
| Product: | Red Hat OpenStack | Reporter: | Udi Kalifon <ukalifon> |
| Component: | openstack-tripleo-ui | Assignee: | Juan Antonio Osorio <josorior> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Arik Chernetsky <achernet> |
| Severity: | urgent | Docs Contact: | |
| Priority: | medium | | |
| Version: | 12.0 (Pike) | CC: | alee, asimonel, beth.white, hrybacki, jjoyce, jrist, jschluet, rcritten, slinaber, tvignaud, ukalifon |
| Target Milestone: | --- | Keywords: | Triaged, ZStream |
| Target Release: | 12.0 (Pike) | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 1546364 1546366 | Environment: | |
| Last Closed: | 2018-11-01 19:59:55 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1551635 | | |
| Bug Blocks: | 1546364, 1546366 | | |

Description
Udi Kalifon
2017-12-05 07:01:16 UTC
This happens to me only on my bare metal setup, and not with my virtual environments which are set up with IR... It could be a configuration issue but I need help figuring out how the certificate is generated and what options control it.

What version of Firefox?

Firefox version 57.0.1

Udi, could you provide the certificate that is being presented please?

Figured out which cert it is ..

I've duplicated this outside of OpenStack using just certmonger and Apache. It looks like an issue with the CA cert that certmonger is generating. I don't know if you want to re-assign this to certmonger or generate a new bug.

I should clarify that I'm not 100% sure I'm completely duplicating things. I can get a similar error message in Firefox but if you could provide the getcert usage you are using that would help me be sure I'm seeing exactly the same thing.

Just to update -- the certmonger getcert request comes from puppet-tripleo https://github.com/openstack/puppet-tripleo/blob/b3d0b2f25a120501e1dafa9e0c289bc5630dbc29/manifests/certmonger/haproxy.pp#L108 which passes in key usages etc. That's one of the things that is weird about this cert -- no key usages.

Looking at puppet-certmonger, looks like we're passing the ekus in -U arguments.

Udi, in your environment, can you provide the output of: sudo getcert list (on the undercloud)

I think I have a handle on the issue now. certmonger is not setting the CA basic constraint properly which results in improper DER-encoding.

I still see this with RHEL 7.4 with firefox-52.2.0-2.el7.x86_64 and an OSP 12 director using ssl. I'm not sure which certs to load into Firefox to get around it. From the director host what certs do I need to bring down to my client to load into Firefox? Thanks!

The issue isn't in Firefox or OSP, it is in certmonger. This is fixed in EL 7.5. You need certmonger-0.78.4-3.el7.1. See https://bugzilla.redhat.com/show_bug.cgi?id=1560961

I see. Thanks!

This does not apply to recent versions of OSP, as it was an issue in certmonger and resolved in RHEL7.5+. Closing as CURRENT_RELEASE.
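
Added illustration (not code from this bug report or from certmonger): the thread attributes the failure to an improperly DER-encoded CA basic constraint but does not say which rule was broken, so this Python sketch checks the general DER rules for a BasicConstraints extension value. The function names and the sample byte strings in the test comments are constructed for the example.

```python
# BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE,
#                                 pathLenConstraint INTEGER (0..MAX) OPTIONAL }

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one DER tag-length-value element."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length

def check_basic_constraints(ext_value):
    """List DER violations in the bytes carried inside the extnValue OCTET STRING."""
    tag, body, end = read_tlv(ext_value, 0)
    if tag != 0x30:
        return ["outer element is not a SEQUENCE"]
    problems = []
    if end != len(ext_value):
        problems.append("trailing bytes after SEQUENCE")
    pos = 0
    if pos < len(body) and body[pos] == 0x01:          # cA BOOLEAN
        _, val, pos = read_tlv(body, pos)
        if len(val) != 1:
            problems.append("BOOLEAN length is not 1")
        elif val == b"\x00":
            problems.append("cA=FALSE encoded explicitly; DER omits DEFAULT values")
        elif val != b"\xff":
            problems.append("BOOLEAN TRUE must be encoded as 0xFF in DER")
    if pos < len(body) and body[pos] == 0x02:          # pathLenConstraint
        _, val, pos = read_tlv(body, pos)
        if not val:
            problems.append("INTEGER has no content bytes")
        elif val[0] & 0x80:
            problems.append("pathLenConstraint is negative")
        elif len(val) > 1 and val[0] == 0 and not val[1] & 0x80:
            problems.append("INTEGER is not minimally encoded")
    if pos != len(body):
        problems.append("unexpected extra element in SEQUENCE")
    return problems
```

The extension value bytes for a certificate can be located with `openssl asn1parse` and passed to `check_basic_constraints` as a `bytes` object.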