Description of problem:
When trying to connect to the director UI with Firefox, you get:

Certificate extension value is invalid.
Error code: SEC_ERROR_EXTENSION_VALUE_INVALID

This error means that a certificate has an extension with an empty value. Re-generate the certificate without the extension, or re-generate it with a non-empty value.

Version-Release number of selected component (if applicable):
openstack-tripleo-ui-7.4.3-4.el7ost.noarch

How reproducible:
100%

Steps to Reproduce:
1. Use Firefox to connect to the UI

Actual results:
Connection error. You also can't add an exception and accept this certificate.
This happens to me only on my bare metal setup, and not with my virtual environments which are set up with IR... It could be a configuration issue but I need help figuring out how the certificate is generated and what options control it.
What version of Firefox?
Firefox version 57.0.1
Udi, could you provide the certificate that is being presented please?
Figured out which cert it is.
I've duplicated this outside of OpenStack using just certmonger and Apache. It looks like an issue with the CA cert that certmonger is generating. I don't know if you want to re-assign this to certmonger or generate a new bug.
I should clarify that I'm not 100% sure I'm completely duplicating things. I can get a similar error message in Firefox but if you could provide the getcert usage you are using that would help me be sure I'm seeing exactly the same thing.
Just to update -- the certmonger getcert request comes from puppet-tripleo https://github.com/openstack/puppet-tripleo/blob/b3d0b2f25a120501e1dafa9e0c289bc5630dbc29/manifests/certmonger/haproxy.pp#L108 which passes in key usages etc. That's one of the things that is weird about this cert -- no key usages. Looking at puppet-certmonger, looks like we're passing the ekus in -U arguments. Udi, in your environment, can you provide the output of: sudo getcert list (on the undercloud)
I think I have a handle on the issue now. certmonger is not setting the CA basic constraint properly which results in improper DER-encoding.
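The condition Firefox is complaining about (an extension whose extnValue OCTET STRING is empty) can be confirmed directly on the DER rather than by guessing from the browser dialog. The script below is an added example for this thread, not code from certmonger, tripleo-ui or the bug reporter: a dependency-free DER walker that lists every extension with an empty value and reads the cA flag out of basicConstraints. The two sample Extensions blobs are constructed inline (one with an empty basicConstraints value, one well-formed); function names such as `find_empty_extensions` and `basic_constraints_ca` are mine. Pass a PEM or DER certificate path on the command line to run it against a real cert.

```python
"""Find X.509 extensions with an empty extnValue (what Firefox reports as
SEC_ERROR_EXTENSION_VALUE_INVALID) and read the basicConstraints cA flag.
Pure Python, no third-party dependencies."""
import base64
import sys
from typing import Iterator, List, Optional, Tuple

BASIC_CONSTRAINTS_OID = "2.5.29.19"


def read_tlv(data: bytes, pos: int) -> Tuple[int, bool, bytes, int]:
    """Decode one DER tag-length-value at pos; return (tag, constructed, value, next_pos)."""
    tag = data[pos]
    constructed = bool(tag & 0x20)
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    value = data[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, constructed, value, pos + length


def iter_children(value: bytes) -> Iterator[Tuple[int, bool, bytes]]:
    """Yield the TLVs contained in a constructed element's value."""
    pos = 0
    while pos < len(value):
        tag, constructed, inner, pos = read_tlv(value, pos)
        yield tag, constructed, inner


def decode_oid(value: bytes) -> str:
    """Dotted-string form of a DER OBJECT IDENTIFIER value."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def parse_extension(children) -> Optional[Tuple[str, bool, bytes]]:
    """Match the Extension shape: OID, optional BOOLEAN critical, OCTET STRING extnValue."""
    if not children or children[0][0] != 0x06:
        return None
    oid = decode_oid(children[0][2])
    critical, idx = False, 1
    if idx < len(children) and children[idx][0] == 0x01:
        critical = children[idx][2] != b"\x00"
        idx += 1
    if idx != len(children) - 1 or children[idx][0] != 0x04:
        return None
    return oid, critical, children[idx][2]


def walk_extensions(der: bytes) -> Iterator[Tuple[str, bool, bytes]]:
    """Recursively yield (oid, critical, extnValue) for every Extension-shaped SEQUENCE."""
    for tag, constructed, value in iter_children(der):
        if not constructed:
            continue
        if tag == 0x30:
            ext = parse_extension(list(iter_children(value)))
            if ext:
                yield ext
                continue
        yield from walk_extensions(value)


def find_empty_extensions(der: bytes) -> List[str]:
    """OIDs of extensions whose extnValue is zero length (invalid per RFC 5280)."""
    return [oid for oid, _crit, val in walk_extensions(der) if len(val) == 0]


def basic_constraints_ca(der: bytes) -> Optional[bool]:
    """cA flag from basicConstraints; None if the extension is absent or its value is empty."""
    for oid, _crit, val in walk_extensions(der):
        if oid != BASIC_CONSTRAINTS_OID:
            continue
        if not val:
            return None
        tag, _c, inner, _ = read_tlv(val, 0)
        if tag != 0x30:
            return None
        for ctag, _cc, cval in iter_children(inner):
            if ctag == 0x01:
                return cval != b"\x00"
        return False  # SEQUENCE {} encodes cA DEFAULT FALSE
    return None


def tlv(tag: int, value: bytes) -> bytes:
    """Encode a DER TLV (used only to build the constructed samples below)."""
    n = len(value)
    if n < 128:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


# Constructed samples: an [3] EXPLICIT Extensions block as found in a TBSCertificate.
OID_BC = bytes.fromhex("551d13")  # 2.5.29.19 basicConstraints
OID_KU = bytes.fromhex("551d0f")  # 2.5.29.15 keyUsage
_KEY_USAGE = tlv(0x30, tlv(0x06, OID_KU) + tlv(0x04, tlv(0x03, b"\x05\xa0")))
BROKEN_EXTENSIONS = tlv(0xA3, tlv(0x30,
    tlv(0x30, tlv(0x06, OID_BC) + tlv(0x01, b"\xff") + tlv(0x04, b"")) + _KEY_USAGE))
GOOD_EXTENSIONS = tlv(0xA3, tlv(0x30,
    tlv(0x30, tlv(0x06, OID_BC) + tlv(0x01, b"\xff")
        + tlv(0x04, tlv(0x30, tlv(0x01, b"\xff")))) + _KEY_USAGE))


def load_der(path: str) -> bytes:
    """Read a certificate file, unwrapping PEM armour if present."""
    raw = open(path, "rb").read()
    if raw.startswith(b"-----BEGIN"):
        body = b"".join(l for l in raw.splitlines() if not l.startswith(b"-----"))
        return base64.b64decode(body)
    return raw


if __name__ == "__main__":
    der = load_der(sys.argv[1]) if len(sys.argv) > 1 else BROKEN_EXTENSIONS
    print("empty extensions:", find_empty_extensions(der) or "none")
    print("basicConstraints cA:", basic_constraints_ca(der))
```

On the broken sample this prints `empty extensions: ['2.5.29.19']` and `basicConstraints cA: None`; a well-formed CA certificate prints `none` and `True`. The walker matches any SEQUENCE shaped like an Extension, so it works on a whole certificate without needing to know where the [3] Extensions block sits.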
I still see this with RHEL 7.4 with firefox-52.2.0-2.el7.x86_64 and an OSP 12 director using ssl. I'm not sure which certs to load into Firefox to get around it. From the director host what certs do I need to bring down to my client to load into Firefox? Thanks!
The issue isn't in Firefox or OSP, it is in certmonger. This is fixed in EL 7.5. You need certmonger-0.78.4-3.el7.1. See https://bugzilla.redhat.com/show_bug.cgi?id=1560961
I see. Thanks!
This does not apply to recent versions of OSP, as it was an issue in certmonger and resolved in RHEL7.5+ Closing as CURRENT_RELEASE.