Description of problem:
oVirt/RHV currently use a direct Fluentd to Elasticsearch connection using client cert auth (so cannot use a reencrypt route). Fluentd has to disable ssl verify because the Elasticsearch server cert hostname in the subjectDN and subjectAltName are the internal cluster hostname(s) and not externally resolvable. We need the ability to add an external hostname to be used in the Elasticsearch SSL server cert for the subjectDN or subjectAltName. Severity high because this is security related.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
(In reply to Shirly Radco from comment #1)
> Can you target this to 3.9?

It is too late for 3.9.0. I'm keeping this bug for 3.10, and I've cloned a new bug for 3.9.1
How to test: deploy logging with ansible setting these parameters

openshift_logging_es_allow_external=True
openshift_logging_es_hostname=es.openshift.public.hostname

if deploying the ops cluster, add these

openshift_logging_es_allow_external=True
openshift_logging_es_hostname=es.openshift.public.hostname

After logging is deployed, do this:

oc project logging
oc get endpoints
logging-es       10.128.0.26:9200   28m
logging-es-ops   10.128.0.27:9200   28m

openssl s_client -connect 10.128.0.26:9200 -showcerts > es
Use Ctrl-C to exit out of s_client

openssl s_client -connect 10.128.0.27:9200 -showcerts > es-ops
Use Ctrl-C to exit out of s_client

For the files es and es-ops - edit the files - you want to remove everything before the first line that begins with -----BEGIN CERTIFICATE----- and remove everything after the first line that begins with -----END CERTIFICATE-----

That is, after you are finished, the file should contain something like this:

-----BEGIN CERTIFICATE-----
MIIC2jCCAcKgAwIBAgIBATANBgkqhkiG9w0BAQsFADAeMRwwGgYDVQQDExNsb2dn
...
9xBULophhdigIpspVX8=
-----END CERTIFICATE-----

next

openssl x509 -in es -text | less

if you scroll down you should see something like this:

X509v3 Subject Alternative Name:
    DNS:localhost, IP Address:127.0.0.1, DNS:logging-es, DNS:logging-es.logging.svc.cluster.local, DNS:logging-es-cluster, DNS:logging-es-cluster.logging.svc.cluster.local, DNS:logging-es-ops, DNS:logging-es-ops.logging.svc.cluster.local, DNS:logging-es-ops-cluster, DNS:logging-es-ops-cluster.logging.svc.cluster.local, DNS:es.openshift.public.hostname, DNS:es-ops.openshift.public.hostname

repeat for es-ops if using the ops cluster
https://github.com/openshift/openshift-ansible/pull/7931
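The manual check from the test instructions (capture the server cert with s_client, keep the first PEM block, look for the external hostname in the subjectAltName) as a POSIX shell script. This is an added example, not code from the bug report or from openshift-ansible; the endpoint address and es.openshift.public.hostname are taken from the instructions above and are assumptions about your deployment.

```shell
#!/bin/sh
# Added example (not from openshift-ansible): confirm that the first certificate
# presented by an Elasticsearch endpoint lists the external hostname as a DNS SAN.

# Keep only the first PEM certificate (chain element 0, the server cert) from
# `openssl s_client -showcerts` output; everything before/after is dropped.
extract_first_cert() {
    sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' "$1" |
        sed '/^-----END CERTIFICATE-----/q'
}

# Print the DNS entries of the certificate's subjectAltName, one per line.
# "IP Address:" entries (e.g. 127.0.0.1) are intentionally skipped.
san_dns_names() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' |
        sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# Exit 0 if hostname $2 is a DNS SAN of PEM certificate $1, 1 otherwise.
cert_has_dns_san() {
    san_dns_names "$1" | grep -qxF "$2"
}

# Fetch the certificate from host:port $1 and verify that hostname $2 is in its
# SAN. Reading stdin from /dev/null makes s_client exit on its own (no Ctrl-C).
check_es_endpoint() {
    raw=$(mktemp) && pem=$(mktemp)
    openssl s_client -connect "$1" -showcerts </dev/null >"$raw" 2>/dev/null
    extract_first_cert "$raw" >"$pem"
    if cert_has_dns_san "$pem" "$2"; then
        echo "OK: $1 presents a certificate with DNS SAN $2"
        rc=0
    else
        echo "FAIL: $1 certificate lacks DNS SAN $2; DNS SANs present:"
        san_dns_names "$pem" | sed 's/^/  /'
        rc=1
    fi
    rm -f "$raw" "$pem"
    return $rc
}

# Usage (assumed values from the test instructions):
#   sh check_es_san.sh 10.128.0.26:9200 es.openshift.public.hostname
if [ $# -eq 2 ]; then
    check_es_endpoint "$1" "$2"
fi
```

Run it once per endpoint (logging-es and, if deployed, logging-es-ops with es-ops.openshift.public.hostname); a non-zero exit means the external name is not in the SAN and Fluentd's hostname verification would still fail.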
Verified with ose-ansible:v3.10.0-0.37.0.0

Note that if the Elasticsearch name includes '-', it couldn't be added to the Alt name. You may get the following message:

Elasticsearch external hostname es.apps.0506-txp.qe.rhcloud.com contains invalid characters for certificate subject Alt Name. Not adding to Elasticsearch certificate.
(In reply to Anping Li from comment #5)
> Verified with ose-ansible:v3.10.0-0.37.0.0
>
> Note that if the elasticsearch name include '-' , It couldn't be added to
> Alt name.

No. The problem is that a hostname component begins with a digit. In this case, the problem is ".0506".

> You may get the following message:
> Elasticsearch external hostname es.apps.0506-txp.qe.rhcloud.com
> contains invalid characters for certificate subject Alt Name. Not adding to
> Elasticsearch certificate.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1816