Bug 1548154 - Provide external hostname for Elasticsearch server cert
Summary: Provide external hostname for Elasticsearch server cert
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Logging
Version: 3.10.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: 3.10.0
Assignee: Rich Megginson
QA Contact: Anping Li
URL:
Whiteboard:
Depends On:
Blocks: 1507407 1554878
Reported: 2018-02-22 20:52 UTC by Rich Megginson
Modified: 2018-07-30 19:10 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: The Elasticsearch server TLS certificate does not have an external hostname in the subject alt. name list. Consequence: Clients accessing Elasticsearch externally cannot turn on MITM server cert. validation. Fix: When configuring Elasticsearch to allow external access, add the external hostname in the subject alt. name list. Result: TLS clients can turn on server cert. validation.
Clone Of:
Clones: 1554878
Environment:
Last Closed: 2018-07-30 19:09:51 UTC
Target Upstream Version:




Links
System                  | ID                                      | Priority | Status | Summary | Last Updated
Red Hat Product Errata  | RHBA-2018:1816                          | None     | None   | None    | 2018-07-30 19:10:18 UTC
Github                  | openshift openshift-ansible pull 7931   | None     | None   | None    | 2018-04-12 01:40:54 UTC

Description Rich Megginson 2018-02-22 20:52:31 UTC
Description of problem:
oVirt/RHV currently use a direct Fluentd to Elasticsearch connection using client cert auth (so cannot use a reencrypt route).  Fluentd has to disable ssl verify because the Elasticsearch server cert hostname in the subjectDN and subjectAltName are the internal cluster hostname(s) and not externally resolvable.

We need the ability to add an external hostname to be used in the Elasticsearch SSL server cert for the subjectDN or subjectAltName.

Severity high because this is security related.


Comment 2 Rich Megginson 2018-03-13 14:06:41 UTC
(In reply to Shirly Radco from comment #1)
> Can you target this to 3.9?

It is too late for 3.9.0.  I'm keeping this bug for 3.10, and I've cloned a new bug for 3.9.1

Comment 3 Rich Megginson 2018-04-12 01:40:54 UTC
How to test:

deploy logging with ansible setting these parameters

openshift_logging_es_allow_external=True
openshift_logging_es_hostname=es.openshift.public.hostname

if deploying the ops cluster, add these

openshift_logging_es_ops_allow_external=True
openshift_logging_es_ops_hostname=es-ops.openshift.public.hostname

After logging is deployed, do this:

oc project logging

oc get endpoints
logging-es                  10.128.0.26:9200    28m
logging-es-ops              10.128.0.27:9200    28m

openssl s_client -connect 10.128.0.26:9200 -showcerts > es
Use Ctrl-C to exit out of s_client

openssl s_client -connect 10.128.0.27:9200 -showcerts > es-ops
Use Ctrl-C to exit out of s_client

For the files es and es-ops - edit the files - you want to remove everything before the first line that begins with
-----BEGIN CERTIFICATE-----
and remove everything after the first line that begins with
-----END CERTIFICATE-----

That is, after you are finished, the file should contain something like this:
-----BEGIN CERTIFICATE-----
MIIC2jCCAcKgAwIBAgIBATANBgkqhkiG9w0BAQsFADAeMRwwGgYDVQQDExNsb2dn
...
9xBULophhdigIpspVX8=
-----END CERTIFICATE-----

next

openssl x509 -in es -text | less

if you scroll down you should see something like this:

            X509v3 Subject Alternative Name:
                DNS:localhost, IP Address:127.0.0.1, DNS:logging-es, DNS:logging-es.logging.svc.cluster.local, DNS:logging-es-cluster, DNS:logging-es-cluster.logging.svc.cluster.local, DNS:logging-es-ops, DNS:logging-es-ops.logging.svc.cluster.local, DNS:logging-es-ops-cluster, DNS:logging-es-ops-cluster.logging.svc.cluster.local, DNS:es.openshift.public.hostname, DNS:es-ops.openshift.public.hostname

repeat for es-ops if using the ops cluster
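
As an added example (not part of this bug report or of openshift-ansible), the script below automates the manual steps in the test above: it keeps only the first PEM block from the s_client capture, parses the SAN entries out of `openssl x509 -text` output, and checks whether an external hostname is covered by a DNS SAN (exact or single-label wildcard). The s_client capture is a constructed sample; the SAN line is the one shown in this comment.

```python
import re

# Constructed sample of `openssl s_client -showcerts` output: banner noise,
# a made-up leaf cert body, a second (issuer) block and trailing session text.
SAMPLE_S_CLIENT = """CONNECTED(00000003)
depth=1 CN = logging-signer-test
---
Certificate chain
 0 s:/CN=logging-es
-----BEGIN CERTIFICATE-----
MIIC2jCCAcKgAwIBAgIBATANBgkqhkiG9w0BAQsFADAeMRwwGgYDVQQDExNsb2dn
9xBULophhdigIpspVX8=
-----END CERTIFICATE-----
 1 s:/CN=logging-signer-test
-----BEGIN CERTIFICATE-----
ISSUERCERTBODY
-----END CERTIFICATE-----
---
SSL handshake has read 2245 bytes and written 433 bytes
"""

# SAN line as printed by `openssl x509 -text` for the fixed server cert.
SAMPLE_SAN_TEXT = """            X509v3 Subject Alternative Name:
                DNS:localhost, IP Address:127.0.0.1, DNS:logging-es, DNS:logging-es.logging.svc.cluster.local, DNS:es.openshift.public.hostname, DNS:es-ops.openshift.public.hostname
"""

def first_pem_cert(s_client_output):
    """Keep only the first PEM block (the server's leaf cert), i.e. what the
    manual 'edit the file' step above leaves behind."""
    lines = s_client_output.splitlines()
    start = lines.index("-----BEGIN CERTIFICATE-----")
    end = lines.index("-----END CERTIFICATE-----", start)
    return "\n".join(lines[start:end + 1]) + "\n"

def parse_san(x509_text):
    """Return the SAN entries as (type, value) pairs, e.g. ('DNS', 'logging-es')."""
    m = re.search(r"X509v3 Subject Alternative Name:\s*(.+)", x509_text)
    if not m:
        return []
    return [tuple(item.strip().split(":", 1)) for item in m.group(1).split(",")]

def hostname_in_san(hostname, sans):
    """True if a DNS SAN covers hostname: exact (case-insensitive) match, or a
    wildcard such as *.example.com matching exactly one leftmost label."""
    host = hostname.lower().rstrip(".")
    for kind, value in sans:
        if kind != "DNS":
            continue  # IP Address entries never match a DNS hostname
        pat = value.lower()
        if pat == host:
            return True
        if pat.startswith("*.") and host.count(".") == pat.count(".") and host.endswith(pat[1:]):
            return True
    return False
```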

Comment 5 Anping Li 2018-05-08 10:18:33 UTC
Verified with ose-ansible:v3.10.0-0.37.0.0

Note that if the Elasticsearch name includes '-', it couldn't be added to the Alt Name.
You may get the following message:
       Elasticsearch external hostname es.apps.0506-txp.qe.rhcloud.com contains invalid characters for certificate subject Alt Name.  Not adding to Elasticsearch certificate.

Comment 6 Rich Megginson 2018-05-08 14:06:26 UTC
(In reply to Anping Li from comment #5)
> Verified with ose-ansible:v3.10.0-0.37.0.0
> 
> Note that if the elasticsearch name include '-' , It couldn't be added to
> Alt name. 

No.

The problem is that a hostname component begins with a digit.  In this case, the problem is ".0506".

> You may get the following message:
>        Elasticsearch external hostname es.apps.0506-txp.qe.rhcloud.com
> contains invalid characters for certificate subject Alt Name.  Not adding to
> Elasticsearch certificate.

Comment 8 errata-xmlrpc 2018-07-30 19:09:51 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1816

