Bug 1551635 - Can't log in to the director UI with Firefox
Summary: Can't log in to the director UI with Firefox
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: certmonger
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: ---
Assignee: Rob Crittenden
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On: 1551702
Blocks: 1520778 1546366 1560961
Reported: 2018-03-05 15:27 UTC by Rob Crittenden
Modified: 2018-10-30 07:44 UTC (History)
CC: 18 users

Fixed In Version: certmonger-0.78.4-4.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1546366
Clones: 1560961
Environment:
Last Closed: 2018-10-30 07:44:03 UTC
Target Upstream Version:
Embargoed:


Links:
Red Hat Product Errata RHBA-2018:3018 (last updated 2018-10-30 07:44:55 UTC)

Description Rob Crittenden 2018-03-05 15:27:58 UTC
+++ This bug was initially created as a clone of Bug #1546366 +++

*** This is also an issue for 13. *** 
Firefox version:
52.5.1 (64-bit)
also occurs with 58.0.2 (64-bit)



+++ This bug was initially created as a clone of Bug #1520778 +++

Description of problem:
When trying to connect to the director UI with Firefox, you get:

Certificate extension value is invalid. Error code: SEC_ERROR_EXTENSION_VALUE_INVALID

This error means that a certificate has an extension with an empty value. Re-generate the certificate without the extension, or re-generate it with a non-empty value.


Version-Release number of selected component (if applicable):
openstack-tripleo-ui-7.4.3-4.el7ost.noarch


How reproducible:
100%


Steps to Reproduce:
1. Use Firefox to connect to the UI


Actual results:
Connection error. You also can't add an exception and accept this certificate.

--- Additional comment from Udi on 2017-12-05 04:24:19 EST ---

This happens to me only on my bare metal setup, and not with my virtual environments which are set up with IR... It could be a configuration issue but I need help figuring out how the certificate is generated and what options control it.

--- Additional comment from Jason E. Rist on 2018-01-03 10:15:51 EST ---

What version of Firefox?

--- Additional comment from Udi on 2018-01-03 10:42:44 EST ---

Firefox version 57.0.1

--- Additional comment from Harry Rybacki on 2018-01-10 11:23:47 EST ---

Udi, could you provide the certificate that is being presented please?

--- Additional comment from Udi on 2018-01-11 03:39 EST ---

Attached is the certificate from the server. I extracted it with Chrome because firefox won't proceed with this certificate. I hope it's what you meant to ask for.

--- Additional comment from Harry Rybacki on 2018-01-11 09:26:38 EST ---

(In reply to Udi from comment #5)
> Created attachment 1379875 [details]
> certificate
> 
> Attached is the certificate from the server. I extracted it with Chrome
> because firefox won't proceed with this certificate. I hope it's what you
> meant to ask for.

Thanks Udi, I'm passing this along to Ozz now. He's still assisting in some training through this week so bear with us.

--- Additional comment from Red Hat Bugzilla Rules Engine on 2018-02-16 16:27:23 EST ---

This bugzilla has been removed from the Target Release until it has been release planned with 3-acks provided.

--- Additional comment from Jason E. Rist on 2018-02-16 17:21:15 EST ---



--- Additional comment from Red Hat Bugzilla Rules Engine on 2018-02-16 18:43:39 EST ---

This bugzilla has been removed from the Target Release until it has been release planned with 3-acks provided.

--- Additional comment from Scott Lewis on 2018-02-26 12:49:17 EST ---

This item has been properly Triaged and planned for the OSP13 release, and is being tagged for tracking. For details, see https://url.corp.redhat.com/1851efd

--- Additional comment from Red Hat Bugzilla Rules Engine on 2018-02-26 12:49:27 EST ---

This item has been properly Triaged and planned for the release, and Target Release is now set to match the release flag. For details, see https://mojo.redhat.com/docs/DOC-1144661#jive_content_id_OSP_Release_Planning

Comment 2 Rob Crittenden 2018-03-05 15:40:47 UTC
To reproduce:

Just installing and starting certmonger will generate a local CA. It is placed as a PKCS#12 file in /var/lib/certmonger/local/creds

You can pull the CA certificate out of the PKCS#12 file with:

# openssl pkcs12 -in /var/lib/certmonger/local/creds -out /tmp/ca.pem -nokeys -nodes -passin pass:''

To examine the certificate:

edit the file to drop the prefix before -----BEGIN CERTIFICATE----- to avoid an offset error.

# openssl asn1parse -in /tmp/ca.pem -inform pem

A non-working CA certificate will look like:

[ snip ]

  542:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Basic Constraints
  547:d=5  hl=2 l=   1 prim: BOOLEAN           :1
  550:d=5  hl=2 l=   5 prim: OCTET STRING      [HEX DUMP]:3003010101

This is an improperly encoded DER boolean value. It should look like:

  542:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Basic Constraints
  547:d=5  hl=2 l=   1 prim: BOOLEAN           :255
  550:d=5  hl=2 l=   5 prim: OCTET STRING      [HEX DUMP]:30030101FF

To confirm that it works with Firefox, generate a certificate using certmonger:

# getcert request -c local -f /etc/pki/tls/certs/local.crt -k /etc/pki/tls/private/local.key -U id-kp-clientAuth -U id-kp-serverAuth -u digitalSignature -u nonRepudiation -u keyEncipherment -u dataEncipherment

Install httpd and mod_ssl

Configure mod_ssl to use this certificate:

SSLCertificateFile /etc/pki/tls/certs/local.crt
SSLCertificateKeyFile /etc/pki/tls/private/local.key

Add the CA to the global trust:

# cp /tmp/ca.pem /etc/pki/ca-trust/source/anchors/cm-local-ca.pem
# update-ca-trust 

Restart httpd

Launch firefox and hit the host on port 443.
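
The check that comments 2 and 22 do by eye over the `openssl asn1parse` output, as an added example written for this page (it is not part of this bug report or of certmonger): a Python 3 script, standard library only, that pulls the CERTIFICATE block out of the PEM that `openssl pkcs12 -nokeys` writes (so the "Bag Attributes" preamble no longer has to be edited out by hand), then walks the DER and reports every BOOLEAN whose content octet is not 0x00 or 0xFF, which is what X.690 DER requires and is the encoding defect comment 2 identifies. The sample extension bytes are constructed from the two hex dumps in comment 2; the function and file names are the example's own.

```python
"""Flag BER-but-not-DER BOOLEAN encodings inside an X.509 certificate.

X.690 DER requires BOOLEAN TRUE to be the single content octet 0xFF; 0x01 is
valid BER but not DER, which is the defect comment 2 shows in the local CA's
Basic Constraints value (3003010101 instead of 30030101FF).
Added example for this page, standard library only; not certmonger code.
"""
import base64
import re
import sys

# First CERTIFICATE block only; anything before it (e.g. the "Bag Attributes"
# lines openssl pkcs12 emits) is ignored, so no manual edit of the PEM is needed.
_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(text: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in text."""
    m = _PEM_RE.search(text)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def _read_tlv(buf: bytes, pos: int):
    """Parse the tag/length header at pos; return (tag, content_start, content_end)."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("high tag numbers not supported")
    first = buf[pos + 1]
    if first < 0x80:                       # short-form length
        length, hdr = first, 2
    else:                                  # long form: 0x8n followed by n length octets
        n = first & 0x7F
        if n == 0 or n > 4:                # 0x80 is indefinite length, never DER
            raise ValueError("indefinite or oversized length")
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr = 2 + n
    start, end = pos + hdr, pos + hdr + length
    if end > len(buf):
        raise ValueError("length overruns buffer")
    return tag, start, end


def find_non_der_booleans(buf: bytes, offset: int = 0):
    """Walk buf and return [(absolute_offset, content_octet)] for every BOOLEAN
    that is not encoded as exactly one octet of 0x00 or 0xFF.

    Constructed elements (SEQUENCE, SET, context tags) are descended directly.
    An OCTET STRING whose content starts with a SEQUENCE tag is descended too,
    because that is how extnValue wraps Basic Constraints and similar extensions.
    """
    found = []
    pos = 0
    while pos < len(buf):
        tag, start, end = _read_tlv(buf, pos)
        content = buf[start:end]
        if tag == 0x01:                                    # BOOLEAN
            if len(content) != 1 or content[0] not in (0x00, 0xFF):
                found.append((offset + start, content[0] if content else None))
        elif tag & 0x20:                                   # constructed element
            found.extend(find_non_der_booleans(content, offset + start))
        elif tag == 0x04 and content[:1] == b"\x30":       # OCTET STRING holding a SEQUENCE
            try:
                found.extend(find_non_der_booleans(content, offset + start))
            except ValueError:
                pass                                       # opaque bytes, not an element
        pos = end
    return found


def check_pem(text: str):
    """PEM text in, list of (offset, octet) for offending BOOLEANs out."""
    return find_non_der_booleans(pem_to_der(text))


# Constructed sample: a critical Basic Constraints extension (OID 2.5.29.19)
# whose extnValue carries each of the two encodings from comment 2's asn1parse output.
BAD_EXTENSION = bytes.fromhex("300f0603551d130101ff04053003010101")   # cA = 0x01 (BER only)
GOOD_EXTENSION = bytes.fromhex("300f0603551d130101ff040530030101ff")  # cA = 0xFF (DER)


def sample_pem(der: bytes) -> str:
    """Wrap der in the kind of text `openssl pkcs12 -nokeys` writes (constructed)."""
    b64 = base64.b64encode(der).decode()
    return ("Bag Attributes\n    friendlyName: local\n"
            "-----BEGIN CERTIFICATE-----\n" + b64 +
            "\n-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    # Usage: python3 check_der_bool.py /tmp/ca.pem   (exit status 1 if any hits)
    with open(sys.argv[1]) as f:
        hits = check_pem(f.read())
    for off, val in hits:
        print(f"non-DER BOOLEAN at offset {off}: content {val!r} (expected 0x00 or 0xFF)")
    sys.exit(1 if hits else 0)
```

Run it against the /tmp/ca.pem produced by the `openssl pkcs12` command above; a fixed certmonger local CA yields no hits, the broken one reports the cA BOOLEAN inside the Basic Constraints extnValue. Because the walker descends every constructed element and every extnValue that wraps a SEQUENCE, it also catches a mis-encoded BOOLEAN in any other extension, not just Basic Constraints.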

Comment 3 Rob Crittenden 2018-03-07 15:23:01 UTC
This bug can prevent a successful installation of RHOSP in some situations when enabling TLS for undercloud endpoints. The installation will appear to succeed but the resulting web UI is unavailable due to invalid DER encoding in the CA certificate.

Comment 8 Steve Almy 2018-03-26 16:07:15 UTC
Not sure what's happening with release flags ?!?!?

Comment 20 Udi Kalifon 2018-05-14 08:35:34 UTC
All z-streams of openstack director have you upgrade to RHEL 7.5, so this bug might be invalid?

Comment 21 Rob Crittenden 2018-05-14 14:22:21 UTC
This is the 7.6 BZ for the issue to prevent regressions. Either way it is still a valid bug for other consumers of certmonger.

Comment 22 Nikhil Dehadrai 2018-08-02 08:10:56 UTC
Certmonger version: certmonger-0.78.4-8.el7.x86_64


Verified the bug on the basis of following observations:

1. Set up a RHEL 7.6 system. (Note: plain RHEL system without IPA server configured)

# ipactl status
-bash: ipactl: command not found

 
2. Check the certmonger package version (in my case certmonger-0.78.4-8.el7.x86_64)

3. Pull the CA certificate out of the PKCS#12 file with:

# ls -l /var/lib/certmonger/local/creds (checking if file exists)
# openssl pkcs12 -in /var/lib/certmonger/local/creds -out /tmp/ca.pem -nokeys -nodes -passin pass:''

4. Edit the file /tmp/ca.pem created in above step to drop the prefix before -----BEGIN CERTIFICATE----- to avoid an offset error.

# openssl asn1parse -in /tmp/ca.pem -inform pem

5. Noticed the HEX dump as below:
  
  543:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Basic Constraints
  548:d=5  hl=2 l=   1 prim: BOOLEAN           :255
  551:d=5  hl=2 l=   5 prim: OCTET STRING      [HEX DUMP]:30030101FF


6. To confirm that it works with Firefox, generate a certificate using certmonger:

# getcert request -c local -f /etc/pki/tls/certs/local.crt -k /etc/pki/tls/private/local.key -U id-kp-clientAuth -U id-kp-serverAuth -u digitalSignature -u nonRepudiation -u keyEncipherment -u dataEncipherment

7. Install httpd and mod_ssl (yum -y install httpd; yum -y install mod_ssl)

Configure mod_ssl to use this certificate:

# vi /etc/httpd/conf.d/ssl.conf

SSLCertificateFile /etc/pki/tls/certs/local.crt
SSLCertificateKeyFile /etc/pki/tls/private/local.key

Add the CA to the global trust:

# cp /tmp/ca.pem /etc/pki/ca-trust/source/anchors/cm-local-ca.pem
# update-ca-trust 

8. Restart httpd (systemctl restart httpd)

9. Launch Firefox (in my case Firefox version 60.0 (64-bit)) and hit the host on port 443.

URL : https://<IP_addr_plain_RHEL76_system>

In my case, it returned the Apache page upon accepting the certificate.

Thus on the basis of above observations, marking the status of bug to "VERIFIED".

Comment 24 errata-xmlrpc 2018-10-30 07:44:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3018

