Bug 1554878 - [3.9] Provide external hostname for Elasticsearch server cert
Summary: [3.9] Provide external hostname for Elasticsearch server cert
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Logging
Version: 3.9.0
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
: 3.9.z
Assignee: Rich Megginson
QA Contact: Anping Li
URL:
Whiteboard:
Depends On: 1548154
Blocks: 1507407
TreeView+ depends on / blocked
 
Reported: 2018-03-13 14:04 UTC by Rich Megginson
Modified: 2018-05-17 06:43 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: The Elasticsearch server TLS certificate does not have an external hostname in the subject alt. name list. Consequence: Clients accessing Elasticsearch externally cannot turn on MITM server cert. validation. Fix: When configuring Elasticsearch to allow external access, add the external hostname in the subject alt. name list. Result: TLS clients can turn on server cert. validation.
Clone Of: 1548154
Environment:
Last Closed: 2018-05-17 06:42:42 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Github openshift openshift-ansible pull 7940 None None None 2018-04-13 03:12:30 UTC
Red Hat Product Errata RHBA-2018:1566 None None None 2018-05-17 06:43:17 UTC

Comment 1 Rich Megginson 2018-04-13 13:24:32 UTC
upstream was merged

Comment 5 Anping Li 2018-05-03 01:46:38 UTC
When openshift_logging_es_allow_external=True, the domain name couldn't be added to subject Alt name. I get the followimg error message. It seem the playbook couldn't handle the character '-'


INSTALLER STATUS ***************************************************************
Initialization             : Complete (0:00:21)
Logging Install            : Complete (0:07:00)
	Elasticsearch external hostname es.apps.0502-u3j.qe.rhcloud.com contains invalid characters for certificate subject Alt Name.  Not adding to Elasticsearch certificate.

Comment 6 Rich Megginson 2018-05-03 01:52:56 UTC
(In reply to Anping Li from comment #5)
> When openshift_logging_es_allow_external=True, the domain name couldn't be
> added to subject Alt name. I get the followimg error message. It seem the
> playbook couldn't handle the character '-'
> 
> 
> INSTALLER STATUS
> ***************************************************************
> Initialization             : Complete (0:00:21)
> Logging Install            : Complete (0:07:00)
> 	Elasticsearch external hostname es.apps.0502-u3j.qe.rhcloud.com contains
> invalid characters for certificate subject Alt Name.  Not adding to
> Elasticsearch certificate.

This is a feature, not a bug.  Hostname components that begin with a digit [0-9] are not allowed in a DNS field in a SubjectAltName.  So "0502-u3j" cannot be part of a DNS field in a SubjectAltName.

Comment 7 Anping Li 2018-05-03 08:12:40 UTC
@Rich, Is it a limitation of keytool?  QE are always using subdomain like 0502-u3j.qe.rhcloud.com.

Comment 8 Rich Megginson 2018-05-03 16:38:57 UTC
(In reply to Anping Li from comment #7)
> @Rich, Is it a limitation of keytool?  QE are always using subdomain like
> 0502-u3j.qe.rhcloud.com.

Yes, it might be a limitation of keytool.

Comment 9 Anping Li 2018-05-04 10:18:15 UTC
Verified with openshift-ansible:v3.9.27

Comment 12 errata-xmlrpc 2018-05-17 06:42:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1566


Note You need to log in before you can comment on or make changes to this bug.