Bug 1554878 - [3.9] Provide external hostname for Elasticsearch server cert
Summary: [3.9] Provide external hostname for Elasticsearch server cert
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Logging
Version: 3.9.0
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
: 3.9.z
Assignee: Rich Megginson
QA Contact: Anping Li
URL:
Whiteboard:
Depends On: 1548154
Blocks: 1507407
TreeView+ depends on / blocked
 
Reported: 2018-03-13 14:04 UTC by Rich Megginson
Modified: 2021-01-18 05:24 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: The Elasticsearch server TLS certificate does not have an external hostname in the subject alt. name list. Consequence: Clients accessing Elasticsearch externally cannot turn on MITM server cert. validation. Fix: When configuring Elasticsearch to allow external access, add the external hostname in the subject alt. name list. Result: TLS clients can turn on server cert. validation.
Clone Of: 1548154
Environment:
Last Closed: 2018-05-17 06:42:42 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift openshift-ansible pull 7940 0 None closed [release-3.9] always add es and es-ops hostname to the es server cert 2020-02-22 15:04:18 UTC
Red Hat Product Errata RHBA-2018:1566 0 None None None 2018-05-17 06:43:17 UTC

Comment 1 Rich Megginson 2018-04-13 13:24:32 UTC 
upstream was merged
Comment 5 Anping Li 2018-05-03 01:46:38 UTC 
When openshift_logging_es_allow_external=True, the domain name couldn't be added to subject Alt name. I get the followimg error message. It seem the playbook couldn't handle the character '-'


INSTALLER STATUS ***************************************************************
Initialization             : Complete (0:00:21)
Logging Install            : Complete (0:07:00)
	Elasticsearch external hostname es.apps.0502-u3j.qe.rhcloud.com contains invalid characters for certificate subject Alt Name.  Not adding to Elasticsearch certificate.
Comment 6 Rich Megginson 2018-05-03 01:52:56 UTC 
(In reply to Anping Li from comment #5)
> When openshift_logging_es_allow_external=True, the domain name couldn't be
> added to subject Alt name. I get the followimg error message. It seem the
> playbook couldn't handle the character '-'
> 
> 
> INSTALLER STATUS
> ***************************************************************
> Initialization             : Complete (0:00:21)
> Logging Install            : Complete (0:07:00)
> 	Elasticsearch external hostname es.apps.0502-u3j.qe.rhcloud.com contains
> invalid characters for certificate subject Alt Name.  Not adding to
> Elasticsearch certificate.

This is a feature, not a bug.  Hostname components that begin with a digit [0-9] are not allowed in a DNS field in a SubjectAltName.  So "0502-u3j" cannot be part of a DNS field in a SubjectAltName.
Comment 7 Anping Li 2018-05-03 08:12:40 UTC 
@Rich, Is it a limitation of keytool?  QE are always using subdomain like 0502-u3j.qe.rhcloud.com.
Comment 8 Rich Megginson 2018-05-03 16:38:57 UTC 
(In reply to Anping Li from comment #7)
> @Rich, Is it a limitation of keytool?  QE are always using subdomain like
> 0502-u3j.qe.rhcloud.com.

Yes, it might be a limitation of keytool.
Comment 9 Anping Li 2018-05-04 10:18:15 UTC 
Verified with openshift-ansible:v3.9.27
Comment 12 errata-xmlrpc 2018-05-17 06:42:42 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1566
Note You need to log in before you can comment on or make changes to this bug.