1673822 – pcsd: SSL Certificate with Wrong Hostname

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1673822 - pcsd: SSL Certificate with Wrong Hostname

Summary: pcsd: SSL Certificate with Wrong Hostname

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	pcs
Sub Component:
Version:	8.0
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	8.1
Assignee:	Tomas Jelinek
QA Contact:	cluster-qe@redhat.com
Docs Contact:
URL:
Whiteboard:
Depends On:	1682129
Blocks:	1693364
TreeView+	depends on / blocked

Reported:	2019-02-08 08:52 UTC by Tomas Jelinek
Modified:	2023-03-24 14:33 UTC (History)
CC List:	8 users (show)
Fixed In Version:	pcs-0.10.1-6.el8
Doc Type:	Bug Fix
Doc Text:	Cause: When creating new cluster or adding a node to an existing cluster pcs synchronizes pcsd SSL certificates across the cluster. Consequence: CN in the certificate does not match node hostname which is reported as a security issue. Fix: Disable the synchronization by default. Provide new option PCSD_SSL_CERT_SYNC_ENABLED in /etc/sysconfig/pcsd to enable the synchronization if needed. Result: SSL certificate synchronization is disabled and thus the described security issue does not occur.
Clone Of:	1665898
Environment:
Last Closed:	2019-11-05 20:39:40 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
proposed fix + tests (70.80 KB, patch) 2019-03-27 16:07 UTC, Tomas Jelinek	no flags	Details \| Diff
View All

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	1671659	unspecified	CLOSED	pcs shall not generate a self-signed certificate but use indirection with it's own generated CA	2021-02-22 00:41:40 UTC
Red Hat Knowledge Base (Solution)	3822962	None	None	None	2019-02-08 08:55:57 UTC
Red Hat Product Errata	RHEA-2019:3311	None	None	None	2019-11-05 20:39:53 UTC

Comment 2 Tomas Jelinek 2019-03-25 13:04:22 UTC

> Our preliminary plan to resolve this is to regenerate pcsd certificate
> during the synchronization and put names of all full stack nodes in it.
> There would also be an option in /etc/sysconfig/pcsd config file which would
> allow to 'disable', 'enable' or 'enable only for pcsd certificates (O and OU
> equals to pcsd)' this SSL certification regeneration.

If we implemented this, web browsers would complain each time the certificate changes. The whole point of synchronizing the certificates is to avoid such warnings. Therefore this is not a way to go.

Instead, we will provide a configuration option in /etc/sysconfig/pcsd to disable certificates synchronization completely. This will resolve the original issue of CN not matching hostname. It will be up to the users to set their own certificates if they are not happy with the default ones.

Comment 3 Tomas Jelinek 2019-03-27 16:07:18 UTC

Created attachment 1548633 [details]
proposed fix + tests

Test:
* certificate sync is disabled by default
* add PCSD_SSL_CERT_SYNC_ENABLED=true to /etc/sysconfig/pcsd
* check that 'pcs cluster setup' and 'pcs cluster node add' do overwrite pcsd SSL certificate on target nodes
* remove, comment out or set PCSD_SSL_CERT_SYNC_ENABLED=false in /etc/sysconfig/pcsd
* check that in all cases 'pcs cluster setup' and 'pcs cluster node add' do not overwrite pcsd SSL certificate on target nodes

Comment 4 Ondrej Mular 2019-05-02 12:11:46 UTC

After fix:
[root@rhel81-node1 ~]# rpm -q pcs
pcs-0.10.1-6.el8.x86_64

[root@rhel81-node1 ~]# ssh rh81-1 -- rm -f /var/lib/pcsd/pcsd.crt /var/lib/pcsd/pcsd.key
[root@rhel81-node1 ~]# ssh rh81-2 -- rm -f /var/lib/pcsd/pcsd.crt /var/lib/pcsd/pcsd.key
[root@rhel81-node1 ~]# ssh rh81-1 -- systemctl restart pcsd
[root@rhel81-node1 ~]# ssh rh81-2 -- systemctl restart pcsd
[root@rhel81-node1 ~]# pcs cluster setup rhel-8.1-cluster rh81-1 rh81-2
No addresses specified for host 'rh81-1', using 'rh81-1'
No addresses specified for host 'rh81-2', using 'rh81-2'
Destroying cluster on hosts: 'rh81-1', 'rh81-2'...
rh81-2: Successfully destroyed cluster
rh81-1: Successfully destroyed cluster
Requesting remove 'pcsd settings' from 'rh81-1', 'rh81-2'
rh81-1: successful removal of the file 'pcsd settings'
rh81-2: successful removal of the file 'pcsd settings'
Sending 'corosync authkey', 'pacemaker authkey' to 'rh81-1', 'rh81-2'
rh81-1: successful distribution of the file 'corosync authkey'
rh81-1: successful distribution of the file 'pacemaker authkey'
rh81-2: successful distribution of the file 'corosync authkey'
rh81-2: successful distribution of the file 'pacemaker authkey'
Sending 'corosync.conf' to 'rh81-1', 'rh81-2'
rh81-1: successful distribution of the file 'corosync.conf'
rh81-2: successful distribution of the file 'corosync.conf'
Cluster has been successfully set up.
[root@rhel81-node1 ~]# ssh rh81-1 -- sha1sum /var/lib/pcsd/pcsd.crt
e868f8b684f67245651b188fe7b3562cbdfc1022  /var/lib/pcsd/pcsd.crt
[root@rhel81-node1 ~]# ssh rh81-2 -- sha1sum /var/lib/pcsd/pcsd.crt
8bc61149631778ce9d9b98f063b6514a8760ed3d  /var/lib/pcsd/pcsd.crt
[root@rhel81-node1 ~]# ssh rh81-1 -- echo "PCSD_SSL_CERT_SYNC_ENABLED=true" >> /etc/sysconfig/pcsd
[root@rhel81-node1 ~]# ssh rh81-2 -- echo "PCSD_SSL_CERT_SYNC_ENABLED=true" >> /etc/sysconfig/pcsd
[root@rhel81-node1 ~]# ssh rh81-1 -- systemctl restart pcsd
[root@rhel81-node1 ~]# ssh rh81-2 -- systemctl restart pcsd
[root@rhel81-node1 ~]# pcs cluster destroy --all
rh81-2: Stopping Cluster (pacemaker)...
rh81-1: Stopping Cluster (pacemaker)...
rh81-2: Successfully destroyed cluster
rh81-1: Successfully destroyed cluster
[root@rhel81-node1 ~]# pcs cluster setup rhel-8.1-cluster rh81-1 rh81-2
No addresses specified for host 'rh81-1', using 'rh81-1'
No addresses specified for host 'rh81-2', using 'rh81-2'
Destroying cluster on hosts: 'rh81-1', 'rh81-2'...
rh81-1: Successfully destroyed cluster
rh81-2: Successfully destroyed cluster
Requesting remove 'pcsd settings' from 'rh81-1', 'rh81-2'
rh81-1: successful removal of the file 'pcsd settings'
rh81-2: successful removal of the file 'pcsd settings'
Sending 'corosync authkey', 'pacemaker authkey' to 'rh81-1', 'rh81-2'
rh81-1: successful distribution of the file 'corosync authkey'
rh81-1: successful distribution of the file 'pacemaker authkey'
rh81-2: successful distribution of the file 'corosync authkey'
rh81-2: successful distribution of the file 'pacemaker authkey'
Synchronizing pcsd SSL certificates on nodes 'rh81-1', 'rh81-2'...
rh81-1: Success
rh81-2: Success
Sending 'corosync.conf' to 'rh81-1', 'rh81-2'
rh81-1: successful distribution of the file 'corosync.conf'
rh81-2: successful distribution of the file 'corosync.conf'
Cluster has been successfully set up.
[root@rhel81-node1 ~]# ssh rh81-1 -- sha1sum /var/lib/pcsd/pcsd.crt
fc8097144ef8a5b2a09016f8710be35bf4119eb8  /var/lib/pcsd/pcsd.crt
[root@rhel81-node1 ~]# ssh rh81-2 -- sha1sum /var/lib/pcsd/pcsd.crt
fc8097144ef8a5b2a09016f8710be35bf4119eb8  /var/lib/pcsd/pcsd.crt

Comment 8 errata-xmlrpc 2019-11-05 20:39:40 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:3311

Note You need to log in before you can comment on or make changes to this bug.