Bug 1752110 - Enhance Octavia error message when PKCS12 is encrypted with key
Summary: Enhance Octavia error message when PKCS12 is encrypted with key
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-octavia
Version: 13.0 (Queens)
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: z11
Target Release: 13.0 (Queens)
Assignee: Michael Johnson
QA Contact: Bruna Bonguardo
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-09-13 17:26 UTC by Andreas Karis
Modified: 2020-03-10 11:27 UTC
CC List: 6 users

Fixed In Version: openstack-octavia-2.1.2-2.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-03-10 11:26:10 UTC
Target Upstream Version:
Embargoed:




Links
- OpenStack Storyboard 2006587 (last updated 2019-09-19 23:22:46 UTC)
- OpenStack gerrit 683254, MERGED: Improve the error message for bad pkcs12 bundles (last updated 2020-03-10 09:22:21 UTC)
- OpenStack gerrit 683968, MERGED: Improve the error message for bad pkcs12 bundles (last updated 2020-03-10 09:22:21 UTC)
- Red Hat Bugzilla 1737457, urgent, CLOSED: Support TLS-terminated HTTPS load balancer (last updated 2023-07-10 17:25:43 UTC)
- Red Hat Product Errata RHBA-2020:0770 (last updated 2020-03-10 11:27:01 UTC)

Description Andreas Karis 2019-09-13 17:26:13 UTC
Description of problem:

Enhance Octavia error message when PKCS12 is encrypted with key. Octavia should be enhanced to provide a better error code when the pkcs12 bundle does not pass validation or is unreadable.

Internal link with more details: http://post-office.corp.redhat.com/archives/rhos-tech/2019-September/msg00206.html

Additional info:

This point is IMO already covered in https://bugzilla.redhat.com/show_bug.cgi?id=1712448#c8 , https://storyboard.openstack.org/#!/story/2005925, https://review.opendev.org/#/c/667200/
~~~
Validate certificate content at API level

Starting from Rocky, certificates are loaded still at API level when
converting objects to provider data models. The act of loading the
certificate provides validation as to its content. For example, it
checks if a value in the Common Name field is set. When the content is
passed in on create and update actions via reference, it is checked at
API level. If it's invalid, it fails right there and an error is
returned to the user.

However, certificate content is not checked at API level in Queens.
Should an invalid certificate be passed in, the API accepts but it will
later fail at provisioning -- the listener and loadbalancer go into
ERROR. The problem starts when the health manager runs the periodic
update health check. It calculates the expected number of listeners and
sees the listener in ERROR. In an attempt to heal it, an amphora
failover is triggered. As it runs the failover, it tries, again, to load
up the invalid certificate. Amphora failover goes on in a loop.

This patch is a Queens-only patch.
~~~

But I would like to make sure that this is the case.

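The pre-flight check the bug asks Octavia to perform, as an added example (not Octavia's code, and not from the reporter or the quoted patch). It loads a PKCS12 bundle the way Octavia does, with no password, and maps each failure mode to a specific message instead of a bare "invalid" error, so a passphrase-protected bundle, a corrupt bundle, a missing key or certificate, a missing Common Name and a key/certificate mismatch are each reported for what they are. It assumes Octavia expects an unencrypted bundle (as the bug title implies) and uses the cryptography library; the function names, message wording and the self-signed test bundles built by make_bundle() are this example's own constructions.

```python
"""Pre-flight validation of a PKCS12 bundle before handing it to Octavia.

Added example, not Octavia's own code. Assumptions: the consumer loads
the bundle with no password (so a passphrase-protected bundle must be
rejected, as the bug title implies), and the certificate must carry a
Common Name and a private key that matches it. Names and message
wording are illustrative.
"""
import datetime
from typing import Optional

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID


class Pkcs12ValidationError(ValueError):
    """Carries a user-facing reason instead of a bare 'invalid' error."""


def _try_load(data: bytes, password: Optional[bytes]):
    """Return (key, cert, chain) or None. The library raises ValueError for
    both a corrupt structure and a wrong or missing password, so the caller
    has to probe to tell those apart."""
    try:
        return pkcs12.load_key_and_certificates(data, password)
    except ValueError:
        return None


def _spki(public_key) -> bytes:
    """DER SubjectPublicKeyInfo, a key-type-independent way to compare keys."""
    return public_key.public_bytes(
        serialization.Encoding.DER,
        serialization.PublicFormat.SubjectPublicKeyInfo)


def validate_pkcs12(data: bytes, password: Optional[bytes] = None) -> dict:
    """Raise Pkcs12ValidationError with a specific reason, or return details.

    `password` is only used to tell "encrypted" apart from "corrupt"; an
    encrypted bundle is still rejected because the consumer (here Octavia,
    per the bug) loads it without a password.
    """
    loaded = _try_load(data, None)
    if loaded is None:
        if password is not None and _try_load(data, password) is not None:
            raise Pkcs12ValidationError(
                "PKCS12 bundle is passphrase-protected; an unencrypted "
                "bundle is required. Re-export it without a passphrase.")
        raise Pkcs12ValidationError(
            "PKCS12 bundle is unreadable: corrupt, not PKCS12, or "
            "encrypted with a passphrase that was not supplied.")
    key, cert, chain = loaded
    if key is None:
        raise Pkcs12ValidationError("PKCS12 bundle contains no private key.")
    if cert is None:
        raise Pkcs12ValidationError(
            "PKCS12 bundle contains no end-entity certificate.")
    cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    if not cn:
        raise Pkcs12ValidationError(
            "Certificate subject has no Common Name (CN).")
    if _spki(cert.public_key()) != _spki(key.public_key()):
        raise Pkcs12ValidationError(
            "Private key does not match the certificate.")
    return {"common_name": cn[0].value, "chain_length": len(chain)}


def check_bundle(data: bytes, password: Optional[bytes] = None) -> str:
    """One-line verdict, as a CLI pre-flight check would print it."""
    try:
        info = validate_pkcs12(data, password)
    except Pkcs12ValidationError as exc:
        return "REJECT: " + str(exc)
    return "OK: CN=%s, %d intermediate(s)" % (
        info["common_name"], info["chain_length"])


def make_bundle(common_name: Optional[str],
                password: Optional[bytes] = None) -> bytes:
    """Constructed test input: a fresh self-signed cert + key as PKCS12.
    A None common_name yields a subject with only an O= attribute."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    attrs = [x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Corp")]
    if common_name:
        attrs.append(x509.NameAttribute(NameOID.COMMON_NAME, common_name))
    name = x509.Name(attrs)
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=30))
            .sign(key, hashes.SHA256()))
    enc = (serialization.BestAvailableEncryption(password) if password
           else serialization.NoEncryption())
    return pkcs12.serialize_key_and_certificates(b"lb-cert", key, cert, None, enc)


if __name__ == "__main__":
    print(check_bundle(make_bundle("lb.example.com")))
    print(check_bundle(make_bundle("lb.example.com", b"s3cret"), b"s3cret"))
    print(check_bundle(make_bundle("lb.example.com", b"s3cret")))
    print(check_bundle(make_bundle(None)))
    print(check_bundle(b"not a pkcs12 bundle"))
```

Run it once against the bundle you are about to store in Barbican; a REJECT line tells you before the listener is created what the Queens API would only have surfaced as an ERROR state and a failover loop. The passphrase probe is deliberate: without a second load attempt, an encrypted bundle and a corrupt one raise the same ValueError and cannot be distinguished in the message.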
Comment 6 errata-xmlrpc 2020-03-10 11:26:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0770

