Bug 1758373 - EXTENDED_VALIDATION doesn't capture certificate / key mismatch, causing the router to misbehave [4.2]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 3.9.0
Hardware: x86_64
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: ---
Target Release: 4.2.z
Assignee: Dan Mace
QA Contact: Hongan Li
URL:
Whiteboard:
Depends On: 1723400 1794487
Blocks: 1758374
 
Reported: 2019-10-03 23:48 UTC by Miciah Dashiel Butler Masters
Modified: 2022-08-04 22:24 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1723400
Environment:
Last Closed: 2019-11-13 18:55:47 UTC
Target Upstream Version:
Embargoed:



Links
| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Github | openshift router pull 44 | 0 | 'None' | closed | [release-4.2] Bug 1758373: fix haproxy reload crash when processing ECDSA keys | 2020-01-23 19:39:44 UTC |
| Red Hat Product Errata | RHBA-2019:3303 | 0 | None | None | None | 2019-11-13 18:55:59 UTC |

Description Miciah Dashiel Butler Masters 2019-10-03 23:48:11 UTC
+++ This bug was initially created as a clone of Bug #1723400 +++

Description of problem:

Even though the EXTENDED_VALIDATION is set to true, adding a certificate to a specific `route` with the wrong key will cause the `router` to fail during re-load which can impact production services as changes within the service are not properly reflected.

With EXTENDED_VALIDATION on, it's expected to decline such route from being created and prevent the `router` from failing.

Version-Release number of selected component (if applicable):

> oc v3.9.74
> kubernetes v1.9.1+a0ce1bc657
> features: Basic-Auth GSSAPI Kerberos SPNEGO
> 
> Server https://openshift.example.com:443
> openshift v3.9.74
> kubernetes v1.9.1+a0ce1bc657

How reproducible:
Always


Steps to Reproduce:
1. Make sure EXTENDED_VALIDATION is set to `true` on the `router`
2. Create a route with Edge termination set and apply a custom certificate.
3. Add a wrong key for the certificate (not matching) and create the route

Actual results:

`router` is failing to reload and thus apply changes within its configuration. Error reported by `router` is as follows.

E0620 09:53:43.202882       1 limiter.go:137] error reloading router: exit status 1
[ALERT] 170/095343 (13510) : parsing [/var/lib/haproxy/conf/haproxy.config:116] : 'bind 127.0.0.1:10444' : 'crt-list' : error processing line 1 in file '/var/lib/haproxy/conf/cert_config.map' : unable to load SSL private key from PEM file '/var/lib/haproxy/router/certs/example-route:wildcard.pem'.
[ALERT] 170/095343 (13510) : Error(s) found in configuration file : /var/lib/haproxy/conf/haproxy.config
[ALERT] 170/095343 (13510) : Fatal errors found in configuration.
E0620 09:54:08.868115       1 limiter.go:137] error reloading router: exit status 1
[ALERT] 170/095408 (13581) : parsing [/var/lib/haproxy/conf/haproxy.config:116] : 'bind 127.0.0.1:10444' : 'crt-list' : error processing line 1 in file '/var/lib/haproxy/conf/cert_config.map' : unable to load SSL private key from PEM file '/var/lib/haproxy/router/certs/example-route:wildcard.pem'.
[ALERT] 170/095408 (13581) : Error(s) found in configuration file : /var/lib/haproxy/conf/haproxy.config
[ALERT] 170/095408 (13581) : Fatal errors found in configuration.

Expected results:

`router` to reject the `route` in order to continue to function properly and simply notify the creator of the `route` that it was not possible to create the `route` due to validation error.

Additional info:
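
The check the report expects before a route reaches HAProxy, as an added example (not part of the original report, the router's own code, or the fix in pull 44): Go's `tls.X509KeyPair` refuses a private key that does not match the certificate. `newECDSAPair` and `validateRouteTLS` are hypothetical names, and the certificates are constructed at run time.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
)

// newECDSAPair builds a constructed self-signed certificate and its ECDSA key (PEM).
// Validity dates are left unset: the key-match check below does not look at them.
func newECDSAPair(cn string) ([]byte, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), nil
}

// validateRouteTLS (hypothetical helper) rejects a route whose key does not
// belong to its certificate, so the bad pair never reaches a proxy reload.
func validateRouteTLS(certPEM, keyPEM []byte) error {
	if _, err := tls.X509KeyPair(certPEM, keyPEM); err != nil {
		return fmt.Errorf("route rejected: %w", err)
	}
	return nil
}

func main() {
	certA, keyA, _ := newECDSAPair("a.example.com") // constructed sample data
	_, keyB, _ := newECDSAPair("b.example.com")
	fmt.Println("matching pair:", validateRouteTLS(certA, keyA))
	fmt.Println("mismatched pair:", validateRouteTLS(certA, keyB))
}
```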

Comment 2 Hongan Li 2019-10-28 11:52:16 UTC
verified with 4.2.0-0.nightly-2019-10-27-140004 and passed

Comment 4 errata-xmlrpc 2019-11-13 18:55:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3303

