Bug 1758374 - EXTENDED_VALIDATION doesn't capture certificate / key mismatch, causing the router to misbehave [4.1]
Summary: EXTENDED_VALIDATION doesn't capture certificate / key mismatch, causing the r...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Routing
Version: 3.9.0
Hardware: x86_64
OS: Linux
urgent
urgent
Target Milestone: ---
: 4.1.z
Assignee: Dan Mace
QA Contact: Hongan Li
URL:
Whiteboard:
Depends On: 1758373
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-10-03 23:49 UTC by Miciah Dashiel Butler Masters
Modified: 2019-11-12 12:51 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1723400
Environment:
Last Closed: 2019-11-12 12:51:51 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Github openshift router pull 45 'None' closed Bug 1758374: fix haproxy reload crash when processing ECDSA keys 2020-01-23 19:40:52 UTC
Red Hat Product Errata RHBA-2019:3766 None None None 2019-11-12 12:51:58 UTC

Description Miciah Dashiel Butler Masters 2019-10-03 23:49:51 UTC
+++ This bug was initially created as a clone of Bug #1723400 +++

Description of problem:

Even though the EXTENDED_VALIDATION is set to true, adding a certificate to a specific `route` with the wrong key will cause the `router` to fail during re-load which can impact production services as changes within the service are not properly reflected.

With EXTENDED_VALIDATION on, it's expected to decline such route from being created and prevent the `router` from failing.

Version-Release number of selected component (if applicable):

> oc v3.9.74
> kubernetes v1.9.1+a0ce1bc657
> features: Basic-Auth GSSAPI Kerberos SPNEGO
> 
> Server https://openshift.example.com:443
> openshift v3.9.74
> kubernetes v1.9.1+a0ce1bc657

How reproducible:
Always


Steps to Reproduce:
1. Make sure EXTENDED_VALIDATION is set to `true` on the `router`
2. Create a route with Edge termination set and apply a custom certificate.
3. Add a wrong key for the certificate (not matching) and create the route

Actual results:

`router` is failing to reload and thus apply changes within it's configuration. Error reported by `router` is as following.

E0620 09:53:43.202882       1 limiter.go:137] error reloading router: exit status 1
[ALERT] 170/095343 (13510) : parsing [/var/lib/haproxy/conf/haproxy.config:116] : 'bind 127.0.0.1:10444' : 'crt-list' : error processing line 1 in file '/var/lib/haproxy/conf/cert_config.map' : unable to load SSL private key from PEM file '/var/lib/haproxy/router/certs/example-route:wildcard.pem'.
[ALERT] 170/095343 (13510) : Error(s) found in configuration file : /var/lib/haproxy/conf/haproxy.config
[ALERT] 170/095343 (13510) : Fatal errors found in configuration.
E0620 09:54:08.868115       1 limiter.go:137] error reloading router: exit status 1
[ALERT] 170/095408 (13581) : parsing [/var/lib/haproxy/conf/haproxy.config:116] : 'bind 127.0.0.1:10444' : 'crt-list' : error processing line 1 in file '/var/lib/haproxy/conf/cert_config.map' : unable to load SSL private key from PEM file '/var/lib/haproxy/router/certs/example-route:wildcard.pem'.
[ALERT] 170/095408 (13581) : Error(s) found in configuration file : /var/lib/haproxy/conf/haproxy.config
[ALERT] 170/095408 (13581) : Fatal errors found in configuration.

Expected results:

`router` to reject the `route` in order to continue to function properly and simply notify the creator of the `route` that it was not possible to create the `route` due to validation error.

Additional info:

Comment 2 Hongan Li 2019-11-05 05:41:44 UTC
verified with 4.1.0-0.nightly-2019-11-01-212340 and issue has been fixed.

Comment 4 errata-xmlrpc 2019-11-12 12:51:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3766


Note You need to log in before you can comment on or make changes to this bug.