1763109 – [downstream clone - 4.3.7] Fix invalid host certificates by filling-in subject alternate name during host upgrade or certificate reenrollment

Bug 1763109 - [downstream clone - 4.3.7] Fix invalid host certificates by filling-in subject alternate name during host upgrade or certificate reenrollment

Summary: [downstream clone - 4.3.7] Fix invalid host certificates by filling-in subjec...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Virtualization Manager
Classification:	Red Hat
Component:	ovirt-engine
Sub Component:
Version:	4.3.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	ovirt-4.3.7
Target Release:	4.3.7
Assignee:	Martin Perina
QA Contact:	Petr Matyáš
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1763108 (view as bug list)
Depends On:	1763084
Blocks:
TreeView+	depends on / blocked

Reported:	2019-10-18 09:24 UTC by RHV bug bot
Modified:	2020-02-13 13:51 UTC (History)
CC List:	5 users (show)
Fixed In Version:	ovirt-engine-4.3.7.1
Doc Type:	Enhancement
Doc Text:	The following improvements have been made to host certificates used for encrypted communication between the RHV Manager and the Virtual Desktop Server Manager: 1. All newly added host will have certificates with correct SAN field 2. A periodic check for certificate validity is performed and if the SAN field is not populated an error is reported in the audit log, notifying administrators that the host certificate needs to be re-enrolled. 3. The SAN field in the certificate is also checked during host upgrade, so that the host certificate can be re-enrolled during host upgrade.
Clone Of:	1763084
Environment:
Last Closed:	2019-12-12 10:36:35 UTC
oVirt Team:	Infra
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2019:4229	None	None	None	2019-12-12 10:36:54 UTC
oVirt gerrit	103318	'None'	MERGED	ansible: Put host names into SAN in certificates	2021-02-18 10:37:45 UTC
oVirt gerrit	104149	'None'	MERGED	core: Check validity of SAN when check host certificate	2021-02-18 10:37:45 UTC
oVirt gerrit	104151	'None'	MERGED	core: Add HOST_CERTIFICATE_HAS_INVALID_SAN event	2021-02-18 10:37:45 UTC
oVirt gerrit	104183	'None'	MERGED	restapi: Update to model 4.4.10	2021-02-18 10:37:45 UTC
oVirt gerrit	104199	'None'	MERGED	ansible: Put host names into SAN in certificates	2021-02-18 10:37:45 UTC
oVirt gerrit	104200	'None'	MERGED	core: Check validity of SAN when check host certificate	2021-02-18 10:37:45 UTC

Description RHV bug bot 2019-10-18 09:24:53 UTC

+++ This bug is an upstream to downstream clone. The original bug is: +++
+++   bug 1763084 +++
======================================================================

We currently put Hostname/IP into Common Name (CN) in the host
certificate subject.  This is not good for two reasons:

- Using CN for host name matching in certificates is obsolete and
  should be no longer used [1].

- CN may not contain an IP address.

In the latter case, migrations don't work on el8 since libvirt refuses
to connect to a destination host having invalid data in its
certificate.

The correct way to handle the certificates is to put the host name or
IP addresses to the Subject Alternative Name [2].  This is what this
patch does.

[1] http://wiki.cacert.org/FAQ/subjectAltName
[2] https://libvirt.org/remote.html#Remote_TLS_server_certificates

(Originally by Martin Perina)

Comment 2 Martin Perina 2019-10-18 12:31:16 UTC

*** Bug 1763108 has been marked as a duplicate of this bug. ***

Comment 4 Petr Matyáš 2019-11-04 12:15:25 UTC

Verified on ovirt-engine-4.3.7.1-0.1.el7.noarch

Comment 5 RHV bug bot 2019-11-14 11:10:07 UTC

INFO: Bug status (VERIFIED) wasn't changed but the folowing should be fixed:

[Tag 'ovirt-engine-4.3.7.2' doesn't contain patch 'https://gerrit.ovirt.org/104183']
gitweb: https://gerrit.ovirt.org/gitweb?p=ovirt-engine.git;a=shortlog;h=refs/tags/ovirt-engine-4.3.7.2

For more info please contact: rhv-devops

Comment 6 Nadav Halevy 2019-12-10 12:52:47 UTC

Hi Martin, can you please review this doc text as soon as possible as we need it for errata approval for 4.3.7?


The following improvements have been made to host certificates used for encrypted communication between the RHV Manager and the Virtual Desktop Server Manager:
1. All newly added host will have certificates with correct SAN field
2. A periodic check for certificate validity is performed and if the SAN field is not populated an error is reported in the audit log, notifying administrators that the host certificate needs to be re-enrolled.
3. The SAN field in the certificate is also checked during host upgrade, so that the host certificate can be re-enrolled during host upgrade.

Comment 8 errata-xmlrpc 2019-12-12 10:36:35 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:4229

Note You need to log in before you can comment on or make changes to this bug.