Bug 1763109 - [downstream clone - 4.3.7] Fix invalid host certificates by filling-in subject alternate name during host upgrade or certificate reenrollment
Summary: [downstream clone - 4.3.7] Fix invalid host certificates by filling-in subjec...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Version: 4.3.0
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ovirt-4.3.7
: 4.3.7
Assignee: Martin Perina
QA Contact: Petr Matyáš
URL:
Whiteboard:
: 1763108 (view as bug list)
Depends On: 1763084
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-10-18 09:24 UTC by RHV bug bot
Modified: 2020-02-13 13:51 UTC (History)
5 users (show)

Fixed In Version: ovirt-engine-4.3.7.1
Doc Type: Enhancement
Doc Text:
The following improvements have been made to host certificates used for encrypted communication between the RHV Manager and the Virtual Desktop Server Manager: 1. All newly added host will have certificates with correct SAN field 2. A periodic check for certificate validity is performed and if the SAN field is not populated an error is reported in the audit log, notifying administrators that the host certificate needs to be re-enrolled. 3. The SAN field in the certificate is also checked during host upgrade, so that the host certificate can be re-enrolled during host upgrade.
Clone Of: 1763084
Environment:
Last Closed: 2019-12-12 10:36:35 UTC
oVirt Team: Infra
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:4229 0 None None None 2019-12-12 10:36:54 UTC
oVirt gerrit 103318 0 'None' MERGED ansible: Put host names into SAN in certificates 2021-02-18 10:37:45 UTC
oVirt gerrit 104149 0 'None' MERGED core: Check validity of SAN when check host certificate 2021-02-18 10:37:45 UTC
oVirt gerrit 104151 0 'None' MERGED core: Add HOST_CERTIFICATE_HAS_INVALID_SAN event 2021-02-18 10:37:45 UTC
oVirt gerrit 104183 0 'None' MERGED restapi: Update to model 4.4.10 2021-02-18 10:37:45 UTC
oVirt gerrit 104199 0 'None' MERGED ansible: Put host names into SAN in certificates 2021-02-18 10:37:45 UTC
oVirt gerrit 104200 0 'None' MERGED core: Check validity of SAN when check host certificate 2021-02-18 10:37:45 UTC

Description RHV bug bot 2019-10-18 09:24:53 UTC
+++ This bug is an upstream to downstream clone. The original bug is: +++
+++   bug 1763084 +++
======================================================================

We currently put Hostname/IP into Common Name (CN) in the host
certificate subject.  This is not good for two reasons:

- Using CN for host name matching in certificates is obsolete and
  should be no longer used [1].

- CN may not contain an IP address.

In the latter case, migrations don't work on el8 since libvirt refuses
to connect to a destination host having invalid data in its
certificate.

The correct way to handle the certificates is to put the host name or
IP addresses to the Subject Alternative Name [2].  This is what this
patch does.

[1] http://wiki.cacert.org/FAQ/subjectAltName
[2] https://libvirt.org/remote.html#Remote_TLS_server_certificates

(Originally by Martin Perina)

Comment 2 Martin Perina 2019-10-18 12:31:16 UTC
*** Bug 1763108 has been marked as a duplicate of this bug. ***

Comment 4 Petr Matyáš 2019-11-04 12:15:25 UTC
Verified on ovirt-engine-4.3.7.1-0.1.el7.noarch

Comment 5 RHV bug bot 2019-11-14 11:10:07 UTC
INFO: Bug status (VERIFIED) wasn't changed but the folowing should be fixed:

[Tag 'ovirt-engine-4.3.7.2' doesn't contain patch 'https://gerrit.ovirt.org/104183']
gitweb: https://gerrit.ovirt.org/gitweb?p=ovirt-engine.git;a=shortlog;h=refs/tags/ovirt-engine-4.3.7.2

For more info please contact: rhv-devops

Comment 6 Nadav Halevy 2019-12-10 12:52:47 UTC
Hi Martin, can you please review this doc text as soon as possible as we need it for errata approval for 4.3.7?


The following improvements have been made to host certificates used for encrypted communication between the RHV Manager and the Virtual Desktop Server Manager:
1. All newly added host will have certificates with correct SAN field
2. A periodic check for certificate validity is performed and if the SAN field is not populated an error is reported in the audit log, notifying administrators that the host certificate needs to be re-enrolled.
3. The SAN field in the certificate is also checked during host upgrade, so that the host certificate can be re-enrolled during host upgrade.

Comment 8 errata-xmlrpc 2019-12-12 10:36:35 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:4229


Note You need to log in before you can comment on or make changes to this bug.