Bug 2073607 - Certificate DN is not expanding in the Octavia tenant flow logs
Summary: Certificate DN is not expanding in the Octavia tenant flow logs
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 16.1 (Train)
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: z9
Target Release: 16.1 (Train on RHEL 8.2)
Assignee: Tom Weininger
QA Contact: Bruna Bonguardo
URL:
Whiteboard:
Depends On:
Blocks: 2117296
 
Reported: 2022-04-08 22:07 UTC by Michael Johnson
Modified: 2022-12-07 20:29 UTC (History)

Fixed In Version: openstack-tripleo-heat-templates-11.3.2-1.20220818163240.29a02c1.el8ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 2117296
Environment:
Last Closed: 2022-12-07 20:29:31 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
OpenStack gerrit 838915 0 None MERGED Use Octavia's own default user_log_format value 2022-05-09 08:59:21 UTC
OpenStack gerrit 840950 0 None MERGED Use Octavia's own default user_log_format value 2022-08-09 12:27:30 UTC
Red Hat Issue Tracker OSP-14610 0 None None None 2022-04-08 22:12:23 UTC
Red Hat Product Errata RHSA-2022:8796 0 None None None 2022-12-07 20:29:52 UTC

Description Michael Johnson 2022-04-08 22:07:55 UTC
Description of problem:
The HAProxy tenant flow logs are showing "[ssl_c_s_dn]" instead of the client certificate DN string OSP.

Version-Release number of selected component (if applicable):
16.1.6

How reproducible:
Always

Steps to Reproduce:
1. Create an Octavia amphora load balancer.
2. Create a TLS terminated listener with client authentication enabled.
3. Connect to the load balancer listener with a client authentication certificate.
4. Note that the log entry for the connection shows "[ssl_c_s_dn]" instead of the expected client certificate DN.

Actual results:

Apr  8 13:19:32 amphora-157dcaeb-128b-40f1-9a76-cd76a4b7ec2a haproxy[18066]: 9d53b4ef01874ac9b6f09fee91146b84 3218bf8c-e02f-4f80-af4c-9a28db495d4b cc2be110-8c99-41da-83bd-e3b0ce394129 10.5.26.80 53848 08/Apr/2022:13:19:30.760 r 200 300121 680 0 [ssl_c_s_dn] 78206dd1-c9af-44b3-a92f-5cd1aba53a3e:cc2be110-8c99-41da-83bd-e3b0ce394129 f70a857b-2348-40f3-b4b6-1625eed0efdb 1329 ----

Expected results:
Apr  8 16:26:57 amphora-d5c2b324-12be-4eee-a7b8-7ace88cc55d6 haproxy[3011]: ce3e7b2eeb494c49a7ecfb5af17d1ec8 6cc6421d-bd1d-4478-9f65-03b94dc1ebae 082218d8-aca4-4777-8866-2e5c96999b24 172.24.5.1 57742 08/Apr/2022:16:26:57.544 "GET / HTTP/1.1" 200 147 122 0 "/C=US/ST=Denial/L=Corvallis/O=OpenStack/OU=Octavia/CN=c7fe9b78-c6ae-4af7-a097-c35c20480745" 63f66456-c40e-41a3-9d9c-0e32f59c5357:082218d8-aca4-4777-8866-2e5c96999b24 8d721d43-acfd-496a-88b9-30fc6edbc641 10 ----

Additional info:

This appears to be a downstream only (tripleo?) issue as the upstream barbican gate jobs show the correct output (captured below as the expected result).
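
Added example (not part of the original report and not Octavia or TripleO code): a check that scans amphora tenant flow log lines for unexpanded format variables, so an audit pipeline notices when the client certificate DN is not being recorded. The field names are assumptions inferred from the order of values in the two log entries above, and the sample lines are constructed, shortened versions of those entries.

```python
import re
import shlex

# Constructed sample lines, shortened from the two log entries in this report.
BROKEN = ('Apr  8 13:19:32 amphora-1 haproxy[18066]: proj lb lsn 10.5.26.80 53848 '
          '08/Apr/2022:13:19:30.760 r 200 300121 680 0 [ssl_c_s_dn] '
          'pool:lsn member 1329 ----')
GOOD = ('Apr  8 16:26:57 amphora-2 haproxy[3011]: proj lb lsn 172.24.5.1 57742 '
        '08/Apr/2022:16:26:57.544 "GET / HTTP/1.1" 200 147 122 0 '
        '"/C=US/ST=Denial/L=Corvallis/O=OpenStack/OU=Octavia/CN=client-1" '
        'pool:lsn member 10 ----')

# Assumed field names (hypothetical labels), one per value in the sample lines.
FIELDS = ('project_id', 'lb_id', 'listener_id', 'client_ip', 'client_port',
          'timestamp', 'request', 'status', 'bytes_read', 'bytes_uploaded',
          'ssl_c_verify', 'ssl_c_s_dn', 'pool_id', 'member_id', 'time_ms',
          'term_state')

PREFIX = re.compile(r'haproxy\[\d+\]: (.*)$')
# An unexpanded sample fetch appears as its bare name in square brackets.
PLACEHOLDER = re.compile(r'^\[[a-z][a-z0-9_]*\]$')


def parse(line):
    """Split one flow log line into named fields, or return None."""
    m = PREFIX.search(line)
    if not m:
        return None
    try:
        values = shlex.split(m.group(1))  # honours the quoted request and DN
    except ValueError:                    # unbalanced quote in the line
        return None
    if len(values) != len(FIELDS):
        return None
    return dict(zip(FIELDS, values))


def audit(line):
    """Return a list of problems found in one flow log line."""
    rec = parse(line)
    if rec is None:
        return ['unparseable']
    problems = [f'{k}: literal {v}' for k, v in rec.items()
                if PLACEHOLDER.match(v)]
    # The broken entry in this report also logs a bare "r" as the request.
    if rec['request'] == 'r':
        problems.append('request: literal r')
    return problems
```
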

Comment 14 errata-xmlrpc 2022-12-07 20:29:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Red Hat OpenStack 16.1.9 (openstack-tripleo-heat-templates) security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:8796

