Bug 690430 - [apache] pinging a HTTPS URL fails if the certificate is not trusted by the JVM
[apache] pinging a HTTPS URL fails if the certificate is not trusted by the JVM
Status: CLOSED CURRENTRELEASE
Product: RHQ Project
Classification: Other
Component: Plugins (Show other bugs)
4.0.0
Unspecified Unspecified
medium Severity medium (vote)
: ---
: ---
Assigned To: RHQ Project Maintainer
Mike Foley
:
Depends On:
Blocks: jon3 753904
  Show dependency treegraph
 
Reported: 2011-03-24 07:08 EDT by Lukas Krejci
Modified: 2013-09-02 03:17 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 769965 (view as bug list)
Environment:
Last Closed: 2013-09-02 03:17:55 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Lukas Krejci 2011-03-24 07:08:28 EDT
Description of problem:

When apache is configured with a self-signed certificate (or just one not trusted by default by the trustore of the JRE executing the RHQ agent) the availability check fails for the apache server resource or any of its virtual hosts if the URL to ping is using the HTTPS protocol.

Version-Release number of selected component (if applicable):


How reproducible:
always

Steps to Reproduce:
1. Configure apache with a self-signed certificate
(in the default fedora installation do the following:
 a) open /etc/httpd/conf.d/ssl.conf
 b) uncomment the "SSLCertificateKeyFile" directive
 c) uncomment the "SSLCACertificateFile" directive
 d) restart apache
)
2. inventory the apache in RHQ
3. change the "URL" property in the connection properties to https:/localhost:443
  
Actual results:
the reported availability goes down

Expected results:
avail stays up

Additional info:
Comment 1 Lukas Krejci 2011-03-24 07:13:37 EDT
It is possible to "switch off" the trust checking using code similar to http://www.exampledepot.com/egs/javax.net.ssl/trustall.html.

We need to make sure that this behavior is configurable in the connection properties.
Comment 2 John Mazzitelli 2011-04-01 11:36:47 EDT
see if we can fix or at minimum document the workarounds somewhere
Comment 4 Larry O'Leary 2011-04-06 13:37:08 EDT
It appears that the proposed resolution to this bug is to add an option to disable SSL certificate validation completely and to trust all certificates. I think this is fine but we need to make sure that the option isn't misused by adding some kind of warning or documentation around the caution of using it.

Additionally, I think we should approach this as two separate options. One to trust all certificates and another to validate the certificate but disable host name validation. This way, users who hit this issue just because the certificate was issued for a public IP but we are using a local IP to talk to Apache, we can more safely ignore the host name check validation issue.
Comment 5 John Sanda 2011-04-07 13:51:23 EDT
Pushed fix to master.

commit: 7e3d9889259a68be7a1461df2ff1908dcc2b8f67

A property named disableCertificateVerification has been added to the Apache
server and vhost resource types. It defaults to false/off. If you enable it,
certificate validation is disabled during availability checks. This is done on
a per-instance basis. In other words, any other components running in the
plugin container that require/use certificate validation should remain
unaffected.
Comment 6 Larry O'Leary 2011-04-08 11:41:45 EDT
For host name verification issue:

Steps to Reproduce:
1. Configure apache with a self-signed certificate using the real host name as the common name (i.e. myhost.domain.com). The host name must be valid and resolvable by DNS. 
(in the default fedora installation do the following:
 a) open /etc/httpd/conf.d/ssl.conf
 b) uncomment the "SSLCertificateKeyFile" directive
 c) uncomment the "SSLCACertificateFile" directive
 d) restart apache
)
2. Install the self-signed public certificate in the JVM's cacerts:
 a) <JRE-path>/bin/keytool -import -keystore "<JRE_path>/lib/security/cacerts" -keypass changeit -alias apachecert -file "/tmp/key.cer" 
3. inventory the apache in RHQ
4. change the "URL" property in the connection properties to
https:/localhost:443

Actual results:
the reported availability goes down

Expected results:
avail stays up


The difference here is that if the correct host name is used (the one used in the certificate) all is well. The objective is to use an alternate host name (one not in the certificate) but still have everything be okay without the need to completely disregard the certificate.
Comment 7 John Sanda 2011-04-11 11:21:16 EDT
Removing the plugin configuration property that disables SSL cert validation for the URL used in availability checks. Cert validation is automatically disabled if the URL is HTTPS.

commit hash: f969d77b1fde23911c544fff01768048cc76c02c
Comment 8 Sunil Kondkar 2011-07-21 08:15:07 EDT
Verified on build209 (Version: 4.1.0-SNAPSHOT Build Number: e7947ed)

Followed the steps and verified that the availability of Apache server stays up.

Marking as verified.
Comment 9 Heiko W. Rupp 2013-09-02 03:17:55 EDT
Bulk closing of issues that were VERIFIED, had no target release and where the status changed more than a year ago.

Note You need to log in before you can comment on or make changes to this bug.