Bug 690430 - [apache] pinging a HTTPS URL fails if the certificate is not trusted by the JVM
Summary: [apache] pinging a HTTPS URL fails if the certificate is not trusted by the JVM
Status: CLOSED CURRENTRELEASE
Alias: None
Product: RHQ Project
Classification: Other
Component: Plugins
Version: 4.0.0
Hardware: Unspecified
OS: Unspecified
medium
medium vote
Target Milestone: ---
: ---
Assignee: RHQ Project Maintainer
QA Contact: Mike Foley
URL:
Whiteboard:
Keywords:
Depends On:
Blocks: jon3 753904
TreeView+ depends on / blocked
 
Reported: 2011-03-24 11:08 UTC by Lukas Krejci
Modified: 2018-11-14 15:02 UTC (History)
5 users (show)

(edit)
Clone Of:
: 769965 (view as bug list)
(edit)
Last Closed: 2013-09-02 07:17:55 UTC


Attachments (Terms of Use)

Description Lukas Krejci 2011-03-24 11:08:28 UTC
Description of problem:

When apache is configured with a self-signed certificate (or just one not trusted by default by the trustore of the JRE executing the RHQ agent) the availability check fails for the apache server resource or any of its virtual hosts if the URL to ping is using the HTTPS protocol.

Version-Release number of selected component (if applicable):


How reproducible:
always

Steps to Reproduce:
1. Configure apache with a self-signed certificate
(in the default fedora installation do the following:
 a) open /etc/httpd/conf.d/ssl.conf
 b) uncomment the "SSLCertificateKeyFile" directive
 c) uncomment the "SSLCACertificateFile" directive
 d) restart apache
)
2. inventory the apache in RHQ
3. change the "URL" property in the connection properties to https:/localhost:443
  
Actual results:
the reported availability goes down

Expected results:
avail stays up

Additional info:

Comment 1 Lukas Krejci 2011-03-24 11:13:37 UTC
It is possible to "switch off" the trust checking using code similar to http://www.exampledepot.com/egs/javax.net.ssl/trustall.html.

We need to make sure that this behavior is configurable in the connection properties.

Comment 2 John Mazzitelli 2011-04-01 15:36:47 UTC
see if we can fix or at minimum document the workarounds somewhere

Comment 4 Larry O'Leary 2011-04-06 17:37:08 UTC
It appears that the proposed resolution to this bug is to add an option to disable SSL certificate validation completely and to trust all certificates. I think this is fine but we need to make sure that the option isn't misused by adding some kind of warning or documentation around the caution of using it.

Additionally, I think we should approach this as two separate options. One to trust all certificates and another to validate the certificate but disable host name validation. This way, users who hit this issue just because the certificate was issued for a public IP but we are using a local IP to talk to Apache, we can more safely ignore the host name check validation issue.

Comment 5 John Sanda 2011-04-07 17:51:23 UTC
Pushed fix to master.

commit: 7e3d9889259a68be7a1461df2ff1908dcc2b8f67

A property named disableCertificateVerification has been added to the Apache
server and vhost resource types. It defaults to false/off. If you enable it,
certificate validation is disabled during availability checks. This is done on
a per-instance basis. In other words, any other components running in the
plugin container that require/use certificate validation should remain
unaffected.

Comment 6 Larry O'Leary 2011-04-08 15:41:45 UTC
For host name verification issue:

Steps to Reproduce:
1. Configure apache with a self-signed certificate using the real host name as the common name (i.e. myhost.domain.com). The host name must be valid and resolvable by DNS. 
(in the default fedora installation do the following:
 a) open /etc/httpd/conf.d/ssl.conf
 b) uncomment the "SSLCertificateKeyFile" directive
 c) uncomment the "SSLCACertificateFile" directive
 d) restart apache
)
2. Install the self-signed public certificate in the JVM's cacerts:
 a) <JRE-path>/bin/keytool -import -keystore "<JRE_path>/lib/security/cacerts" -keypass changeit -alias apachecert -file "/tmp/key.cer" 
3. inventory the apache in RHQ
4. change the "URL" property in the connection properties to
https:/localhost:443

Actual results:
the reported availability goes down

Expected results:
avail stays up


The difference here is that if the correct host name is used (the one used in the certificate) all is well. The objective is to use an alternate host name (one not in the certificate) but still have everything be okay without the need to completely disregard the certificate.

Comment 7 John Sanda 2011-04-11 15:21:16 UTC
Removing the plugin configuration property that disables SSL cert validation for the URL used in availability checks. Cert validation is automatically disabled if the URL is HTTPS.

commit hash: f969d77b1fde23911c544fff01768048cc76c02c

Comment 8 Sunil Kondkar 2011-07-21 12:15:07 UTC
Verified on build209 (Version: 4.1.0-SNAPSHOT Build Number: e7947ed)

Followed the steps and verified that the availability of Apache server stays up.

Marking as verified.

Comment 9 Heiko W. Rupp 2013-09-02 07:17:55 UTC
Bulk closing of issues that were VERIFIED, had no target release and where the status changed more than a year ago.


Note You need to log in before you can comment on or make changes to this bug.