Created attachment 680105 [details]
screen shot of certificate

Description of problem:
Add an ssl-cert to an application with a custom domain name, then access the custom domain name via https. A certificate shows up, but it is from OpenShift instead of the one the user added.

Version-Release number of selected component (if applicable):
fork_ami_refctr1_420

How reproducible:
Always

Steps to Reproduce:
1. Create an application and add an alias; add the app's IP and alias to /etc/hosts
rhc app create jbas jbossas-7
rhc alias add jbas jbas.jhou.com
2. Generate a private key and certificate; the Certificate Signing Request has content like below:
--------------------------------
Common Name: jhou
Organization: QE
Organization Unit: OP
Locality: Beijing
State: BJ
Country: CH
Email: jhou
-------------------------------------
3. Add the ssl-cert with oo-ssl-cert-add
oo-ssl-cert-add --with-container-uuid 04d9cbfcdd7e439eb02ca69d2ee55f93 --with-container-name jbas --with-namespace 426t3 --with-alias-name jbas.jhou.com --with-ssl-cert server.crt --with-priv-key server.key
Enter pass phrase for /var/lib/openshift/.httpd.d/04d9cbfcdd7e439eb02ca69d2ee55f93_426t3_jbas.jhou.com/server.key:
4. Access the app via https and the custom domain name (alias)
Open a browser, visit https://jbas.jhou.com/

Actual results:
After step 4, a certificate shows up, but its content indicates it was generated by OpenShift, not the specific one I generated; please see the attachment.

Expected results:
The contents shown in the certificate should be consistent with the one created by the user.

Additional info:
The screenshot is of the browser requesting you to upload a cert, not the cert it is presenting. Most likely this is because of the passphrase, for which I have now added a check to disallow it.

Here is a sample usage that shows it works. First we add a cert and see that we get the foo.example.com cert that I created. After removing the cert we get the "SomeOrganization" cert, which is the default on devenvs.

[root@ip-10-39-127-191 ~]# oo-ssl-cert-add -a testjb1.com -c 4ee69f5ea99c4c748db3fea2fa97eea4 --with-namespace testssl5 --with-container-name jb1 -s ~/server.crt -k ~/server.key
[root@ip-10-39-127-191 ~]#
[root@ip-10-39-127-191 ~]#
[root@ip-10-39-127-191 ~]# curl -k -vvv https://testjb1.com > /dev/null
* About to connect() to testjb1.com port 443 (#0)
*   Trying 127.0.0.1... connected
* Connected to testjb1.com (127.0.0.1) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* warning: ignoring value of ssl.verifyhost
* skipping SSL peer certificate verification
* NSS: client certificate not found (nickname not specified)
* SSL connection using TLS_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
* 	subject: E=admin,CN=foo.example.com,OU=Cloud,O="Example, Inc.",L=Mountain View,ST=California,C=US
* 	start date: Jan 15 00:37:22 2013 GMT
* 	expire date: Jan 15 00:37:22 2014 GMT
* 	common name: foo.example.com
* 	issuer: E=admin,CN=foo.example.com,OU=Cloud,O="Example, Inc.",L=Mountain View,ST=California,C=US
> GET / HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.13.1.0 zlib/1.2.3 libidn/1.18 libssh2/1.2.2
> Host: testjb1.com
> Accept: */*
>
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0< HTTP/1.1 200 OK
< Date: Thu, 17 Jan 2013 20:16:13 GMT
< Server: Apache-Coyote/1.1
< Accept-Ranges: bytes
< ETag: W/"6756-1358448810000"
< Last-Modified: Thu, 17 Jan 2013 18:53:30 GMT
< Content-Type: text/html; charset=UTF-8
< Content-Length: 6756
< Vary: Accept-Encoding,User-Agent
< Strict-Transport-Security: max-age=15768000
< ProxyTime: D=2817
<
{ [data not shown]
100  6756  100  6756    0     0   108k      0 --:--:-- --:--:-- --:--:-- 1649k* Connection #0 to host testjb1.com left intact
* Closing connection #0
[root@ip-10-39-127-191 ~]# oo-ssl-cert-remove -a testjb1.com -c 4ee69f5ea99c4c748db3fea2fa97eea4 --with-namespace testssl5 --with-container-name jb1 -s server.crt -k server.key
[root@ip-10-39-127-191 ~]#
[root@ip-10-39-127-191 ~]# curl -k -vvv https://testjb1.com > /dev/null
* About to connect() to testjb1.com port 443 (#0)
*   Trying 127.0.0.1... connected
* Connected to testjb1.com (127.0.0.1) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* warning: ignoring value of ssl.verifyhost
* skipping SSL peer certificate verification
* NSS: client certificate not found (nickname not specified)
* SSL connection using TLS_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
* 	subject: E=root@ip-10-40-214-87,CN=ip-10-40-214-87,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=--
* 	start date: Jan 13 05:28:36 2013 GMT
* 	expire date: Jan 13 05:28:36 2014 GMT
* 	common name: ip-10-40-214-87
* 	issuer: E=root@ip-10-40-214-87,CN=ip-10-40-214-87,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=--
> GET / HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.13.1.0 zlib/1.2.3 libidn/1.18 libssh2/1.2.2
> Host: testjb1.com
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Thu, 17 Jan 2013 20:17:51 GMT
< Server: Apache-Coyote/1.1
< Accept-Ranges: bytes
< ETag: W/"6756-1358448810000"
< Last-Modified: Thu, 17 Jan 2013 18:53:30 GMT
< Content-Type: text/html; charset=UTF-8
< Content-Length: 6756
< Vary: Accept-Encoding,User-Agent
< Strict-Transport-Security: max-age=15768000
< ProxyTime: D=3787
<
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0  6756    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0{ [data not shown]
100  6756  100  6756    0     0   114k      0 --:--:-- --:--:-- --:--:-- 6597k* Connection #0 to host testjb1.com left intact
* Closing connection #0
Verified on fork_ami_US1262_SNI_432. With curl, I am able to confirm it's using the certificate I have added. Thanks!

root@ip-10-4-23-141 apps]# oo-ssl-cert-add --with-container-name php1 --with-container-uuid c1cb7e53a57a4d759b760860eff26ee0 --with-namespace 432t --with-alias-name php1.jhou.com --with-ssl-cert server.crt --with-priv-key server.key

hjw@hjw ~$ curl -k -vvv https://php1.jhou.com/ > /dev/null
* About to connect() to php1.jhou.com port 443 (#0)
*   Trying 107.20.98.122...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* connected
* Connected to php1.jhou.com (107.20.98.122) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* warning: ignoring value of ssl.verifyhost
* skipping SSL peer certificate verification
* NSS: client certificate not found (nickname not specified)
* SSL connection using TLS_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
* 	subject: E=jhou,CN=jhou,OU=QE,O=RedHat,L=Beijing,ST=BJ,C=CH
* 	start date: Jan 18 02:00:08 2013 GMT
* 	expire date: Jan 18 02:00:08 2014 GMT
* 	common name: jhou
* 	issuer: E=jhou,CN=jhou,OU=QE,O=RedHat,L=Beijing,ST=BJ,C=CH
> GET / HTTP/1.1
> User-Agent: curl/7.24.0 (x86_64-redhat-linux-gnu) libcurl/7.24.0 NSS/3.13.5.0 zlib/1.2.5 libidn/1.24 libssh2/1.4.1
> Host: php1.jhou.com
> Accept: */*
>
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0< HTTP/1.1 200 OK
< Date: Fri, 18 Jan 2013 02:16:55 GMT
< Server: Apache/2.2.15 (Red Hat)
< Content-Length: 5231
< Content-Type: text/html; charset=UTF-8
< Vary: Accept-Encoding,User-Agent
< Strict-Transport-Security: max-age=15768000
< ProxyTime: D=16533
<
{ [data not shown]
100  5231  100  5231    0     0   4291      0  0:00:01  0:00:01 --:--:--  5488
* Connection #0 to host php1.jhou.com left intact
* Closing connection #0

[root@ip-10-4-23-141 apps]# oo-ssl-cert-remove --with-container-name php1 --with-container-uuid c1cb7e53a57a4d759b760860eff26ee0 --with-namespace 432t --with-alias-name php1.jhou.com --with-ssl-cert server.crt --with-priv-key server.key

hjw@hjw ~$ curl -k -vvv https://php1.jhou.com/ > /dev/null
* About to connect() to php1.jhou.com port 443 (#0)
*   Trying 107.20.98.122...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* connected
* Connected to php1.jhou.com (107.20.98.122) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* warning: ignoring value of ssl.verifyhost
* skipping SSL peer certificate verification
* NSS: client certificate not found (nickname not specified)
* SSL connection using TLS_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
* 	subject: E=root@ip-10-40-214-87,CN=ip-10-40-214-87,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=--
* 	start date: Jan 13 05:28:36 2013 GMT
* 	expire date: Jan 13 05:28:36 2014 GMT
* 	common name: ip-10-40-214-87
* 	issuer: E=root@ip-10-40-214-87,CN=ip-10-40-214-87,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=--
> GET / HTTP/1.1
> User-Agent: curl/7.24.0 (x86_64-redhat-linux-gnu) libcurl/7.24.0 NSS/3.13.5.0 zlib/1.2.5 libidn/1.24 libssh2/1.4.1
> Host: php1.jhou.com
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Fri, 18 Jan 2013 02:21:47 GMT
< Server: Apache/2.2.15 (Red Hat)
< Content-Length: 5231
< Content-Type: text/html; charset=UTF-8
< Vary: Accept-Encoding,User-Agent
< Strict-Transport-Security: max-age=15768000
< ProxyTime: D=15917
<
  0  5231    0     0    0     0      0      0 --:--:--  0:00:01 --:--:--     0{ [data not shown]
100  5231  100  5231    0     0   4489      0  0:00:01  0:00:01 --:--:--  5851
* Connection #0 to host php1.jhou.com left intact
* Closing connection #0
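Both comments above verify the installed certificate the same way: read the "subject:" line out of curl -vvv output and see whether it is the user's certificate or the "SomeOrganization" placeholder that devenvs serve by default, and the developer's comment notes that a passphrase-protected private key (the likely cause of the original report) is now rejected. The script below is an added example, not code from the bug report or from OpenShift, that automates those checks offline: it parses the subject DN from curl's verbose output (including the quoted comma in O="Example, Inc."), reports whether the CN matches the alias (exact or a single-label wildcard) and whether the served certificate is the platform default, and inspects a PEM key for the encrypted-key headers before it would be handed to oo-ssl-cert-add. The curl excerpts, hostnames and PEM samples inside it are constructed; only the curl line format and the "SomeOrganization" value come from the comments above.

```python
"""Offline checks for the custom-alias SSL certificate workflow.

Added example, not code from the bug report or from OpenShift. All curl
excerpts, hostnames and PEM samples below are constructed; the curl line
format and the "SomeOrganization" placeholder organisation are taken from
the comments in the bug.
"""
import re

# Organisation in the auto-generated placeholder cert on devenvs (from the bug comments).
PLATFORM_DEFAULT_ORG = "SomeOrganization"

# curl -vvv (NSS build) prints the server subject as "*<tab>subject: <DN>".
SUBJECT_RE = re.compile(r"^\*\s*subject:\s*(.+?)\s*$", re.MULTILINE)

# PEM headers that mean the private key needs a passphrase (PKCS#1 with
# OpenSSL's Proc-Type header, or PKCS#8 encrypted). Such a key makes the
# web server prompt for the passphrase instead of serving the cert.
ENCRYPTED_KEY_MARKERS = ("-----BEGIN ENCRYPTED PRIVATE KEY-----", "Proc-Type: 4,ENCRYPTED")


def parse_dn(dn):
    """Split an OpenSSL-style 'K=V,K=V' DN into a dict, honouring double-quoted
    values such as O="Example, Inc." (escaped quotes are not handled)."""
    attrs, parts, buf, quoted = {}, [], [], False
    for ch in dn:
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    for part in parts:
        key, _, value = part.strip().partition("=")
        if key:
            attrs[key.strip()] = value.strip()
    return attrs


def served_subject(curl_output):
    """Return the subject DN of the certificate curl reports, or None if no
    'subject:' line is present (for example a plain-HTTP or failed connection)."""
    match = SUBJECT_RE.search(curl_output)
    return parse_dn(match.group(1)) if match else None


def name_matches(cn, alias):
    """RFC 6125-style comparison of a certificate name against the alias:
    exact match, or a '*.' wildcard covering exactly one leftmost label."""
    cn, alias = cn.lower().rstrip("."), alias.lower().rstrip(".")
    if cn == alias:
        return True
    if cn.startswith("*."):
        suffix = cn[2:]
        return alias.endswith("." + suffix) and alias.count(".") == suffix.count(".") + 1
    return False


def check_alias_cert(alias, curl_output):
    """Classify what the alias is serving: the user's cert with a matching name,
    the user's cert with a name browsers will reject, or the platform default.
    Old curl/NSS output shows no subjectAltName, so only the CN is checked."""
    subject = served_subject(curl_output)
    if subject is None:
        return {"served": False, "cn": None, "matches_alias": False, "platform_default": False}
    cn = subject.get("CN", "")
    return {
        "served": True,
        "cn": cn,
        "matches_alias": name_matches(cn, alias),
        "platform_default": subject.get("O") == PLATFORM_DEFAULT_ORG,
    }


def key_is_passphrase_protected(pem_text):
    """True if the PEM private key carries an encrypted-key header."""
    return any(marker in pem_text for marker in ENCRYPTED_KEY_MARKERS)


# --- constructed sample inputs (not taken from the bug) ---
CURL_CUSTOM_CERT = (
    "* Server certificate:\n"
    '* \tsubject: E=admin,CN=foo.example.com,OU=Cloud,O="Example, Inc.",L=Mountain View,ST=California,C=US\n'
    "* \tcommon name: foo.example.com\n"
)
CURL_PLATFORM_DEFAULT = (
    "* Server certificate:\n"
    "* \tsubject: E=root@node1.internal,CN=node1.internal,OU=SomeOrganizationalUnit,"
    "O=SomeOrganization,L=SomeCity,ST=SomeState,C=--\n"
)
CURL_WRONG_CN = (
    "* Server certificate:\n"
    "* \tsubject: E=ops@example.com,CN=ops,OU=QE,O=ExampleCo,L=Beijing,ST=BJ,C=CN\n"
)
KEY_ENCRYPTED = (
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n"
    "(base64 body omitted in this constructed sample)\n-----END RSA PRIVATE KEY-----\n"
)
KEY_PLAIN = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "(base64 body omitted in this constructed sample)\n-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for label, out in (("custom", CURL_CUSTOM_CERT), ("default", CURL_PLATFORM_DEFAULT), ("wrong-cn", CURL_WRONG_CN)):
        print(label, check_alias_cert("foo.example.com", out))
    print("encrypted key rejected:", key_is_passphrase_protected(KEY_ENCRYPTED))
```

The "wrong-cn" case is the one worth watching in the verification comment above: curl -k skips name checking, so a certificate whose CN is "jhou" is reported as the user's own certificate, yet a browser visiting php1.jhou.com will still reject it for a name mismatch. Distinguishing "platform default served" from "user's cert with a non-matching name" is what tells you whether the fault is in the platform or in the CSR the user generated.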