Bug 973219 - httpd conf should set accurate ServerName to avoid TLS "Unrecognized Name" warning
Status: CLOSED CURRENTRELEASE
Product: OpenShift Container Platform
Classification: Red Hat
Component: Documentation
1.2.0
Assigned To: Alex Dellapenta
ecs-bugs
Depends On: 970805
Blocks: 957117
Reported: 2013-06-11 09:33 EDT by Jason DeTiberus
Modified: 2017-03-08 12 EST

Doc Type: Bug Fix
Clone Of: 970805
Last Closed: 2013-06-24 12:08:11 EDT
Type: Bug




External Trackers
Tracker ID Priority Status Summary Last Updated
JBoss Issue Tracker JBIDE-14760 Major Closed Cannot connect to OpenShift Enterprise with hostname: javax.net.ssl.SSLProtocolException (WATCHER) 2016-03-30 02:20 EDT

Description Jason DeTiberus 2013-06-11 09:33:16 EDT
+++ This bug was initially created as a clone of Bug #970805 +++

Description of problem:
In the installation scripts and deployment guide, we do not change the ServerName setting for the broker's Apache from the default of 'localhost'.  Consequently, the TLS handshake raises a warning alert.  This warning alert can cause JBoss Developer Studio to report an authentication failure.

Version-Release number of selected component (if applicable):

How reproducible:
Thoroughly.

Steps to Reproduce:
1. Install a new broker host and a new node host using the installation scripts under <https://github.com/openshift/openshift-extras/blob/enterprise-1.1/enterprise/install-scripts/> (for OSE 1.1), the scripts under <https://github.com/openshift/openshift-extras/blob/enterprise-1.2/enterprise/install-scripts/> (for OSE 1.2), or the deployment guide at <https://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/1/html-single/Deployment_Guide/index.html>.

2. Run `httpd -S` on the broker host.

3. Run `tcpdump -lnni eth0 -w /tmp/tcpdump.out tcp port 443` on the broker host, run `curl -k https://broker.example.com/broker/rest/api` on a host that is remote to the broker, and run Wireshark on the resulting tcpdump.out file.

Actual results:

In Step 2, the `httpd -S` output shows 'localhost' for the virtual servers.

In Step 3, Wireshark shows "TLSv1    Alert (Level: Warning, Description: Unrecognized Name), Server Hello, Certificate" in the TLS handshake of every new connection.

Expected results:

In Step 2, the `httpd -S` output should show the configured hostnames for the virtual servers.

In Step 3, Wireshark should not show any warnings or errors in the TLS handshake.


Need to make the following Docs changes (based on the current 1.1 documentation):
Section 5.8.6.2 - Remove '-extensions v3_req' from the openssl command to generate a self-signed cert.
Section 6.8.6.1 - Remove '-extensions v3_req' from the openssl command to generate a self-signed cert.
Section 6.8.6.1 - Remove the duplicate line '-x509 -days 3650 -extensions v3_req \'

We also need to add a section to both the node and broker configuration to set the ServerName.
Node:
Modify /etc/httpd/conf.d/000001_openshift_origin_node.conf.
Change ServerName to the host's FQDN, or run the following sed command:
sed -i -e "s/ServerName .*$/ServerName `hostname`/" \
  /etc/httpd/conf.d/000001_openshift_origin_node.conf

Broker:
Modify /etc/httpd/conf.d/000002_openshift_origin_broker_servername.conf.
Change ServerName to the host's FQDN, or run the following sed command:
sed -i -e "s/ServerName .*$/ServerName `hostname`/" \
  /etc/httpd/conf.d/000002_openshift_origin_broker_servername.conf
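
A way to check the ServerName change described above, as an added example that is not part of the original report or the OpenShift scripts: it reports any uncommented ServerName that differs from the expected host name (such as the default 'localhost') and applies the same substitution as the report's sed command. The function names and the sample file content are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report). Function names and the sample
# conf content are constructed for illustration.

# check_servername FILE EXPECTED
# Prints every uncommented ServerName whose host part differs from EXPECTED.
# Returns 0 if all match, 1 on a mismatch, 2 if the file has no ServerName.
# Matches the canonical spelling "ServerName" only.
check_servername() {
    names=$(sed -n 's/^[[:space:]]*ServerName[[:space:]][[:space:]]*\([^[:space:]]*\).*$/\1/p' "$1")
    [ -n "$names" ] || { echo "$1: no ServerName directive"; return 2; }
    rc=0
    for n in $names; do
        host=${n#*://}      # ServerName may carry a scheme ...
        host=${host%%:*}    # ... and a port
        if [ "$host" != "$2" ]; then
            echo "$1: ServerName $n, expected $2"
            rc=1
        fi
    done
    return $rc
}

# set_servername FILE NAME
# Same substitution as the report's sed command, but anchored so commented
# lines are left alone, and NAME is validated before it is passed to sed.
set_servername() {
    case $2 in
        ''|*[!A-Za-z0-9.-]*) echo "refusing hostname: $2" >&2; return 1 ;;
    esac
    sed "s/^\([[:space:]]*\)ServerName[[:space:]].*\$/\1ServerName $2/" "$1" > "$1.new" &&
        mv "$1.new" "$1"
}

# demo_conf FILE
# Writes a constructed sample conf that still carries the default value.
demo_conf() {
    printf '%s\n' '# ServerName example' '<VirtualHost *:443>' \
        '  ServerName localhost' '  SSLEngine on' '</VirtualHost>' > "$1"
}
```

Run `check_servername` against each file under /etc/httpd/conf.d/ with the output of `hostname` as the expected value; a non-zero return marks a file that still needs the change.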
Comment 2 JBoss JIRA Server 2013-06-13 05:29:44 EDT
Andre Dietisheim <adietish@redhat.com> made a comment on jira JBIDE-14760

Moving this WATCHER to 4.1.x since the root issue in OpenShift Enterprise is fixed but not published/released yet. We keep watching it and will resolve it once we can test against a fixed instance.
