Red Hat Bugzilla – Bug 973219
httpd conf should set accurate ServerName to avoid TLS "Unrecognized Name" warning
Last modified: 2017-03-08 12:35 EST
+++ This bug was initially created as a clone of Bug #970805 +++ Description of problem: In the installation scripts and deployment guide, we do not change the ServerName setting for the broker's Apache from the default of 'localhost'. Consequently, the TLS handshake raises a warning alert. This warning alert can cause JBoss Developer Studio to report an authentication failure. Version-Release number of selected component (if applicable): How reproducible: Thoroughly. Steps to Reproduce: 1. Install a new broker host and a new node host using the installation scripts under <https://github.com/openshift/openshift-extras/blob/enterprise-1.1/enterprise/install-scripts/> (for OSE 1.1), the scripts under <https://github.com/openshift/openshift-extras/blob/enterprise-1.2/enterprise/install-scripts/> (for OSE 1.2), or the deployment guide at <https://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/1/html-single/Deployment_Guide/index.html>. 2. Run `httpd -S` on the broker host. 3. Run `tcpdump -lnni eth0 -w /tmp/tcpdump.out tcp port 443` on the broker host, run `curl -k https://broker.example.com/broker/rest/api` on a host that is remote to the broker, and run Wireshark on the resulting tcpdump.out file. Actual results: In Step 2, the `httpd -S` output shows 'localhost' for the virtual servers. In Step 3, Wireshark shows "TLSv1 Alert (Level: Warning, Description: Unrecognized Name), Server Hello, Certificate" in the TLS handshake of every new connection. Expected results: In Step 2, the `httpd -S` output should show the configured hostnames for the virtual servers. In Step 3, Wireshark should not show any warnings or errors in the TLS handshake. Need to make the following Docs changes (based on the current 1.1 documentation): Section 5.8.6.2 - Remove '-extensions v3_req' from the openssl command to generate a self signed cert. Section 6.8.6.1 - Remove '-extensions v3_req' from the openssl command to generate a self signed cert. Section 6.8.6.1 - Remove the duplicate line '-x509 -days 3650 -extensions v3_req \' We also need to add a section to both the node and broker configuration to set the ServerName. Node: modify /etc/httpd/conf.d/000001_openshift_origin_node.conf Change ServerName to hosts fqdn or run the following sed command sed -i -e "s/ServerName .*$/ServerName `hostname`/" \ /etc/httpd/conf.d/000001_openshift_origin_node.conf Broker: modify /etc/httpd/conf.d/000002_openshift_origin_broker_servername.conf Change ServerName to hosts fqdn or run the following sed command sed -i -e "s/ServerName .*$/ServerName `hostname`/" \ /etc/httpd/conf.d/000002_openshift_origin_broker_servername.conf
Andre Dietisheim <adietish@redhat.com> made a comment on jira JBIDE-14760 Moving this WATCHER to 4.1.x since the root issue in OpenShift Enterprise is fixed but not published/released yet. We keep watching it and will resolve it once we can test against a fixed instance.