Bug 973219 - httpd conf should set accurate ServerName to avoid TLS "Unrecognized Name" warning
Summary: httpd conf should set accurate ServerName to avoid TLS "Unrecognized Name" wa...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Documentation
Version: 1.2.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
: ---
Assignee: Alex Dellapenta
QA Contact: ecs-bugs
URL:
Whiteboard:
Depends On: 970805
Blocks: 957117
TreeView+ depends on / blocked
 
Reported: 2013-06-11 13:33 UTC by Jason DeTiberus
Modified: 2017-03-08 17:35 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 970805
Environment:
Last Closed: 2013-06-24 16:08:11 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker JBIDE-14760 0 Major Closed Cannot connect to OpenShift Enterprise with hostname: javax.net.ssl.SSLProtocolException (WATCHER) 2020-03-17 06:53:59 UTC

Description Jason DeTiberus 2013-06-11 13:33:16 UTC
+++ This bug was initially created as a clone of Bug #970805 +++

Description of problem:
In the installation scripts and deployment guide, we do not change the ServerName setting for the broker's Apache from the default of 'localhost'.  Consequently, the TLS handshake raises a warning alert.  This warning alert can cause JBoss Developer Studio to report an authentication failure.

Version-Release number of selected component (if applicable):

How reproducible:
Thoroughly.

Steps to Reproduce:
1. Install a new broker host and a new node host using the installation scripts under <https://github.com/openshift/openshift-extras/blob/enterprise-1.1/enterprise/install-scripts/> (for OSE 1.1), the scripts under <https://github.com/openshift/openshift-extras/blob/enterprise-1.2/enterprise/install-scripts/> (for OSE 1.2), or the deployment guide at <https://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/1/html-single/Deployment_Guide/index.html>.

2. Run `httpd -S` on the broker host.

3. Run `tcpdump -lnni eth0 -w /tmp/tcpdump.out tcp port 443` on the broker host, run `curl -k https://broker.example.com/broker/rest/api` on a host that is remote to the broker, and run Wireshark on the resulting tcpdump.out file.

Actual results:

In Step 2, the `httpd -S` output shows 'localhost' for the virtual servers.

In Step 3, Wireshark shows "TLSv1    Alert (Level: Warning, Description: Unrecognized Name), Server Hello, Certificate" in the TLS handshake of every new connection.

Expected results:

In Step 2, the `httpd -S` output should show the configured hostnames for the virtual servers.

In Step 3, Wireshark should not show any warnings or errors in the TLS handshake.


Need to make the following Docs changes (based on the current 1.1 documentation):
Section 5.8.6.2 - Remove '-extensions v3_req' from the openssl command to generate a self signed cert.
Section 6.8.6.1 - Remove '-extensions v3_req' from the openssl command to generate a self signed cert.
Section 6.8.6.1 - Remove the duplicate line '-x509 -days 3650 -extensions v3_req \'

We also need to add a section to both the node and broker configuration to set the ServerName.
Node:
modify /etc/httpd/conf.d/000001_openshift_origin_node.conf
Change ServerName to hosts fqdn or run the following sed command
sed -i -e "s/ServerName .*$/ServerName `hostname`/" \
  /etc/httpd/conf.d/000001_openshift_origin_node.conf

Broker:
modify /etc/httpd/conf.d/000002_openshift_origin_broker_servername.conf
Change ServerName to hosts fqdn or run the following sed command
sed -i -e "s/ServerName .*$/ServerName `hostname`/" \
  /etc/httpd/conf.d/000002_openshift_origin_broker_servername.conf

Comment 2 JBoss JIRA Server 2013-06-13 09:29:44 UTC
Andre Dietisheim <adietish@redhat.com> made a comment on jira JBIDE-14760

Moving this WATCHER to 4.1.x since the root issue in OpenShift Enterprise is fixed but not published/released yet. We keep watching it and will resolve it once we can test against a fixed instance.


Note You need to log in before you can comment on or make changes to this bug.