Wildcard certificates unsupported

Bug #1608665 reported by Nickita Zaporozhets
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
StackLight | Fix Released | High | guillaume thouvenin |
0.10 | Fix Released | Undecided | Unassigned |

Bug Description

Deployment fails when trying to use wildcard certificates for TLS (any module – grafana, nagios, etc.).

Puppet log:

2016-07-28T01:03:50.381743+00:00 err: Found *.lab.customerdomain.com as CN whereas 'mvp1-nagios.lab.customerdomain.com' was expected at /etc/fuel/plugins/lma_infrastructure_alerting-0.10/puppet/manifests/validate_certificate.pp:23 on node node72.lab.customerdomain.com

astute:

2016-07-28 01:03:52 ERROR [32574] Task '{"priority"=>600, "type"=>"puppet", "id"=>"lma-alerting-validate-certificate", "parameters"=>{"puppet_modules"=>"puppet/modules:/etc/puppet/modules", "puppet_manifest"=>"puppet/manifests/validate_certificate.pp", "timeout"=>120, "cwd"=>"/etc/fuel/plugins/lma_infrastructure_alerting-0.10/"}, "uids"=>["6"]}' failed on node 6
2016-07-28 01:03:52 ERROR [32574] No more tasks will be executed on the node 6
2016-07-28 01:03:52 DEBUG [32574] Task time summary: lma-alerting-validate-certificate with status error on node 6 took 00:00:06
2016-07-28 01:03:52 DEBUG [32574] Data received by DeploymentProxyReporter to report it up:
{"nodes"=>
  [{"uid"=>"6",
    "status"=>"error",
    "error_type"=>"deploy",
    "role"=>"primary-infrastructure_alerting",
    "task"=>
     {"priority"=>600,
      "type"=>"puppet",
      "id"=>"lma-alerting-validate-certificate",
      "parameters"=>
       {"puppet_modules"=>"puppet/modules:/etc/puppet/modules",
        "puppet_manifest"=>"puppet/manifests/validate_certificate.pp",
        "timeout"=>120,
        "cwd"=>"/etc/fuel/plugins/lma_infrastructure_alerting-0.10/"},
      "uids"=>["6"]}}]}

Changed in lma-toolchain:
status: New → Confirmed
assignee: nobody → LMA-Toolchain Fuel Plugins (mos-lma-toolchain)
Denis Klepikov (dklepikov) wrote :

High due to customer-found

Changed in lma-toolchain:
importance: Undecided → High
guillaume thouvenin (guillaume-thouvenin) wrote :

Yes, this error is expected because in the validation we check that the CN found in the certificate contains the hostname of the node that is running nagios. I will check, but we could probably modify this check to support wildcards.

guillaume thouvenin (guillaume-thouvenin) wrote :

The function that validates the certificate can be found on the node in /etc/fuel/plugins/lma_infrastructure_alerting-0.10/puppet/modules/lma_infra_alerting/lib/puppet/parser/functions/validate_ssl_certificate.rb
You can modify it by removing the following line:

raise "Found #{cn_found} as CN whereas '#{args[1]}' was expected" unless cn_found == args[1]

guillaume thouvenin (guillaume-thouvenin) wrote :

NOTE: do the same thing for other plugins (elastic and influx).
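
A wildcard-aware comparison that keeps the hostname check in place instead of removing it, as an added example (not the plugin's code and not the merged fix; `cert_name_matches?` and `validate_cn!` are hypothetical names). It assumes the usual TLS rule that `*` is valid only as the whole leftmost label and covers exactly one label.

```ruby
# Added example: wildcard-aware stand-in for the strict `cn_found == args[1]`
# comparison. Function names are hypothetical, not the plugin's.

# True when `hostname` is covered by `pattern` (a certificate CN or dNSName).
# "*" is honoured only as the whole leftmost label and covers exactly one
# label, so "*.lab.example.com" does not cover "a.b.lab.example.com".
def cert_name_matches?(pattern, hostname)
  return false if pattern.nil? || hostname.nil?

  pat = pattern.downcase.chomp('.')
  host = hostname.downcase.chomp('.')
  return false if pat.empty? || host.empty? || host.include?('*')

  pat_labels = pat.split('.', -1)
  host_labels = host.split('.', -1)
  return false if pat_labels.any?(&:empty?) || host_labels.any?(&:empty?)

  # No wildcard: plain case-insensitive equality, as in the original check.
  return pat == host unless pat.include?('*')

  first, *rest = pat_labels
  return false unless first == '*'                 # no partial labels ("n*")
  return false if rest.any? { |l| l.include?('*') } # only one wildcard
  return false if rest.length < 2                  # reject "*.com"
  return false unless host_labels.length == pat_labels.length

  host_labels.drop(1) == rest
end

# Same contract as the line quoted above: raise when the names do not match.
def validate_cn!(cn_found, expected)
  return true if cert_name_matches?(cn_found, expected)

  raise "Found #{cn_found} as CN whereas '#{expected}' was expected"
end
```

With the names from the Puppet log above, `validate_cn!('*.lab.customerdomain.com', 'mvp1-nagios.lab.customerdomain.com')` passes, while a certificate issued for an unrelated domain still fails the deployment task.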

Changed in lma-toolchain:
assignee: LMA-Toolchain Fuel Plugins (mos-lma-toolchain) → guillaume thouvenin (guillaume-thouvenin)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-plugin-lma-infrastructure-alerting (master)

Fix proposed to branch: master
Review: https://review.openstack.org/352860

Changed in lma-toolchain:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-plugin-elasticsearch-kibana (master)

Fix proposed to branch: master
Review: https://review.openstack.org/352861

OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-plugin-influxdb-grafana (master)

Fix proposed to branch: master
Review: https://review.openstack.org/352862

OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-plugin-influxdb-grafana (master)

Reviewed: https://review.openstack.org/352862
Committed: https://git.openstack.org/cgit/openstack/fuel-plugin-influxdb-grafana/commit/?id=d1a7b16528affcf3dedffd5dd7cc4a39836d08ba
Submitter: Jenkins
Branch: master

commit d1a7b16528affcf3dedffd5dd7cc4a39836d08ba
Author: Guillaume Thouvenin <email address hidden>
Date: Tue Aug 9 13:33:40 2016 +0200

    Modify the check of the hostname in SSL certificate

    This patch modifies the check of the hostname within the SSL certificate
    to support certificate with wildcard.

    Change-Id: Ib4670f87cd2cc907bfd708692e93dd7cc3181f90
    Closes-Bug: #1608665

Changed in lma-toolchain:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-plugin-elasticsearch-kibana (master)

Reviewed: https://review.openstack.org/352861
Committed: https://git.openstack.org/cgit/openstack/fuel-plugin-elasticsearch-kibana/commit/?id=f4352e7767ea4c5b9e5efcd333d6dedb8ce33445
Submitter: Jenkins
Branch: master

commit f4352e7767ea4c5b9e5efcd333d6dedb8ce33445
Author: Guillaume Thouvenin <email address hidden>
Date: Tue Aug 9 13:29:10 2016 +0200

    Modify the check of the hostname in SSL certificate

    This patch modifies the check of the hostname within the SSL certificate
    to support certificate with wildcard.

    Change-Id: I7b4ef37e0b8e90c4767c3711e00a888b95495043
    Closes-Bug: #1608665

OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-plugin-lma-infrastructure-alerting (master)

Reviewed: https://review.openstack.org/352860
Committed: https://git.openstack.org/cgit/openstack/fuel-plugin-lma-infrastructure-alerting/commit/?id=c0cf72fccc7b03f4a0949f0885087182018455a6
Submitter: Jenkins
Branch: master

commit c0cf72fccc7b03f4a0949f0885087182018455a6
Author: Guillaume Thouvenin <email address hidden>
Date: Tue Aug 9 13:32:09 2016 +0200

    Modify the check of the hostname in SSL certificate

    This patch modifies the check of the hostname in the SSL certificate
    to support certificate with wildcard.

    Change-Id: Ib2da2fd4bcb103ca9bbe1a892afdb4cf01c59b05
    Closes-Bug: #1608665

OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-plugin-influxdb-grafana (stable/0.10)

Fix proposed to branch: stable/0.10
Review: https://review.openstack.org/356494

OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-plugin-elasticsearch-kibana (stable/0.10)

Fix proposed to branch: stable/0.10
Review: https://review.openstack.org/356495

OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-plugin-lma-infrastructure-alerting (stable/0.10)

Fix proposed to branch: stable/0.10
Review: https://review.openstack.org/356497

Changed in lma-toolchain:
milestone: none → 1.0.0
OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-plugin-influxdb-grafana (stable/0.10)

Reviewed: https://review.openstack.org/356494
Committed: https://git.openstack.org/cgit/openstack/fuel-plugin-influxdb-grafana/commit/?id=2c7d87cadeb16db6ce04eba1c9380d950c75ede6
Submitter: Jenkins
Branch: stable/0.10

commit 2c7d87cadeb16db6ce04eba1c9380d950c75ede6
Author: Guillaume Thouvenin <email address hidden>
Date: Tue Aug 9 13:33:40 2016 +0200

    Modify the check of the hostname in SSL certificate

    This patch modifies the check of the hostname within the SSL certificate
    to support certificate with wildcard.

    Change-Id: Ib4670f87cd2cc907bfd708692e93dd7cc3181f90
    Closes-Bug: #1608665
    (cherry picked from commit d1a7b16528affcf3dedffd5dd7cc4a39836d08ba)

OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-plugin-lma-infrastructure-alerting (stable/0.10)

Reviewed: https://review.openstack.org/356497
Committed: https://git.openstack.org/cgit/openstack/fuel-plugin-lma-infrastructure-alerting/commit/?id=2fc72150f9b9e379d652937694a7b9e84264a3c7
Submitter: Jenkins
Branch: stable/0.10

commit 2fc72150f9b9e379d652937694a7b9e84264a3c7
Author: Guillaume Thouvenin <email address hidden>
Date: Tue Aug 9 13:32:09 2016 +0200

    Modify the check of the hostname in SSL certificate

    This patch modifies the check of the hostname in the SSL certificate
    to support certificate with wildcard.

    Change-Id: Ib2da2fd4bcb103ca9bbe1a892afdb4cf01c59b05
    Closes-Bug: #1608665
    (cherry picked from commit c0cf72fccc7b03f4a0949f0885087182018455a6)

OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-plugin-elasticsearch-kibana (stable/0.10)

Reviewed: https://review.openstack.org/356495
Committed: https://git.openstack.org/cgit/openstack/fuel-plugin-elasticsearch-kibana/commit/?id=5228d9957aa45c6f68e094902b221689e56c64c2
Submitter: Jenkins
Branch: stable/0.10

commit 5228d9957aa45c6f68e094902b221689e56c64c2
Author: Guillaume Thouvenin <email address hidden>
Date: Tue Aug 9 13:29:10 2016 +0200

    Modify the check of the hostname in SSL certificate

    This patch modifies the check of the hostname within the SSL certificate
    to support certificate with wildcard.

    Change-Id: I7b4ef37e0b8e90c4767c3711e00a888b95495043
    Closes-Bug: #1608665
    (cherry picked from commit f4352e7767ea4c5b9e5efcd333d6dedb8ce33445)

Changed in lma-toolchain:
status: Fix Committed → Fix Released