Certmonger certificate does not include EKUs

Bug #1668775 reported by Dan Trainor
Affects: tripleo
Status: Fix Released
Importance: High
Assigned to: Dan Trainor

Bug Description

The SSL certificate requested by tripleo and provided by certmonger does not include two additional EKUs, or Extended Key Usage attributes, required by Firefox's strict reliance[0] on RFC5280 (Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile)[1] when using a self-signed certificate. Other browsers such as Chrome, and most SSL clients, do not have such strict reliance. Without these added EKUs, Firefox will always generate a 'SEC_ERROR_EXTENSION_VALUE_INVALID' error. This happens even before a prompt to accept a certificate of an unknown issuer, so there's no way to just add an exception like we're used to for self-signed certificates.

When the certificate is generated, a default request will generate a certificate with no additional EKUs. The result is a certificate being created without explicitly specifying two additional EKUs that are required by Firefox: id-kp-serverAuth and id-kp-clientAuth.

At the moment there is no supported option to add EKUs at certificate request time in the earsdown/puppet-certmonger Puppet module; however, the addition of EKUs is a good candidate for the postsave_cmd used for other certificate preparation that we currently use. A GitHub issue[2] was created to see if adding a parameter to the earsdown/puppet-certmonger module to add EKUs upon creation can be a more appropriate long-term solution.

Add the required EKUs by modifying instack-haproxy-cert-update to refresh the certificate immediately after creation, to add these EKUs.

---

[0] https://wiki.mozilla.org/SecurityEngineering/x509Certs
[1] https://www.ietf.org/rfc/rfc5280.txt
[2] https://github.com/earsdown/puppet-certmonger/issues/16
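An added check for the condition this report describes (example code, not from the bug report or from instack-undercloud): it uses only the openssl CLI to confirm that a PEM certificate carries both id-kp-serverAuth and id-kp-clientAuth, and builds two constructed self-signed certificates, one without EKUs (the state the bug describes) and one with them, to show the verdict on each. It assumes OpenSSL 1.1.1 or newer, which is when `-addext` appeared; the CN and file names are made up.

```shell
#!/bin/sh
# Added example, not part of the bug report or of instack-undercloud.
# Checks that a PEM certificate lists the two EKUs Firefox insists on:
# id-kp-serverAuth ("TLS Web Server Authentication" in openssl's text dump)
# and id-kp-clientAuth ("TLS Web Client Authentication").
set -e

# Return 0 if the certificate in $1 lists both EKUs, 1 otherwise.
check_ekus() {
    text=$(openssl x509 -in "$1" -noout -text)
    case "$text" in
        *"TLS Web Server Authentication"*) ;;
        *) echo "$1: missing id-kp-serverAuth" >&2; return 1 ;;
    esac
    case "$text" in
        *"TLS Web Client Authentication"*) ;;
        *) echo "$1: missing id-kp-clientAuth" >&2; return 1 ;;
    esac
    echo "$1: serverAuth and clientAuth present"
}

# Constructed sample data: one key and two self-signed certificates in a
# temp directory. no-eku.pem is what a default request yields (the bug);
# eku.pem carries the two EKUs the fix adds. Prints the directory path.
make_certs() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/key.pem" \
        -out "$dir/no-eku.pem" -subj "/CN=undercloud.example" -days 1 \
        >/dev/null 2>&1
    openssl req -x509 -key "$dir/key.pem" -out "$dir/eku.pem" \
        -subj "/CN=undercloud.example" -days 1 \
        -addext "extendedKeyUsage = serverAuth, clientAuth" >/dev/null 2>&1
    echo "$dir"
}
```

Pointing `check_ekus` at the certificate haproxy serves gives the same pass/fail verdict on a deployed undercloud.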

Dan Trainor (dtrainor)
Changed in tripleo:
assignee: nobody → Dan Trainor (dtrainor)
Dan Trainor (dtrainor)
description: updated
Julie Pichon (jpichon)
Changed in tripleo:
status: New → Triaged
importance: Undecided → High
milestone: none → pike-1
tags: added: ocata-backport-potential
Changed in tripleo:
milestone: pike-1 → ocata-rc2
Changed in tripleo:
milestone: ocata-rc2 → pike-1
OpenStack Infra (hudson-openstack) wrote : Fix proposed to instack-undercloud (master)

Fix proposed to branch: master
Review: https://review.openstack.org/439746

Changed in tripleo:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to instack-undercloud (master)

Reviewed: https://review.openstack.org/439746
Committed: https://git.openstack.org/cgit/openstack/instack-undercloud/commit/?id=48b293dde6b37f944d00595126e1f5bb0a1c5358
Submitter: Jenkins
Branch: master

commit 48b293dde6b37f944d00595126e1f5bb0a1c5358
Author: Dan Trainor <email address hidden>
Date: Wed Mar 1 11:02:32 2017 -0500

    Add certificate EKUs to public endpoint cert

    Add EKUs, or Extended Key Usage parameters, of id-kp-clientAuth and
    id-kp-serverAuth to the certificate that certmonger generates, which is
    used by haproxy to proxy public-facing hosts. This is necessary due to
    the criteria by which Firefox and related browsers validate which
    required extensions are acceptable when interpreting a certificate.

    Change-Id: Ideec7d23769e68ae1b738c0118ec061b195e3bd7
    Closes-Bug: 1668775

Changed in tripleo:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to instack-undercloud (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/441478

OpenStack Infra (hudson-openstack) wrote : Fix merged to instack-undercloud (stable/ocata)

Reviewed: https://review.openstack.org/441478
Committed: https://git.openstack.org/cgit/openstack/instack-undercloud/commit/?id=dd5c68326895f67ee98f26de87849407e5bd868c
Submitter: Jenkins
Branch: stable/ocata

commit dd5c68326895f67ee98f26de87849407e5bd868c
Author: Dan Trainor <email address hidden>
Date: Wed Mar 1 11:02:32 2017 -0500

    Add certificate EKUs to public endpoint cert

    Add EKUs, or Extended Key Usage parameters, of id-kp-clientAuth and
    id-kp-serverAuth to the certificate that certmonger generates, which is
    used by haproxy to proxy public-facing hosts. This is necessary due to
    the criteria by which Firefox and related browsers validate which
    required extensions are acceptable when interpreting a certificate.

    Change-Id: Ideec7d23769e68ae1b738c0118ec061b195e3bd7
    Closes-Bug: 1668775
    (cherry picked from commit 48b293dde6b37f944d00595126e1f5bb0a1c5358)

tags: added: in-stable-ocata
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/instack-undercloud 7.0.0.0b1

This issue was fixed in the openstack/instack-undercloud 7.0.0.0b1 development milestone.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/instack-undercloud 6.1.0

This issue was fixed in the openstack/instack-undercloud 6.1.0 release.
