TLS everywhere: CRL retrieval fails when FreeIPA is replicated

Bug #1787878 reported by Juan Antonio Osorio Robles
Affects: tripleo
Status: Fix Released
Importance: High
Assigned to: Juan Antonio Osorio Robles
Milestone: stein-1

Bug Description

Fetching the CRL when there's only one FreeIPA instance works; however, when there's a replicated FreeIPA instance, the CRL URL issues a redirect towards the master FreeIPA instance. This new URL, given by the redirect, is the actual URL used by dogtag, which contains some query parameters. Accessing that URL the way puppet does it returns the following error:

    Problem Processing your request

    The Certificate Manager encountered a problem while processing your request. the following is a detailed message of the error that occurred.
              you must select an option from the form.
    please consult your local administrator for futher assistant . the Certificate System log may provide further information.

This is because puppet doesn't handle query parameters correctly (or at all), within the "file" resource (which is what we use to fetch the CRL).

Changed in tripleo:
milestone: none → stein-1
importance: Undecided → High
status: New → Triaged
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (master)

Fix proposed to branch: master
Review: https://review.openstack.org/593491

Changed in tripleo:
assignee: nobody → Juan Antonio Osorio Robles (juan-osorio-robles)
status: Triaged → In Progress
Changed in tripleo:
assignee: Juan Antonio Osorio Robles (juan-osorio-robles) → Cédric Jeanneret (cjeanner)
Changed in tripleo:
assignee: Cédric Jeanneret (cjeanner) → Juan Antonio Osorio Robles (juan-osorio-robles)
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (master)

Reviewed: https://review.openstack.org/593491
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=5d60472d78de5ff531bbf6cace272a939dafb489
Submitter: Zuul
Branch: master

commit 5d60472d78de5ff531bbf6cace272a939dafb489
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Mon Aug 20 08:36:33 2018 +0300

    Use exec for CA CRL instead of file resource

    This is because the file resource doesn't properly handle query
    parameters in URLs. So we are forced to use an exec resource here. It's
    fine if we always trigger the CRL downloading, as that's a file that
    gets updated often.

    Also ensure we get proper escaped source/destination for the download.

    Co-Authored-By: Cédric Jeanneret <email address hidden>
    Change-Id: I15ad3ab0cd129a8e1b9261341c0510265bda8016
    Closes-Bug: #1787878

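To make the failure mode in the description and the reasoning in the commit message concrete, here is an added example (not the reporter's code and not puppet-tripleo's) that stands up a local HTTP stand-in for a replica whose CRL URL redirects to the master's dogtag servlet. It shows the fetch that drops the query string (the behaviour the description attributes to puppet's file resource) landing on the "you must select an option from the form" error, the fetch that keeps the query string returning the CRL, and the shell-quoted curl command an exec-style fetch needs, since an unquoted '&' in the query string would otherwise be interpreted by the shell. The paths, query parameter names, CRL bytes, error text and HTTP status codes are constructed assumptions.

```python
"""Added example for bug #1787878: a local stand-in for a replicated FreeIPA
whose CRL URL redirects to the master's dogtag servlet, plus the two fetch
patterns.  Constructed for illustration; paths, query parameter names, CRL
bytes, error text and status codes are assumptions, not FreeIPA's real
endpoints or puppet-tripleo's code."""
import shlex
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-ins for what the master returns.
FAKE_CRL = b"-----BEGIN X509 CRL-----\nMIIB-constructed-not-a-real-crl\n-----END X509 CRL-----\n"
ERROR_PAGE = b"Problem Processing your request\nyou must select an option from the form.\n"
# Assumed paths: the replica's public CRL path and the master's servlet.
REPLICA_PATH = "/ipa/crl/MasterCRL.bin"
MASTER_PATH = "/ca/ee/ca/getCRL"
MASTER_QUERY = "op=getCRL&crlIssuingPoint=MasterCRL"


class FakeDogtag(BaseHTTPRequestHandler):
    """Replica path answers with a redirect; the master path needs the query."""

    def do_GET(self):
        parsed = urllib.parse.urlsplit(self.path)
        if parsed.path == REPLICA_PATH:
            self.send_response(302)
            self.send_header("Location",
                             f"http://{self.headers['Host']}{MASTER_PATH}?{MASTER_QUERY}")
            self.end_headers()
        elif parsed.path == MASTER_PATH:
            params = urllib.parse.parse_qs(parsed.query)
            if params.get("op") == ["getCRL"]:
                self._reply(200, "application/pkix-crl", FAKE_CRL)
            else:
                # No query string: the servlet sees an unfilled form (status assumed).
                self._reply(200, "text/html", ERROR_PAGE)
        else:
            self._reply(404, "text/plain", b"not found\n")

    def _reply(self, code, ctype, body):
        self.send_response(code)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so the Location header can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def resolve_redirect(url):
    """Return the absolute URL the replica redirects to (or url if it does not)."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url) as resp:
            return resp.geturl()
    except urllib.error.HTTPError as err:
        if err.code in (301, 302, 303, 307, 308) and "Location" in err.headers:
            return urllib.parse.urljoin(url, err.headers["Location"])
        raise


def fetch_dropping_query(url):
    """Failing pattern: follow the redirect but request only scheme+host+path,
    which is how the bug describes puppet's file resource behaving."""
    t = urllib.parse.urlsplit(resolve_redirect(url))
    path_only = urllib.parse.urlunsplit((t.scheme, t.netloc, t.path, "", ""))
    with urllib.request.urlopen(path_only) as resp:
        return resp.read()


def fetch_crl(url):
    """Working pattern: follow redirects and keep the query string intact."""
    with urllib.request.urlopen(url) as resp:
        return resp.read()


def build_exec_command(url, dest):
    """Command an exec-style fetch would run.  Quoting is not optional: an
    unquoted '&' in the query string would background curl in the shell."""
    return f"curl -sSfL -o {shlex.quote(dest)} {shlex.quote(url)}"


def demo():
    """Run both fetch patterns against the stand-in and return what they got."""
    server = HTTPServer(("127.0.0.1", 0), FakeDogtag)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_address[1]}{REPLICA_PATH}"
    try:
        target = resolve_redirect(url)
        return {"redirect": target,
                "dropping_query": fetch_dropping_query(url),
                "keeping_query": fetch_crl(url),
                "command": build_exec_command(target, "/var/tmp/ipa.crl")}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Running the script prints the redirect target, the error page the query-less fetch receives, the CRL bytes the query-preserving fetch receives, and the quoted curl command. The quoting step is the part an exec resource has to get right: the destination path and the URL are both passed through shlex.quote, so a '&' or a space in either cannot change how the shell parses the command.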
Changed in tripleo:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/595509

OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/595510

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo 9.3.0

This issue was fixed in the openstack/puppet-tripleo 9.3.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (stable/queens)

Reviewed: https://review.openstack.org/595509
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=ed08695781b8b88f6c010a524cb52293fc06f27e
Submitter: Zuul
Branch: stable/queens

commit ed08695781b8b88f6c010a524cb52293fc06f27e
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Mon Aug 20 08:36:33 2018 +0300

    Use exec for CA CRL instead of file resource

    This is because the file resource doesn't properly handle query
    parameters in URLs. So we are forced to use an exec resource here. It's
    fine if we always trigger the CRL downloading, as that's a file that
    gets updated often.

    Also ensure we get proper escaped source/destination for the download.

    Co-Authored-By: Cédric Jeanneret <email address hidden>
    Change-Id: I15ad3ab0cd129a8e1b9261341c0510265bda8016
    Closes-Bug: #1787878
    (cherry picked from commit 5d60472d78de5ff531bbf6cace272a939dafb489)

tags: added: in-stable-queens
tags: added: in-stable-pike
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (stable/pike)

Reviewed: https://review.openstack.org/595510
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=70307b0db0509f2fc5e25fec5d0f3497a0c3ed4d
Submitter: Zuul
Branch: stable/pike

commit 70307b0db0509f2fc5e25fec5d0f3497a0c3ed4d
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Mon Aug 20 08:36:33 2018 +0300

    Use exec for CA CRL instead of file resource

    This is because the file resource doesn't properly handle query
    parameters in URLs. So we are forced to use an exec resource here. It's
    fine if we always trigger the CRL downloading, as that's a file that
    gets updated often.

    Also ensure we get proper escaped source/destination for the download.

    Co-Authored-By: Cédric Jeanneret <email address hidden>
    Change-Id: I15ad3ab0cd129a8e1b9261341c0510265bda8016
    Closes-Bug: #1787878
    (cherry picked from commit 5d60472d78de5ff531bbf6cace272a939dafb489)

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo 7.4.16

This issue was fixed in the openstack/puppet-tripleo 7.4.16 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo 8.3.6

This issue was fixed in the openstack/puppet-tripleo 8.3.6 release.
