Openstack certificate fails to install if Platform certificate is installed in tpm_mode

Bug #1891913 reported by Chris Winnicki
This bug affects 1 person
Affects    | Status       | Importance | Assigned to | Milestone
StarlingX  | Fix Released | Medium     | Teresa Ho   |

Bug Description

Brief Description
-----------------
Openstack certificate fails to install if Platform certificate is installed in tpm_mode

Severity
--------
Provide the severity of the defect.
Minor: System/Feature is usable with a workaround

Steps to Reproduce
------------------
Write down the steps to reproduce the issue
1) Move the system to HTTPS
2) Install the platform cert in tpm_mode
3) Go through the procedure to install openstack ssl
3.1 attempt to install the openstack certificate
* Fails with:

[sysadmin@controller-0 ~(keystone_admin)]$ system certificate-install -m openstack server-with-key.pem
WARNING: For security reasons, the original certificate,
containing the private key, will be removed,
once the private key is processed.
Certificate server-with-key.pem not installed: No openstack certificates have been added, platform SSL certificate is not installed.

[sysadmin@controller-0 ~(keystone_admin)]$ system certificate-list
+--------------------------------------+----------+---------------------------+
| uuid                                 | certtype | expiry_date               |
+--------------------------------------+----------+---------------------------+
| 779ce724-e0a5-4d5d-afe8-d34b3a122201 | ssl_ca   | 2021-06-05T20:28:20+00:00 |
| ec2c3a43-72e6-4ccb-88b3-9cb633c9877d | tpm_mode | 2021-08-10T13:24:58+00:00 |

Expected Behavior
------------------
openstack certificate should install successfully

Actual Behavior
----------------
openstack certificate install is rejected due to:

Reproducibility
---------------
100% (3 of 3)

System Configuration
--------------------
DIO-DX IPv4

Branch/Pull Time/Commit
-----------------------
Wind River Lab: dell-r430-1-2

Load:
BUILD_DATE="2020-08-09 20:01:37 -0400"

Last Pass
---------
not known

Timestamp/Logs
--------------
2020-08-09_20-23-00

Test Activity
-------------
Security testing

Workaround
----------
1) Move the system to HTTPS
2) Install the platform cert into the filesystem (so no TPM)
3) Go through the procedure to install openstack ssl
4)* Reinstall the platform cert in tpm_mode

Ghada Khalil (gkhalil) wrote :

stx.5.0 / medium priority - appears to be a gap w/ tpm_mode, but likely not a common use-case

Changed in starlingx:
assignee: nobody → Teresa Ho (teresaho)
importance: Undecided → Medium
status: New → Triaged
tags: added: stx.5.0 stx.config stx.security

OpenStack Infra (hudson-openstack) wrote : Fix proposed to config (master)

Fix proposed to branch: master
Review: https://review.opendev.org/747257

Changed in starlingx:
status: Triaged → In Progress

OpenStack Infra (hudson-openstack) wrote : Fix merged to config (master)

Reviewed: https://review.opendev.org/747257
Committed: https://git.openstack.org/cgit/starlingx/config/commit/?id=6cb039171bfdc7331ebfd19f4d5e85350de1d71e
Submitter: Zuul
Branch: master

commit 6cb039171bfdc7331ebfd19f4d5e85350de1d71e
Author: Teresa Ho <email address hidden>
Date: Thu Aug 20 10:30:04 2020 -0400

    Added a check for platform certificate in TPM

    The platform certificate can be stored on the controller host or
    in a TPM device. This commit added a check to see if the certificate
    is stored in the TPM device.

    Closes-Bug: 1891913

    Change-Id: Ia05e7eb20b72d9ca2994fc8e2f6d07701d82b68b
    Signed-off-by: Teresa Ho <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released
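
The commit message above describes checking whether the platform certificate is stored in the TPM. As an added illustration (not StarlingX code and not the merged patch), the following Python parses the `system certificate-list` output from the report and evaluates the precondition for `-m openstack` twice: once counting only a filesystem certificate, once counting `tpm_mode` as well. The `ssl` certtype value and all function names are assumptions.

```python
# Added illustration; not StarlingX source code.
# Constructed sample: the `system certificate-list` output shown in the report.
SAMPLE = """\
+--------------------------------------+----------+---------------------------+
| uuid                                 | certtype | expiry_date               |
+--------------------------------------+----------+---------------------------+
| 779ce724-e0a5-4d5d-afe8-d34b3a122201 | ssl_ca   | 2021-06-05T20:28:20+00:00 |
| ec2c3a43-72e6-4ccb-88b3-9cb633c9877d | tpm_mode | 2021-08-10T13:24:58+00:00 |
"""

# Assumption: "ssl" is the certtype of a platform certificate kept on the
# controller filesystem; "tpm_mode" (seen in the report) is the TPM-backed one.
FILESYSTEM_TYPES = {"ssl"}
PLATFORM_TYPES = {"ssl", "tpm_mode"}


def parse_certificate_list(text):
    """Parse the ASCII table into a list of dicts keyed by column name."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # skip border lines and blanks
        rows.append([cell.strip() for cell in line.strip("|").split("|")])
    if not rows:
        return []
    header, body = rows[0], rows[1:]
    return [dict(zip(header, r)) for r in body if len(r) == len(header)]


def platform_cert_installed(certs, accepted=PLATFORM_TYPES):
    """True if any installed certificate has an accepted platform certtype."""
    return any(c.get("certtype") in accepted for c in certs)


def can_install_openstack_cert(certs, accepted=PLATFORM_TYPES):
    """Return (ok, reason) for the precondition on `-m openstack`."""
    if platform_cert_installed(certs, accepted):
        return True, "platform certificate present"
    return False, "platform SSL certificate is not installed"
```

Passing `FILESYSTEM_TYPES` as `accepted` reproduces the rejection from the report on the sample data; the default set accepts the TPM-backed certificate.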