Octavia renders the same SSL certificate for different OpenStack endpoints when using Vault as an intermediate CA
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Octavia Charm | Triaged | Medium | Unassigned | |
Bug Description
The certificates for the Octavia endpoints are the same for all endpoints (internal, public, admin), which is incorrect. It results in failed connections to certain endpoints, because the hostname in the CN does not match the hostname in the request.
STEPS TO REPRODUCE
1. Deploy OpenStack with Octavia and Vault as an intermediate CA. Create relation "octavia:
2. Set up different hostnames for octavia endpoints, e.g.:
octavia:
options:
os-
os-
os-
3. Verify that the certificates for different Octavia endpoints point to the same file.
sudo cat /etc/apache2/
Listen 9866
<VirtualHost 10.127.1.108:9866>
ServerName octavia-
SSLEngine on
SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
SSLCipherSuite HIGH:!RC4:
SSLCertific
SSLCertific
ProxyPass / http://
ProxyPassRe
ProxyPreser
RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
<VirtualHost 10.127.12.92:9866>
ServerName octavia.example.com
SSLEngine on
SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
SSLCipherSuite HIGH:!RC4:
SSLCertific
SSLCertific
ProxyPass / http://
ProxyPassRe
ProxyPreser
RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
<Location />
Order allow,deny
Allow from all
</Location>
sudo ls -l /etc/apache2/
total 24
-rw-r----- 1 root octavia 1532 Mar 2 08:01 cert_eth2.
lrwxrwxrwx 1 root root 74 Mar 2 06:57 cert_octavia-
lrwxrwxrwx 1 root root 74 Mar 2 06:57 cert_octavia.
-rw-r----- 1 root octavia 1678 Mar 2 08:01 key_eth2.
lrwxrwxrwx 1 root root 73 Mar 2 06:57 key_octavia-
lrwxrwxrwx 1 root root 73 Mar 2 06:57 key_octavia.
4. Verify that the CN in the certificate is missing octavia-
sudo openssl x509 -in /etc/apache2/
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
Signature Algorithm: sha256WithRSAEn
Issuer: CN = Vault Root Certificate Authority (charm-pki-local)
Validity
Not Before: Mar 2 06:56:35 2020 GMT
Not After : Mar 2 05:57:04 2021 GMT
Subject: CN = octavia.example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
X509v3 extensions:
X509v3 Key Usage: critical
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Subject Key Identifier:
X509v3 Authority Key Identifier:
CA Issuers - URI:http://
X509v3 Subject Alternative Name:
X509v3 CRL Distribution Points:
Signature Algorithm: sha256WithRSAEn
5. Trigger a failure due to the incorrect certificate. Go to "Network Topology" in the OpenStack Dashboard.
The "Network Topology" dashboard fails to load, and in the neutron log you can see the following error message:
requests.
WORKAROUND
Configure all Octavia endpoints to point to the same domain, e.g. octavia.
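The defect above is a hostname-verification failure: a client connecting to an endpoint checks that the certificate's Subject Alternative Names (or, only when no SAN dNSName is present, the CN) cover the hostname it dialled. The following added script is not part of the Octavia charm or of this bug report; it is an example of the check an operator would run over the Apache configuration before reporting the bug. It parses the SSL VirtualHost blocks, resolves the certificate symlinks, flags endpoints that share one certificate file, and flags endpoints whose ServerName is not covered by that certificate. The Apache snippet, the symlink map and the certificate name sets are constructed here; the CN and SAN values for octavia.example.com mirror the openssl and relation-get output shown above, while the internal endpoint name octavia-internal.example.com and the shared file name cert_shared.pem are assumptions.

```python
"""Audit Apache SSL VirtualHosts: does each endpoint get its own certificate,
and does that certificate actually cover the endpoint's ServerName?

Added example, not part of the Octavia charm.  All input data below is
constructed; hostnames other than octavia.example.com are assumptions.
"""
import ipaddress
import re

# Constructed Apache config modelled on the /etc/apache2 snippet in the bug.
APACHE_CONF = """
Listen 9866
<VirtualHost 10.127.1.108:9866>
    ServerName octavia-internal.example.com
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/octavia/cert_octavia-internal.example.com
    SSLCertificateKeyFile /etc/apache2/ssl/octavia/key_octavia-internal.example.com
</VirtualHost>
<VirtualHost 10.127.12.92:9866>
    ServerName octavia.example.com
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/octavia/cert_octavia.example.com
    SSLCertificateKeyFile /etc/apache2/ssl/octavia/key_octavia.example.com
</VirtualHost>
"""

# Constructed symlink map: as in the bug, both cert_* links resolve to one file.
SHARED_CERT = "/etc/apache2/ssl/octavia/cert_shared.pem"  # assumed target name
SYMLINKS = {
    "/etc/apache2/ssl/octavia/cert_octavia-internal.example.com": SHARED_CERT,
    "/etc/apache2/ssl/octavia/cert_octavia.example.com": SHARED_CERT,
}

# Constructed view of `openssl x509 -text` for the shared file: the Subject CN
# and SAN entries match the octavia.example.com certificate shown in the bug.
CERT_NAMES = {
    SHARED_CERT: {"cn": "octavia.example.com",
                  "dns": ["octavia.example.com"],
                  "ip": ["10.127.12.42", "10.127.12.92"]},
}

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S)


def parse_vhosts(conf):
    """Return one dict per <VirtualHost> with its address, ServerName and cert."""
    vhosts = []
    for m in VHOST_RE.finditer(conf):
        body = m.group(2)

        def directive(name, body=body):
            d = re.search(r"^\s*%s\s+(\S+)" % name, body, re.M)
            return d.group(1) if d else None

        vhosts.append({"address": m.group(1).strip(),
                       "server_name": directive("ServerName"),
                       "cert_file": directive("SSLCertificateFile")})
    return vhosts


def _dns_match(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive, a wildcard is only
    accepted as the whole leftmost label and never spans a dot."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    first, _, rest = hostname.partition(".")
    return bool(first) and rest == pattern[2:]


def cert_matches_host(names, host):
    """True if the certificate's names cover `host`.  IP literals are checked
    against SAN iPAddress entries; the CN is consulted only when the
    certificate carries no SAN dNSName at all, as verifiers do."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(i) == ip for i in names.get("ip", []))
    if names.get("dns"):
        return any(_dns_match(p, host) for p in names["dns"])
    return _dns_match(names.get("cn", ""), host)


def audit(conf, symlinks, cert_names):
    """Return (server_name, problem) findings for the given configuration."""
    findings = []
    resolved = {v["server_name"]: symlinks.get(v["cert_file"], v["cert_file"])
                for v in parse_vhosts(conf)}
    # Finding 1: several endpoints are served from the same certificate file.
    by_target = {}
    for name, target in resolved.items():
        by_target.setdefault(target, []).append(name)
    for target, names in by_target.items():
        if len(names) > 1:
            for n in names:
                others = ", ".join(x for x in names if x != n)
                findings.append((n, "shares certificate %s with %s" % (target, others)))
    # Finding 2: the certificate does not cover the endpoint's ServerName.
    for name, target in resolved.items():
        cert = cert_names.get(target)
        if cert is None:
            findings.append((name, "no certificate data for %s" % target))
        elif not cert_matches_host(cert, name):
            findings.append((name, "hostname not covered by certificate %s" % target))
    return findings


if __name__ == "__main__":
    for host, problem in audit(APACHE_CONF, SYMLINKS, CERT_NAMES):
        print("%s: %s" % (host, problem))
```

With the constructed input the audit reports both endpoints as sharing cert_shared.pem and reports octavia-internal.example.com as not covered, which is exactly the mismatch that makes the neutron client reject the connection; octavia.example.com itself passes the hostname check, which is why the workaround of pointing every endpoint at that one name hides the problem. Note that a certificate whose CN is the internal name but whose SAN lists only octavia.example.com would still fail, since the CN is ignored once any SAN dNSName is present.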
Changed in charm-octavia:
importance: Undecided → Medium
status: New → Triaged
juju run --unit octavia/0 'relation-ids certificates'
certificates:304
juju run --unit octavia/0 'relation-list -r certificates:304'
vault/0
vault/1
vault/2
juju run --unit octavia/0 'relation-get -r certificates:304 - octavia/0'
juju-439b02- 25-lxd- 7.example. com": {"sans": ["10.127.2.213"]}, example. com": {"sans": ["10.127.12.42", "10.127.12.92", "octavia. example. com"]}} ' 7754-49b8- ad6d-6e71823c51 93 internal. example. com internal. example. com"]'
cert_requests: '{"eth2.
"octavia.
certificate_name: fe75e775-
common_name: octavia-
egress-subnets: 10.127.2.213/32
ingress-address: 10.127.2.213
private-address: 10.127.2.213
sans: '["10.127.1.108", "10.127.1.42", "octavia-
unit_name: octavia_0