haproxy fails with intermediate CA bundle

Bug #1604930 reported by Ed Byrne
Affects             Status   Importance  Assigned to     Milestone
Fuel for OpenStack  Invalid  Medium      Maksim Malchuk
  Mitaka            Invalid  Medium      Maksim Malchuk

Bug Description

I created a cert bundle containing cert, private key, and intermediate CA bundle and used this for my cert in fuel. Deploying fails because haproxy doesn't like the cert. If I strip the intermediate CA out, haproxy starts without errors. Of course, then neutron fails because the cert is invalid, so this is not a solution either.

Tags: area-library
no longer affects: mos
Changed in fuel:
status: New → Confirmed
importance: Undecided → Medium
assignee: nobody → Fuel Sustaining (fuel-sustaining-team)
milestone: none → 10.0
tags: added: area-library
Maksim Malchuk (mmalchuk) wrote :

Ed Byrne, could you please provide the Fuel version you use or at least show output of the command: haproxy -vv
AFAIK, haproxy compiled with USE_OPENSSL=1 should correctly handle concatenated ssl certs.

Changed in fuel:
assignee: Fuel Sustaining (fuel-sustaining-team) → Maksim Malchuk (mmalchuk)
status: Confirmed → Incomplete
Ed Byrne (ubuntu-peo) wrote :

This is MOS/Fuel 9.0

HA-Proxy version 1.5.3 2014/07/25
Copyright 2000-2014 Willy Tarreau <w@1wt.eu>

Build options :
  TARGET = linux2628
  CPU = generic
  CC = gcc
  CFLAGS = -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2
  OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.8
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.1f 6 Jan 2014
Running on OpenSSL version : OpenSSL 1.0.1f 6 Jan 2014
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.31 2012-07-06
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
      epoll : pref=300, test result OK
       poll : pref=200, test result OK
     select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

Maksim Malchuk (mmalchuk) wrote :

Ed Byrne, thanks for the update, I will check with my own cert bundle containing the intermediate CA.

Changed in fuel:
status: Incomplete → Triaged
Maksim Malchuk (mmalchuk) wrote :

Ed Byrne, everything works perfectly, cluster deployment is done without any errors.
Haproxy works well, SSL active and certificate valid:

root@ctrl1:~# cat /etc/haproxy/conf.d/017-horizon-ssl.cfg

listen horizon-ssl
  bind 172.16.0.3:443 ssl crt /var/lib/astute/haproxy/public_haproxy.pem no-sslv3 no-tls-tickets
  balance source
  mode http
  option forwardfor
  option httpchk
  option httpclose
  option httplog
  reqadd X-Forwarded-Proto:\ https
  stick on src
  stick-table type ip size 200k expire 30m
  timeout client 3h
  timeout server 3h
  server node-1 192.168.0.7:80 weight 1 check
  server node-5 192.168.0.6:80 weight 1 check
  server node-6 192.168.0.4:80 weight 1 check
root@ctrl1:~# grep ^-- /var/lib/astute/haproxy/public_haproxy.pem
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
root@ctrl1:~# openssl s_client -connect 172.16.0.3:443 | head
depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
CONNECTED(00000003)

Tested on both 9.0 GA and 10.0 custom from the master.
Tested with the StartCom Class 2 wildcard certificate.

Certificate for upload created by adding all needed in the chain:

# cat star.domain.com.pem sca.server2.crt ca-sha2.crt star.domain.com.key >star.domain.com.crt

Changed in fuel:
status: Triaged → Invalid
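A structural check of a concatenated bundle of the kind shown above (server cert, intermediates, private key), added here as an example and not code from this bug or from Fuel. The PEM bodies are constructed dummies; the checker deliberately recognises a marker only at the start of a line, as OpenSSL's PEM reader does, so a file concatenated without a trailing newline shows up as a missing block rather than silently passing.

```python
import re

# OpenSSL's PEM reader (hence haproxy's 'crt' loader) only recognises a marker
# that starts a line, so this regex requires the same.
PEM_BLOCK = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)^-----END \1-----",
                       re.DOTALL | re.MULTILINE)
# END marker with the next BEGIN glued onto the same line: what `cat` produces
# when a concatenated file had no trailing newline.
GLUED_MARKERS = re.compile(r"-----END [A-Z0-9 ]+----------BEGIN ")
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

def check_bundle(text: str) -> dict:
    """Structural check of a concatenated PEM bundle for haproxy's 'crt' option.
    Expected layout, as on this bug: server cert, intermediate(s), private key."""
    labels = [m.group(1) for m in PEM_BLOCK.finditer(text)]
    certs = [i for i, label in enumerate(labels) if label == "CERTIFICATE"]
    keys = [i for i, label in enumerate(labels) if label in KEY_LABELS]
    problems = []
    if GLUED_MARKERS.search(text):
        problems.append("END/BEGIN markers share a line: a concatenated file lacked its "
                        "trailing newline, so the block after it is invisible to OpenSSL")
    if not labels:
        problems.append("no PEM blocks found")
    elif labels[0] != "CERTIFICATE":
        problems.append(f"first block must be the server certificate, found {labels[0]}")
    if not certs:
        problems.append("no CERTIFICATE block")
    if not keys:
        problems.append("no private key block; haproxy 1.5 needs the key in the same file")
    elif len(keys) > 1:
        problems.append("more than one private key block")
    if certs and len(certs) < 2:
        problems.append("no intermediate certificate: clients may fail to build the chain")
    return {"certs": len(certs), "keys": len(keys), "labels": labels, "problems": problems}

def _block(label: str, body: str) -> str:
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed stand-ins for the real files; the base64 bodies are dummies.
LEAF = _block("CERTIFICATE", "MIIBleafleafleaf")
INTERMEDIATE = _block("CERTIFICATE", "MIIBintermediate")
ROOT = _block("CERTIFICATE", "MIIBrootrootroot")
KEY = _block("RSA PRIVATE KEY", "MIIEkeykeykeykey")
GOOD_BUNDLE = LEAF + INTERMEDIATE + ROOT + KEY  # the order `cat` produced on this bug
GLUED_BUNDLE = LEAF.rstrip("\n") + INTERMEDIATE + ROOT + KEY  # leaf file had no final newline

if __name__ == "__main__":
    for name, bundle in (("good", GOOD_BUNDLE), ("glued", GLUED_BUNDLE)):
        print(name, check_bundle(bundle))
```

Run it against the real bundle with `check_bundle(open("/var/lib/astute/haproxy/public_haproxy.pem").read())`; a good bundle returns an empty problem list.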