self-signed certificate used after https is enabled requires a Subject Alt Name

Bug #1827229 reported by Allain Legacy
Affects: StarlingX
Status: Fix Released
Importance: High
Assigned to: Teresa Ho

Bug Description

Brief Description
-----------------
When the system is first configured to enable https, a self-signed certificate is installed temporarily, and then the public openstack endpoint URLs are updated to use HTTPS rather than HTTP. The self-signed certificate is valid only for CN=*.wrs.com and so a remote user must disable SSL/TLS verification in order to make subsequent HTTPS requests to that URL until it can install a proper certificate. Disabling verification defeats the purpose of having a certificate installed in the first place.

A typical error from this scenario is as such (from a Go HTTP client):

   "Post https://10.10.10.2:5000/v3/auth/tokens: x509: cannot validate certificate for 10.10.10.2 because it doesn't contain any IP SANs"

Another example, from wget:

[wrsroot@controller-0 ~(keystone_admin)]$ wget https://10.10.10.2:5000/v3/auth/tokens
--2019-05-01 14:54:35-- https://10.10.10.2:5000/v3/auth/tokens
Connecting to 10.10.10.2:5000... connected.
ERROR: cannot verify 10.10.10.2's certificate, issued by ‘/C=CA/ST=Ontario/L=Ottawa/O=Wind River Inc./OU=Carrier Grade Communications Server/CN=*.wrs.com’:
  Self-signed certificate encountered.
    ERROR: certificate common name ‘*.wrs.com’ doesn't match requested host name ‘10.10.10.2’.
To connect to 10.10.10.2 insecurely, use `--no-check-certificate'.

My opinion is that the self-signed certificate being used should set the CN to the OAM floating IP address, or include the OAM floating IP in the list of valid Subject Alt Names, or both.

Severity
--------
Critical, this prevents a remote API user from transitioning from HTTP to HTTPS, without disabling TLS/SSL verification.

Steps to Reproduce
------------------
From a remote CLI client,

1) cp /etc/platform/openrc to /home/wrsroot/openrc-public
2) modify openrc-public to change the URL from 192.168.204.2 to 10.10.10.2, and the endpoint/interface references from "internal" to "public"
3) source /home/wrsroot/openrc-public
4) enable https "system modify --https_enabled=true"
5) modify openrc-public to set the URL scheme to HTTPS
6) source /home/wrsroot/openrc-public
7) make any other system command access (i.e., system show)
8) observe an error similar to the ones listed in the description (see above)

Expected Behavior
------------------
The SSL/TLS verification should succeed.

Actual Behavior
----------------
The SSL/TLS verification fails because the certificate does not contain a proper CN or Subject Alt Name.

Reproducibility
---------------
100%

System Configuration
--------------------
Any

Branch/Pull Time/Commit
-----------------------
2019-04-24

Last Pass
---------
Unknown

Timestamp/Logs
--------------
See above

Test Activity
-------------
Developer Testing.

Frank Miller (sensfan22) wrote :

Marking stx.2.0 release gating as https functionality is a release requirement.

Changed in starlingx:
status: New → Triaged
importance: Undecided → High
assignee: nobody → Teresa Ho (teresaho)
tags: added: stx.2.0 stx.retestneeded
Ghada Khalil (gkhalil)
tags: added: stx.config
Teresa Ho (teresaho)
Changed in starlingx:
status: Triaged → In Progress
Allain Legacy (alegacy) wrote :

After further thought and analysis about this issue, we have decided that adding a SAN for the floating IP address in the temporary self-signed certificate adds no value. The preferred approach is to remove the FQDN from the CN so that the client does not attempt to validate against the server's source IP or FQDN at all. The end user can then safely add a custom certificate over the TLS encrypted channel created with the self-signed certificate.

Please regenerate the temporary self-signed certificate so that the Subject attributes are StarlingX specific rather than Wind River specific (e.g., C/ST/L/O/OU/CN), and set the CN=StarlingX.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to integ (master)

Fix proposed to branch: master
Review: https://review.opendev.org/668988

OpenStack Infra (hudson-openstack) wrote : Fix merged to integ (master)

Reviewed: https://review.opendev.org/668988
Committed: https://git.openstack.org/cgit/starlingx/integ/commit/?id=99b32ff37f7763d92b5a4427f0c07e2967e0b57a
Submitter: Zuul
Branch: master

commit 99b32ff37f7763d92b5a4427f0c07e2967e0b57a
Author: Teresa Ho <email address hidden>
Date: Wed Jul 3 15:15:42 2019 -0400

    Change self-signed certificate

    The self-signed certificate is currently generated with Wind River
    specific info. This commit is to set the common name to StarlingX.

    Closes-Bug: 1827229

    Change-Id: I01f73091e815a0e171b2228cafe5851f4ef49049
    Signed-off-by: Teresa Ho <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released
Ghada Khalil (gkhalil) wrote :

LP was fixed a long time ago; removing the stx.retestneeded tag

tags: removed: stx.retestneeded