DC: certificate warning returned when execute system command against subcloud on system controller

Bug #1886708 reported by Yang Liu
Affects: StarlingX
Status: Fix Released
Importance: Medium
Assigned to: Andy

Bug Description

Brief Description
-----------------
The following warning is returned when running a system command for a subcloud from the system controller.
The admin endpoint was used as the OS auth URL.

[sysadmin@controller-0 ~(keystone_admin)]$ system --os-auth-url https://[fd01:12::2]:5001/v3 --os-region-name subcloud1 host-list
/usr/lib/python2.7/site-packages/urllib3/connection.py:344: SubjectAltNameWarning: Certificate for fd01:12::2 has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)

As per Greg:
subcloud1-adminep-certificate does not have the SANs list

From Andy:
I think that's a bug with the cert. We didn't pay a lot of attention to RFC 2818, where it looks like subjectAltName is checked before CN.

   If a subjectAltName extension of type dNSName is present, that MUST
   be used as the identity. Otherwise, the (most specific) Common Name
   field in the Subject field of the certificate MUST be used. Although
   the use of the Common Name is existing practice, it is deprecated and
   Certification Authorities are encouraged to use the dNSName instead.
But I didn't see in it what should be checked first if the SAN is an ipAddress ... I assume the SAN should always be checked before the CN.

Severity
--------
Major

Steps to Reproduce
------------------
- Install and configure a DC system with subclouds
- On the DC system controller, run a system command for the subcloud region using the subcloud admin endpoint for authentication
e.g.,
system --os-auth-url https://[fd01:12::2]:5001/v3 --os-region-name subcloud1 host-list

Expected Behavior
------------------
- cmd runs successfully without any warning

Actual Behavior
----------------
- cmd was successful, but an additional certificate warning was displayed

Reproducibility
---------------
[Reproducible/Intermittent]

System Configuration
--------------------
Distributed Cloud

Branch/Pull Time/Commit
-----------------------
"2020-06-27_18-35-20"

Last Pass
---------
Unknown

Timestamp/Logs
--------------

[sysadmin@controller-0 ~(keystone_admin)]$ system --os-auth-url https://[fd01:12::2]:5001/v3 --os-region-name subcloud1 host-list; date
/usr/lib/python2.7/site-packages/urllib3/connection.py:344: SubjectAltNameWarning: Certificate for fd01:12::2 has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
  SubjectAltNameWarning
+----+--------------+-------------+----------------+-------------+--------------+
| id | hostname     | personality | administrative | operational | availability |
+----+--------------+-------------+----------------+-------------+--------------+
| 1  | controller-0 | controller  | unlocked       | enabled     | available    |
+----+--------------+-------------+----------------+-------------+--------------+
Tue Jul 7 19:15:38 UTC 2020

Test Activity
-------------
Normal use

Frank Miller (sensfan22)
Changed in starlingx:
status: New → Triaged
importance: Undecided → Medium
tags: added: stx.5.0 stx.distcloud
Changed in starlingx:
assignee: nobody → Andy (andy.wrs)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to ansible-playbooks (master)

Fix proposed to branch: master
Review: https://review.opendev.org/747971

Changed in starlingx:
status: Triaged → In Progress
Ghada Khalil (gkhalil) wrote :

Note: The issue here is a warning being displayed. The cmd is still successful.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to config (master)

Fix proposed to branch: master
Review: https://review.opendev.org/762536

OpenStack Infra (hudson-openstack) wrote : Fix merged to ansible-playbooks (master)

Reviewed: https://review.opendev.org/747971
Committed: https://git.openstack.org/cgit/starlingx/ansible-playbooks/commit/?id=d25523555268e31c3b2ae9b87b43aceaeac61675
Submitter: Zuul
Branch: master

commit d25523555268e31c3b2ae9b87b43aceaeac61675
Author: Andy Ning <email address hidden>
Date: Tue Aug 25 09:31:20 2020 -0400

    Add subjectAltName to admin endpoint certificate

    Currently admin endpoint certificate in DC system doesn't have
    subjectAltName. This will cause sysinv command like
    "system --os-auth-url <subcloud admin endpoint> --os-region-name
    <subcloud> host-list" to generate warning message, that the certificate
    has no "subjectAltName" and falling back to check "commonName".

    More information can be found in RFC 2818 regarding commonName and
    subjectAltName in certificate verification.

    Change-Id: I7c2d857e209bacfa2dea5d40cf4bcaaa648b1b04
    Closes-Bug: 1886708
    Signed-off-by: Andy Ning <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix merged to config (master)

Reviewed: https://review.opendev.org/762536
Committed: https://git.openstack.org/cgit/starlingx/config/commit/?id=0b723e81aac8ae68ef1bb604a14c05792d41f73e
Submitter: Zuul
Branch: master

commit 0b723e81aac8ae68ef1bb604a14c05792d41f73e
Author: Andy Ning <email address hidden>
Date: Fri Oct 30 17:22:46 2020 -0400

    Add SANs to admin endpoint certificate during upgrade

    Added an upgrade script to update the subcloud admin endpoint certificate
    with the mgmt IP as a subjectAltName.

    Change-Id: I58af3e97de2e8de10810fd47b8d1a0bfcfbd2269
    Closes-Bug: 1886708
    Signed-off-by: Andy Ning <email address hidden>
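The identity-check rule from RFC 2818 that the bug discussion turns on, and the effect of the fix (adding the management IP as an iPAddress SAN), as an added illustration that is not StarlingX or urllib3 code. It works on the dict shape Python's ssl.SSLSocket.getpeercert() returns; the two sample certificates are constructed from the report, not real admin endpoint certificates, and DNS matching is exact (no wildcards).

```python
import ipaddress
import warnings


def _as_ip(host):
    """Return an ip_address for an IP literal (brackets allowed), else None."""
    try:
        return ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return None


def _ip_equal(value, ip):
    """Compare by address, not text: OpenSSL may print 'FD01:12:0:0:0:0:0:2'."""
    try:
        return ipaddress.ip_address(value) == ip
    except ValueError:
        return False


def check_identity(cert, host):
    """Return (matched, used_cn_fallback) for a getpeercert()-style dict.

    RFC 2818 rule from the bug: if any subjectAltName is present it is the
    only identity consulted (DNS entries for hostnames, IP Address entries
    for IP literals). Only a certificate with no SAN at all falls back to
    the Subject commonName, which is the case urllib3 warns about.
    """
    ip = _as_ip(host)
    sans = cert.get("subjectAltName", ())
    if sans:
        for kind, value in sans:
            if ip is not None and kind == "IP Address" and _ip_equal(value, ip):
                return True, False
            if ip is None and kind == "DNS" and value.lower() == host.lower():
                return True, False
        return False, False  # SAN present but no match: CN is never consulted
    warnings.warn("Certificate for %s has no subjectAltName, "
                  "falling back to commonName" % host)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                if ip is not None:
                    return _ip_equal(value, ip), True
                return value.lower() == host.lower(), True
    return False, True


# Constructed samples modelled on the report (not real StarlingX certs):
# before the fix only a CN is present; after the fix the mgmt IP is a SAN.
CERT_BEFORE_FIX = {"subject": ((("commonName", "fd01:12::2"),),)}
CERT_AFTER_FIX = {"subject": ((("commonName", "fd01:12::2"),),),
                  "subjectAltName": (("IP Address", "fd01:12::2"),)}
```

A certificate that carries only a dNSName SAN fails for an IP-literal URL even when its CN equals the IP, which answers the question raised in the description about which field is consulted first.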
