https self-signed certificate expires prior to a year from system install

Bug #1944438 reported by Andy
This bug affects 1 person
Affects: StarlingX
Status: Fix Released
Importance: Low
Assigned to: Andy
Milestone:

Bug Description

Brief Description
-----------------
The https self-signed certificate that comes with the installation has a one-year validity period, but on some systems it expired before the system is one year old.

This is because the self-signed certificate is generated at build time and embedded in the ISO.

Severity
--------
Minor

Steps to Reproduce
------------------
- Install a system (any configuration)
- Check the "Not After" Validity of the /etc/ssl/private/self-signed-server-cert.pem

Expected Behavior
------------------
The self-signed certificate's "Not After" is at least one year from the installation time.

Actual Behavior
----------------
The self-signed certificate's "Not After" is less than one year from the installation time.

Reproducibility
---------------
100%

System Configuration
--------------------
Any

Branch/Pull Time/Commit
-----------------------
stx master latest

Last Pass
---------
New test scenario.

Timestamp/Logs
--------------
controller-0:/home/sysadmin# openssl x509 -in /etc/ssl/private/self-signed-server-cert.pem -text -noout
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            d9:86:4b:79:11:33:ef:51
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=StarlingX
        Validity
            Not Before: Jun 9 23:39:53 2021 GMT
            Not After : Jun 9 23:39:53 2022 GMT
        Subject: CN=StarlingX

Then use "rpm -qi setup" to find the installation time.
controller-0:/home/sysadmin# rpm -qi setup
Name : setup
Version : 2.8.71
Release : 10.el7.tis.11
Architecture: noarch
Install Date: Fri 17 Sep 2021 10:39:59 PM UTC

Test Activity
-------------
Developer test

Workaround
----------
Install new ssl certificate.
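
An added example (not part of the original report or of StarlingX code): it parses the `openssl x509 -text` and `rpm -qi setup` output shown in the report and computes how much certificate validity was left at install time. It assumes both timestamps are printed in GMT/UTC as in the report and treats "one year" as 365 days; all function names are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

# Output copied from the report above, trimmed to the relevant lines.
OPENSSL_TEXT = """\
            Not Before: Jun 9 23:39:53 2021 GMT
            Not After : Jun 9 23:39:53 2022 GMT
"""
RPM_TEXT = "Install Date: Fri 17 Sep 2021 10:39:59 PM UTC"
REQUIRED = timedelta(days=365)  # assumption: "one year" means 365 days


def _field(text, label, zone):
    """Return the value after 'label :' up to and including the zone name."""
    match = re.search(rf"{label}\s*:\s*(.+?{zone})", text)
    if match is None:
        raise ValueError(f"{label!r} not found in input")
    return match.group(1)


def _parse(raw, fmt):
    # Assumption: both tools print UTC here, so attach the zone explicitly.
    return datetime.strptime(raw, fmt).replace(tzinfo=timezone.utc)


def cert_validity(openssl_text):
    """(not_before, not_after) from `openssl x509 -text` output."""
    fmt = "%b %d %H:%M:%S %Y GMT"
    return tuple(_parse(_field(openssl_text, label, "GMT"), fmt)
                 for label in ("Not Before", "Not After"))


def install_time(rpm_text):
    """Install timestamp from `rpm -qi setup` output."""
    return _parse(_field(rpm_text, "Install Date", "UTC"),
                  "%a %d %b %Y %I:%M:%S %p UTC")


def check(openssl_text, rpm_text, required=REQUIRED):
    not_before, not_after = cert_validity(openssl_text)
    installed = install_time(rpm_text)
    remaining = not_after - installed
    return {"consumed_before_install": installed - not_before,
            "remaining_at_install": remaining,
            "meets_expected": remaining >= required}


if __name__ == "__main__":
    print(check(OPENSSL_TEXT, RPM_TEXT))
```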

Andy (andy.wrs)
Changed in starlingx:
assignee: nobody → Andy (andy.wrs)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to config (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/config/+/810263

Changed in starlingx:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to utilities (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/utilities/+/810266

OpenStack Infra (hudson-openstack) wrote : Fix merged to config (master)

Reviewed: https://review.opendev.org/c/starlingx/config/+/810263
Committed: https://opendev.org/starlingx/config/commit/8a95a6b171053e7a569076d00fc945d8358e6eab
Submitter: "Zuul (22348)"
Branch: master

commit 8a95a6b171053e7a569076d00fc945d8358e6eab
Author: Andy Ning <email address hidden>
Date: Tue Sep 21 10:26:14 2021 -0400

    Generate self-signed certificate when https is enabled

    Currently the self-signed certificate used as the REST API/GUI
    server certificate for the first time HTTPS is enabled is generated
    at build time and embedded in the ISO. This will make it expire less
    than a year from the date the system is installed.

    This change removed the certificate generation at build time, instead
    generate it at the first time HTTPS is enabled.

    Closes-Bug: 1944438
    Signed-off-by: Andy Ning <email address hidden>
    Change-Id: Ife274cb1b61a76827e27678760e2c90bfdec90ab

Changed in starlingx:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix merged to utilities (master)

Reviewed: https://review.opendev.org/c/starlingx/utilities/+/810266
Committed: https://opendev.org/starlingx/utilities/commit/32b8dfda6f0007da6643dac5611a27550477d4ab
Submitter: "Zuul (22348)"
Branch: master

commit 32b8dfda6f0007da6643dac5611a27550477d4ab
Author: Andy Ning <email address hidden>
Date: Tue Sep 21 10:33:41 2021 -0400

    Generate self-signed certificate when https is enabled

    Currently the self-signed certificate used as the REST API/GUI
    server certificate for the first time HTTPS is enabled is generated
    at build time and embedded in the ISO. This will make it expire less
    than a year from the date the system is installed.

    This change removed the certificate generation at build time, instead
    generate it at the first time HTTPS is enabled.

    Closes-Bug: 1944438
    Depends-On: https://review.opendev.org/c/starlingx/config/+/810263
    Signed-off-by: Andy Ning <email address hidden>
    Change-Id: I7835534c11df3b03ea8e6f6ea7e88878386bcc12

Ghada Khalil (gkhalil)
Changed in starlingx:
importance: Undecided → Low
tags: added: stx.6.0 stx.config stx.security