Error when installing same certificate first as openstack_ca and then as ssl_ca

Bug #1993731 reported by Marcelo de Castro Loebens
This bug affects 1 person
Affects: StarlingX
Status: Fix Released
Importance: Low
Assigned to: Marcelo de Castro Loebens

Bug Description

Brief Description
-----------------
A warning is shown when the same certificate is installed first as openstack_ca and then as ssl_ca.

Severity
--------
Minor

Steps to Reproduce
------------------
[sysadmin@controller-0 ~(keystone_admin)]$ system certificate-install -m openstack_ca cert.pem
+-------------+---------------------------------------------------------------+
| Property    | Value                                                         |
+-------------+---------------------------------------------------------------+
| uuid        | f4dea97b-c1d5-4d7e-9d53-5a483551202b                          |
| certtype    | openstack_ca                                                  |
| signature   | openstack_ca_290921649885578410804546618028676901342865361490 |
| start_date  | 2022-10-19 09:52:17+00:00                                     |
| expiry_date | 2023-10-19 09:52:17+00:00                                     |
| subject     | CN=internal.daitan.com,OU=Org,O=Daitan,L=Campinas,ST=SP,C=BR  |
+-------------+---------------------------------------------------------------+
[sysadmin@controller-0 ~(keystone_admin)]$ system certificate-install -m ssl_ca cert.pem
WARNING: Some certificates were not installed.
Cannot install certificate with same subject
Please uninstall the following CA certs that have the same subject first
UUID : f4dea97b-c1d5-4d7e-9d53-5a483551202b

Expected Behavior
------------------
[sysadmin@controller-0 ~(keystone_admin)]$ system certificate-install -m openstack_ca cert.pem
+-------------+---------------------------------------------------------------+
| Property    | Value                                                         |
+-------------+---------------------------------------------------------------+
| uuid        | f4dea97b-c1d5-4d7e-9d53-5a483551202b                          |
| certtype    | openstack_ca                                                  |
| signature   | openstack_ca_290921649885578410804546618028676901342865361490 |
| start_date  | 2022-10-19 09:52:17+00:00                                     |
| expiry_date | 2023-10-19 09:52:17+00:00                                     |
| subject     | CN=internal.daitan.com,OU=Org,O=Daitan,L=Campinas,ST=SP,C=BR  |
+-------------+---------------------------------------------------------------+

[sysadmin@controller-0 ~(keystone_admin)]$ system certificate-install -m ssl_ca cert.pem
+-------------+---------------------------------------------------------------+
| Property    | Value                                                         |
+-------------+---------------------------------------------------------------+
| uuid        | xxxxxxxxxxxxxxxxxxxxxxxxxxxxx_new_uuid                        |
| certtype    | ssl_ca                                                        |
| signature   | ssl_ca_290921649885578410804546618028676901342865361490       |
| start_date  | 2022-10-19 09:52:17+00:00                                     |
| expiry_date | 2023-10-19 09:52:17+00:00                                     |
| subject     | CN=internal.daitan.com,OU=Org,O=Daitan,L=Campinas,ST=SP,C=BR  |
+-------------+---------------------------------------------------------------+

Actual Behavior
----------------
Certificate not installed, with an error message:

"Cannot install certificate with same subject
Please uninstall the following CA certs that have the same subject first."

Reproducibility
---------------
100% reproducible.

System Configuration
--------------------
simplex, duplex

Branch/Pull Time/Commit
-----------------------
N/A.

Last Pass
---------
N/A.

Timestamp/Logs
--------------
N/A.

Test Activity
-------------
Developer Testing.

Workaround
----------
Change the order.
Install as ssl_ca certificate first then openstack_ca certificate.

Changed in starlingx:
assignee: nobody → Marcelo de Castro Loebens (mdecastr)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to config (master)

Reviewed: https://review.opendev.org/c/starlingx/config/+/861659
Committed: https://opendev.org/starlingx/config/commit/77bfd8a15fc6fa229c223c4dc8baa65ca49bdf28
Submitter: "Zuul (22348)"
Branch: master

commit 77bfd8a15fc6fa229c223c4dc8baa65ca49bdf28
Author: Marcelo Loebens <email address hidden>
Date: Mon Oct 17 15:22:49 2022 -0400

    Fix duplicate subject issue for SSL_CA certs

    Fixed an issue where SSL_CA certs were considered duplicate
    when installed after other certificate with different
    mode but same subject.

    Test Plan:

    PASS: Install 2 certs with same subject, the first as
          OpenStack_CA mode and the second as SSL_CA. Verify
          the installation as successful.
    PASS: Install 2 certs with same subject, both as SSL_CA.
          Verify the installation is stopped with a warning saying
          "Cannot install certificate with same subject."

    Closes-Bug: 1993731

    Signed-off-by: Marcelo Loebens <email address hidden>
    Change-Id: I9c7fd91a09a0056d08a97505087ccde60b770e5a

Changed in starlingx:
status: In Progress → Fix Released
Ghada Khalil (gkhalil)
Changed in starlingx:
importance: Undecided → Low
tags: added: stx.8.0 stx.security
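
The duplicate-subject behaviour from the report and the commit message, modelled as an added example (not StarlingX code and not written by the reporter). `Cert`, `subject_clashes` and `replay` are hypothetical names, `SECOND_SERIAL` is a constructed value, and applying the rule only to ssl_ca installs is an assumption drawn from the workaround.

```python
from dataclasses import dataclass

# Subject and serial copied from the CLI output in the report;
# SECOND_SERIAL is constructed to stand for a different cert with the same subject.
SUBJECT = "CN=internal.daitan.com,OU=Org,O=Daitan,L=Campinas,ST=SP,C=BR"
SERIAL = 290921649885578410804546618028676901342865361490
SECOND_SERIAL = SERIAL + 1


@dataclass(frozen=True)
class Cert:
    mode: str      # "openstack_ca" or "ssl_ca"
    subject: str
    serial: int

    @property
    def signature(self):
        # Same "<mode>_<serial>" shape as the signature field shown by the CLI.
        return f"{self.mode}_{self.serial}"


def subject_clashes(installed, new, scope_by_mode):
    """Return the installed certs that block `new` under the duplicate-subject rule.

    Assumption: the rule is applied to ssl_ca installs only, which is what the
    workaround (ssl_ca first, then openstack_ca) implies.
    """
    if new.mode != "ssl_ca":
        return []
    return [c for c in installed
            if c.subject == new.subject
            and (c.mode == new.mode or not scope_by_mode)]


def replay(certs, scope_by_mode):
    """Install certs in order; return (signature, 'installed' | 'rejected') per cert."""
    installed, results = [], []
    for cert in certs:
        if subject_clashes(installed, cert, scope_by_mode):
            results.append((cert.signature, "rejected"))
        else:
            installed.append(cert)
            results.append((cert.signature, "installed"))
    return results


openstack = Cert("openstack_ca", SUBJECT, SERIAL)
ssl = Cert("ssl_ca", SUBJECT, SERIAL)
ssl_other = Cert("ssl_ca", SUBJECT, SECOND_SERIAL)
```

`replay([openstack, ssl], scope_by_mode=False)` reproduces the reported rejection, and `scope_by_mode=True` gives the behaviour in the commit's test plan: the cross-mode install succeeds while a second ssl_ca cert with the same subject is still refused.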