Recommend using SAN instead of SSL CommonName

Bug #1906387 reported by Brendan Shephard
Affects: tripleo
Status: Fix Released
Importance: Undecided
Assigned to: Brendan Shephard
Milestone: (not set)

Bug Description

Description:
Currently, our documentation suggests that operators create SSL certificates using just the CommonName to identify the intended host:
https://opendev.org/openstack/tripleo-docs/src/branch/master/deploy-guide/source/features/ssl.rst#user-content-overcloud-ssl

Problem:
Usage of the CommonName field alone has been considered deprecated and not best practice for some time now. Rather, the use of SANs should be implemented to identify the intended server. For example, using a SAN to designate the host overcloud.example.com, rather than relying on the CommonName. Some issues are starting to arise because of this, for example when deploying OKD (OpenShift), the latest version of Go has deprecated the use of CommonNames:
https://golang.org/doc/go1.15#commonname

So multiple services will be failing and the installer will complain during the installation. The errors look like so:

```
❯ oc logs image-registry-549db88f59-dnkb9
time="2020-12-01T10:07:31.532850244Z" level=info msg="start registry" distribution_version=v2.6.0+unknown go.version=go1.15.0 openshift_version=v3.11.0+077ff76-186-dirty
time="2020-12-01T10:07:31.535200927Z" level=info msg="caching project quota objects with TTL 1m0s" go.version=go1.15.0
panic: Swift authentication failed: Post "https://openstack.bne-home.net:13000/v3/auth/tokens": x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0
```

This is fairly simple to solve, you just need to create an SSL cert using SANs and apply it to HAProxy. So, I propose we change our recommendation in the documentation to suggest the use of SANs to comply with best practice.

The CA cert generation can stay the same, but I propose we change the leaf certificate part to the following process:

Create server.csr.cnf:
```
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
[dn]
C=AU
ST=Queensland
L=Brisbane
O=bne-home
OU=admin
<email address hidden>
CN=openstack.bne-home.net
```

Create v3.ext:
```
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1=openstack.bne-home.net
```

Create key:
```
# Generates the private key server.key and the CSR server.csr from server.csr.cnf
openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout server.key -config server.csr.cnf
```

Create Cert:
```
# Signs the CSR with the overcloud CA, applying the SAN extensions from v3.ext
openssl x509 -req -in server.csr -CA overcloud-cacert.pem -CAkey overcloud-ca-privkey.pem -CAcreateserial -out server.crt -days 500 -sha256 -extfile v3.ext
```

But before I send a git review, I wanted to get some feedback and thoughts on the proposal.

Revision history for this message
Brendan Shephard (bshephar) wrote :

Reference to deprecated standard for commonName:
https://tools.ietf.org/html/rfc6125

Changed in tripleo:
assignee: nobody → Brendan Shephard (bshephar)
Changed in tripleo:
status: New → Fix Released