Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make Che Theia work when ca.cert doesn't contain complete certificate chain of trust #17938

Closed
mmorhun opened this issue Sep 23, 2020 · 2 comments
Closed

Make Che Theia work when ca.cert doesn't contain complete certificate chain of trust #17938

mmorhun opened this issue Sep 23, 2020 · 2 comments
Assignees
@mmorhun
Labels
area/editor/theia Issues related to the che-theia IDE of Che area/install Issues related to installation, including offline/air gap and initial setup kind/task Internal things, technical debt, and to-do tasks to be performed. severity/P1 Has a major impact to usage or development of the system.
Milestone
7.28

Comments

@mmorhun
Copy link
Contributor

mmorhun commented Sep 23, 2020
edited by tolusha
Loading

Is your task related to a problem? Please describe.

Quite often TLS certificate which is used to verify Che endpoints is mounted into /tmp/che/secret/ca.crt in Che Theia container. If ca.crt contains complete certificate chain of trust (including root CA), then everything works fine. But in case when the secret contains incomplete certificate chain of trust (only intermediate CA), then Che Theia cannot connect to Che server and as a result all panels are empty.

Describe the solution you'd like

Che Theia should connect to Che API even if /tmp/che/secret/ca.crt contains only intermediate CA (the root CA is absent)

Additional context

The problem could be resolved with following workarounds (just to understand what's wrong, the fix should be in the code):

  • Remove mount of /tmp/che/secret/ca.crt
  • Adding complete chain of trust into /tmp/che/secret/ca.crt

Testing environment:
Openshift 4.4+ on AWS with Let's Encrypt TLS certificate
@mmorhun mmorhun added kind/task Internal things, technical debt, and to-do tasks to be performed. area/editor/theia Issues related to the che-theia IDE of Che labels Sep 23, 2020
@che-bot che-bot added the status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. label Sep 23, 2020
@tolusha tolusha mentioned this issue Sep 23, 2020
Closed
@tolusha tolusha added kind/bug Outline of a bug - must adhere to the bug report template. and removed kind/task Internal things, technical debt, and to-do tasks to be performed. labels Sep 23, 2020
@tolusha tolusha changed the title Make Che Theia accept commonly trusted certs in ca.crt Make Che Theia works when ca.cert doesn't contain complete certificate chain of trust Sep 23, 2020
@mmorhun mmorhun changed the title Make Che Theia works when ca.cert doesn't contain complete certificate chain of trust Make Che Theia work when ca.cert doesn't contain complete certificate chain of trust Sep 23, 2020
@l0rd l0rd added severity/P2 Has a minor but important impact to the usage or development of the system. and removed status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. labels Sep 23, 2020
@tolusha tolusha added the area/install Issues related to installation, including offline/air gap and initial setup label Dec 16, 2020
@tolusha tolusha added this to the 7.25 milestone Dec 16, 2020
@tolusha tolusha mentioned this issue Dec 24, 2020
Closed
79 tasks
@tolusha tolusha modified the milestones: 7.25, 7.26 Jan 13, 2021
@tolusha tolusha modified the milestone: 7.27 Feb 2, 2021
@tolusha tolusha added this to the 7.28 milestone Feb 19, 2021
@tolusha tolusha added severity/P1 Has a major impact to usage or development of the system. and removed severity/P2 Has a minor but important impact to the usage or development of the system. labels Feb 24, 2021
@tolusha tolusha mentioned this issue Feb 25, 2021
Closed
70 tasks
@mmorhun mmorhun self-assigned this Mar 3, 2021
@mmorhun
Copy link
Contributor Author

mmorhun commented Mar 3, 2021

I cannot reproduce the issue on Openshift 4.7.0 with default router configured using Let's Encrypt certificate. Additional attempts to query a Che endpoint were successful.
I think the issue was fixed by propagating trusted CA bundle into user workspaces.

@mmorhun mmorhun closed this as completed Mar 3, 2021
@tolusha tolusha reopened this Mar 3, 2021
@tolusha tolusha added sprint/current new&noteworthy For new and/or noteworthy issues that deserve a blog post, new docs, or emphasis in release notes and removed new&noteworthy For new and/or noteworthy issues that deserve a blog post, new docs, or emphasis in release notes labels Mar 5, 2021
@tolusha tolusha added new&noteworthy For new and/or noteworthy issues that deserve a blog post, new docs, or emphasis in release notes and removed team/deploy labels Mar 9, 2021
@tolusha tolusha removed this from the 7.28 milestone Mar 12, 2021
@mmorhun mmorhun mentioned this issue Mar 15, 2021
Merged
11 tasks
This was referenced Mar 18, 2021
Merged
Merged
@tolusha tolusha added kind/task Internal things, technical debt, and to-do tasks to be performed. and removed new&noteworthy For new and/or noteworthy issues that deserve a blog post, new docs, or emphasis in release notes team/deploy kind/bug Outline of a bug - must adhere to the bug report template. labels Mar 19, 2021
@mmorhun
Copy link
Contributor Author

mmorhun commented Mar 19, 2021

In terms of this issue:

  • created patch to Che operator that adds additional cluster-wide CA certificates into Che even if cluster proxy is not configured (in case of Openshift)
  • fixed bug in Che Theia, so now all the propagated bundles are added
  • updated Che doc, added mention about the requirement that some Che components (Che Theia) require full certificates chain in order to trust an endpoint.

However, Che Theia requires to have full certificate chain when verifying an endpoint. This means, that if cluster configured with intermediate CA certificate signed by root one, Che Theia still wants to see the root certificate (However Che server, Keycloak and Openshift itself don't have such a requirement). Investigation showed that such a requirement is caused by axios lib used in Che Theia. This could be easily checked by a simple script (I tried to make it as close to the code in Che Theia as possible):

import axios from 'axios'
import * as tls from 'tls'
import * as https from 'https';
import * as fs from 'fs'

function getAxios() {
  // const caPath = 'root.pem'
  const caPath = 'intermediate.pem'
 
  const certificateAuthority: (string | Buffer)[] = []
  certificateAuthority.push(fs.readFileSync(caPath))
  return axios.create({
    httpsAgent: new https.Agent({
      ca: certificateAuthority,
    }),
  });
}

async function test() {
  const url = 'https://route78zvtq55-myusername-che.apps-crc.testing' // url to Che Theia IDE
  const a = getAxios()
  const response = await a.get(url)
  console.log(response.data)
}

test()

Here, if root is used, then everything works well, but if intermediate certificate is used, axios show error that it cannot verify the chain. This is how axios works (and openssl too). To overcome the problem, it should be replaced with another lib, but here the question arises whether such a move expedient.

@mmorhun mmorhun closed this as completed Mar 22, 2021
@tolusha tolusha added this to the 7.28 milestone Mar 22, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mmorhun mmorhun

Labels
area/editor/theia Issues related to the che-theia IDE of Che area/install Issues related to installation, including offline/air gap and initial setup kind/task Internal things, technical debt, and to-do tasks to be performed. severity/P1 Has a major impact to usage or development of the system.
Projects
None yet
Milestone
7.28
Development

No branches or pull requests
5 participants
@l0rd @azatsarynnyy @tolusha @mmorhun @che-bot