Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Route certificate ignored #11361

Closed
mvlach opened this issue Oct 13, 2016 · 15 comments
Closed

Route certificate ignored #11361

mvlach opened this issue Oct 13, 2016 · 15 comments
Assignees
@knobunc @weliang1
Labels
component/routing lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. priority/P2

Comments

@mvlach
Copy link

mvlach commented Oct 13, 2016
edited
Loading

When I changed the certificate for the edge termination type, certificate didn't changed. Router still serves the default certificate.

Version

oc v1.3.0
kubernetes v1.3.0+52492b4
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server ********
openshift v1.3.0
kubernetes v1.3.0+52492b4

Steps To Reproduce
  1. create master + node from the ansible - specify the default router certificate
  2. create a route
  3. change route (specify other certificate)
Current Result

Old certificate is returned

Expected Result

The new certificate will be returned
@knobunc knobunc assigned knobunc and weliang1 and unassigned knobunc Oct 14, 2016
@knobunc
Copy link
Contributor

knobunc commented Oct 14, 2016

@weliang1 can you reproduce this please?

@mvlach
Copy link
Author

mvlach commented Oct 14, 2016

Maybe this can help...

https://lists.openshift.redhat.com/openshift-archives/users/2016-October/msg00130.html

@knobunc
Copy link
Contributor

knobunc commented Oct 14, 2016

Thanks @mvlach. @ramr can you see if your other changes will have resolved this?

@weliang1
Copy link

@knobunc let me try

@weliang1
Copy link

Follow above steps, I can replicate same issue in my env:

[root@ip-172-18-8-180 ~]# CA=/etc/origin/master
[root@ip-172-18-8-180 ~]# oadm ca create-server-cert --signer-cert=$CA/ca.crt \

  --signer-key=$CA/ca.key --signer-serial=$CA/ca.serial.txt \
  --hostnames='hello-openshift.com' \
  --cert=cloudapps.crt --key=cloudapps.key

[root@ip-172-18-8-180 ~]# cat cloudapps.crt cloudapps.key $CA/ca.crt > cloudapps.router.pem
[root@ip-172-18-8-180 ~]# oc new-project https
Now using project "https" on server "https://ip-172-18-8-180.ec2.internal:8443".

You can add applications to this project with the 'new-app' command. For example, try:

oc new-app centos/ruby-22-centos7~https://github.com/openshift/ruby-ex.git

to build a new example application in Ruby.
[root@ip-172-18-8-180 ~]# oadm policy add-scc-to-user privileged -z https-user
[root@ip-172-18-8-180 ~]# oadm router router1 --replicas=1 --service-account=https-user -n https --host-network=true --default-cert=cloudapps.router.pem
info: password for stats user admin has been set to fJxKsjo0Cx
--> Creating router router1 ...
secret "router1-certs" created
serviceaccount "https-user" created
error: rolebinding "router-router1-role" already exists
deploymentconfig "router1" created
service "router1" created
--> Failed
[root@ip-172-18-8-180 ~]# oc create -f https://raw.githubusercontent.com/weliang1/Openshift_Networking/master/test50.json
route "route-1" created
service "endpoints" created
pod "endpoint-1" created
[root@ip-172-18-8-180 ~]#
[root@ip-172-18-8-180 ~]# curl --resolve hello-openshift.com:443:172.18.0.203 https://hello-openshift.com --cacert cloudapps.router.pem -vvI

  • Added hello-openshift.com:443:172.18.0.203 to DNS cache
  • About to connect() to hello-openshift.com port 443 (#0)
  • Trying 172.18.0.203...
  • Connected to hello-openshift.com (172.18.0.203) port 443 (#0)
  • Initializing NSS with certpath: sql:/etc/pki/nssdb
  • CAfile: cloudapps.router.pem
    CApath: none
  • SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • Server certificate:
  • subject: CN=hello-openshift.com
  • start date: Oct 14 20:29:39 2016 GMT
  • expire date: Oct 14 20:29:40 2018 GMT
  • common name: hello-openshift.com
  • issuer: CN=openshift-signer@1476454220

HEAD / HTTP/1.1
User-Agent: curl/7.29.0
Host: hello-openshift.com
Accept: /

< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Fri, 14 Oct 2016 20:31:02 GMT
Date: Fri, 14 Oct 2016 20:31:02 GMT
< Content-Length: 17
Content-Length: 17
< Content-Type: text/plain; charset=utf-8
Content-Type: text/plain; charset=utf-8
< Set-Cookie: f5e796f4ec45a2ffe9e31550d256219b=d4ece23b270c46f66c1f289397a4d854; path=/; HttpOnly
Set-Cookie: f5e796f4ec45a2ffe9e31550d256219b=d4ece23b270c46f66c1f289397a4d854; path=/; HttpOnly
< Cache-control: private
Cache-control: private

<

  • Connection #0 to host hello-openshift.com left intact
    [root@ip-172-18-8-180 ~]# curl --resolve hello-openshift.com:443:172.18.0.203 https://hello-openshift.com --cacert cloudapps.router.pem
    Hello OpenShift!
    [root@ip-172-18-8-180 ~]#

    Edit route to have new certificate

    [root@ip-172-18-8-180 ~]# oc get route
    NAME HOST/PORT PATH SERVICES PORT TERMINATION
    route-1 hello-openshift.com endpoints edge
    [root@ip-172-18-8-180 ~]# oc edit route route-1
    route "route-1" edited
    [root@ip-172-18-8-180 ~]#
    [root@ip-172-18-8-180 ~]# curl --resolve hello-openshift.com:443:172.18.0.203 https://hello-openshift.com --cacert cloudapps.router.pem
    Hello OpenShift!
    [root@ip-172-18-8-180 ~]# curl --resolve hello-openshift.com:443:172.18.0.203 https://hello-openshift.com --cacert cloudapps.router.pem -vvI
  • Added hello-openshift.com:443:172.18.0.203 to DNS cache
  • About to connect() to hello-openshift.com port 443 (#0)
  • Trying 172.18.0.203...
  • Connected to hello-openshift.com (172.18.0.203) port 443 (#0)
  • Initializing NSS with certpath: sql:/etc/pki/nssdb
  • CAfile: cloudapps.router.pem
    CApath: none
  • SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • Server certificate:
  • subject: CN=hello-openshift.com
  • start date: Oct 14 20:29:39 2016 GMT
  • expire date: Oct 14 20:29:40 2018 GMT
  • common name: hello-openshift.com
  • issuer: CN=openshift-signer@1476454220

HEAD / HTTP/1.1
User-Agent: curl/7.29.0
Host: hello-openshift.com
Accept: /

< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Fri, 14 Oct 2016 20:34:07 GMT
Date: Fri, 14 Oct 2016 20:34:07 GMT
< Content-Length: 17
Content-Length: 17
< Content-Type: text/plain; charset=utf-8
Content-Type: text/plain; charset=utf-8
< Set-Cookie: f5e796f4ec45a2ffe9e31550d256219b=d4ece23b270c46f66c1f289397a4d854; path=/; HttpOnly
Set-Cookie: f5e796f4ec45a2ffe9e31550d256219b=d4ece23b270c46f66c1f289397a4d854; path=/; HttpOnly
< Cache-control: private
Cache-control: private

<

  • Connection #0 to host hello-openshift.com left intact
    [root@ip-172-18-8-180 ~]#
    [root@ip-172-18-8-180 ~]# oc version
    oc v3.3.1.1
    kubernetes v1.3.0+52492b4
    features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://ip-172-18-8-180.ec2.internal:8443
openshift v3.3.1.1
kubernetes v1.3.0+52492b4
[root@ip-172-18-8-180 ~]#

@ramr
Copy link
Contributor

ramr commented Oct 15, 2016

@mvlach so when you used the default certificate - was it a wildcard one (e.g. *.router.test)? If so, then the route's certificate will be secondary (if its in the same subdomain as the wildcard - example foo.router.test) on the list and won't be used.

@weliang1 your test https://raw.githubusercontent.com/weliang1/Openshift_Networking/master/test50.json doesn't specify any custom certificates, so the defaults would always be used.

@ramr
Copy link
Contributor

ramr commented Oct 15, 2016

@mvlach aah just saw your mailing list message as well. So here's a simple test I wrote up:
https://github.com/ramr/router-default-cert-test

The test assumes you have a service setup called header-test-insecure -- if you use something else, make sure you edit the routes or the json config files (route-using-custom-cert.json and route-using-default-cert.json).

If you set it all up properly, here's the output that you should see:

$ curl -s -k -v --resolve custom.cert.test:443:127.0.0.1 https://custom.cert.test/ 2>&1 | egrep -e 'subject|issuer|Host'  
* Hostname custom.cert.test was found in DNS cache  
*   subject: OU=OpenShift3,O=Security,C=US,ST=CA,CN=header.test  
*   issuer: CN=header.test CA,OU=OpenShift3 test CA,O=Security,ST=CA,C=US  
> Host: custom.cert.test  

$ curl -s -k -v --resolve default-router.cert.test:443:127.0.0.1 https://default-router.cert.test/ 2>&1 | egrep -e 'subject|issuer|Host'  
* Hostname default-router.cert.test was found in DNS cache  
*   subject: CN=router.test,OU=OpenShift3,O=Security,ST=CA,C=US  
*   issuer: CN=router.test,OU=OpenShift3,O=Security,ST=CA,C=US  
> Host: default-router.cert.test

As you can see the custom.cert.test returns the certificate for header.test. And the other host returns the default router cert issued to router.test.

@mvlach
Copy link
Author

mvlach commented Oct 15, 2016
edited
Loading

@ramr yes all certificates was wildcard. We changed the certificate because of alphaSSL certification authority problems. The problem I think is only with wildcard certificates. HAProxy pick the first eligible certificate.

@ramr
Copy link
Contributor

ramr commented Oct 15, 2016

@mvlach yeah if they are all wildcard (for the same subdomain ala *.co.tld), then HAProxy would pick the first eligible certificate. So if the default certificate is a wildcard certificate as an example for *.co.tld, then the cert from route www.co.tld would not be used because the wildcard cert would be the first match.

Now there have been some changes recently onhow the certs are presented and used since PR #11217 merged. This is on master though and assuming you want a default certificate to be used if nothing matches, one solution I can think of is:

  1. use the latest code.
  2. Set the default certificate to something other than a wildcard.
  3. Either modify the haproxy images - custom dockerfile to also add your wildcard certificate to a well known place/path or you could also do it via a secret and mount that secret into the router container. If you do an oc edit dc/router, you should be able to see how the router-secrets get used/mounted.
    The main thing here is to get the wildcard certificate into a well known place/path inside the router container (let's say its at /opt/router/custom.cert).
  4. Modify the haproxy config template to also write a line at the end for your default cert.
    Example: add a line /opt/router/custom.cert *.co.tld after the end of the range loop at:
    https://github.com/openshift/origin/blob/master/images/router/haproxy/conf/haproxy-config.template#L570

HTH

@weliang1
Copy link

@ramr my test log is not in good format and you will not see it clearly until you click edit button, after "oc create -f https://raw.githubusercontent.com/weliang1/Openshift_Networking/master/test50.json", I did "oc edit route xxx" to a specify other certificate, according to @mvlach, the new certificate should be returned, but it did not.

I did not use wildcard certificate, I used exactly host name as shown in my test log above.

@ramr
Copy link
Contributor

ramr commented Oct 17, 2016

@weliang1 works for me - I created a sample repo for testing this:
https://github.com/ramr/router-default-cert-test

Its a bit rough in that it expects a service setup called header-test-insecure but you can always edit the the routes or the json config files (route-using-custom-cert.json and route-using-default-cert.json) to specify a different route.Spec.To service. Thx

@weliang1
Copy link

@ramr after reconfiguring my services/pods/routes json file, I make it work fine in my env too.

@openshift-bot
Copy link
Contributor

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

@openshift-ci-robot openshift-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Feb 8, 2018
@openshift-bot
Copy link
Contributor

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten
/remove-lifecycle stale

@openshift-ci-robot openshift-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Mar 11, 2018
@openshift-bot
Copy link
Contributor

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Exclude this issue from closing again by commenting /lifecycle frozen.

/close

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@knobunc knobunc

@weliang1 weliang1

Labels
component/routing lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. priority/P2
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@danmcp @ramr @openshift-bot @mvlach @knobunc @weliang1 @openshift-ci-robot