
Bug 1510885

Summary: Cloudforms: Error "does not match the server certificate" while adding hawkular endpoint using custom CA
Product: Red Hat CloudForms Management Engine
Reporter: Imaan <ikaur>
Component: Providers
Assignee: Beni Paskin-Cherniavsky <cben>
Status: CLOSED NOTABUG
QA Contact: Einat Pacifici <epacific>
Severity: high
Priority: high
Version: 5.8.0
CC: bazulay, epacific, fsimonce, gblomqui, jfrey, jhardy, myoder, obarenbo, savsingh
Target Milestone: GA
Target Release: 5.8.3
Hardware: Unspecified
OS: Unspecified
Whiteboard: container
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2017-11-21 11:26:37 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: Container Management

Attachments:
hawkular.png (flags: none)
default.png (flags: none)

Description Imaan 2017-11-08 11:53:46 UTC
Created attachment 1349413 [details]
hawkular.png

Description of problem:

While adding the hawkular endpoint using a custom CA, the error "host name does not match the server certificate" appears.


Version-Release number of selected component (if applicable):

5.8.2.3


How reproducible:

Always


Steps to Reproduce:

1. Login to operational portal of CFME

2. Navigate to Compute -> Containers -> Providers -> Configuration -> Add Container Provider -> Click on Hawkular tab -> Select SP "SSL trusting custom CA" -> Specify port (433) and host name -> Paste trusted CA certificates -> Click on validate 

3. It will give "Credential validation was not successful: hostname "hawkular-metrics.apps.gsslab.pnq2.redhat.com" does not match the server certificate"

Refer to hawkular.png

Actual results: Credential validation was not successful due to a server certificate mismatch error.


Expected results: Credential validation should be successful.


Additional info: Able to validate default endpoints using SSL trusting custom CA.

Navigate to Compute -> Containers -> Providers -> Configuration -> Add Container Provider -> Click on Default tab -> Select SP "SSL trusting custom CA" -> Specify port (8433) and host name -> Paste trusted CA certificates -> Click on validate

Refer to default.png



Error in evm logs:

[----] W, [2017-11-08T05:59:55.542555 #22563:482a8a8]  WARN -- : MIQ(ManageIQ::Providers::Openshift::ContainerManager#authentication_check_no_validation) type: ["hawkular"] for [78000000000011] [ocp-3.5] Validation failed: error, hostname "hawkular-metrics.apps.gsslab.pnq2.redhat.com" does not match the server certificate
[----] E, [2017-11-08T05:59:55.544637 #22563:482a8a8] ERROR -- : MIQ(ems_container_controller-update): Credential validation was not successful: hostname "hawkular-metrics.apps.gsslab.pnq2.redhat.com" does not match the server certificate

Comment 2 Imaan 2017-11-08 11:54:30 UTC
Created attachment 1349414 [details]
default.png

Comment 6 Savitoj Singh 2017-11-10 10:01:55 UTC
I started investigating this issue and here are my findings:

As mentioned in the error, it's clear that the endpoint where hawkular terminates has the default router's certificate, which has CN=router.default.svc:

# echo q | openssl s_client -connect hawkular-metrics.apps.gsslab.pnq2.redhat.com:443 2>&1 | openssl x509 -noout -subject

subject= /CN=router.default.svc

But the CN mentioned is: hawkular-metrics.apps.gsslab.pnq2.redhat.com

CFME expects hawkular-metrics.apps.gsslab.pnq2.redhat.com in the CN of the router endpoint service.

It seems that you need to create the certs by providing the openshift_metrics_hawkular_ca, openshift_metrics_hawkular_cert and openshift_metrics_hawkular_key options in the inventory file; otherwise it will use the router's certificate by default.

https://docs.openshift.com/container-platform/3.6/install_config/cluster_metrics.html
https://docs.openshift.com/container-platform/3.6/install_config/cluster_metrics.html#metrics-using-secrets-byo-certs
https://docs.openshift.com/container-platform/3.6/install_config/cluster_metrics.html#metrics-ansible-variables
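
The failure above is ordinary TLS hostname verification: the client compares the name it connected to against the DNS identities in the server certificate, and a certificate with only CN=router.default.svc can never match hawkular-metrics.apps.gsslab.pnq2.redhat.com. The following is an added illustration (not CFME/ManageIQ or OpenShift code) of that check in Python, run over constructed samples of `openssl x509 -noout -subject -ext subjectAltName` output: one modelled on the router default certificate quoted in this comment, and one modelled on the wildcard router certificate the linked docs describe. The hostname is the one from this bug; both sample outputs are constructed here.

```python
"""Client-side hostname verification (RFC 6125 / RFC 2818 rules) applied to
certificate identities like the ones seen in this bug.
Added illustration, not ManageIQ/CFME code; sample openssl output is constructed."""
import re

# Constructed: what the router default cert looks like in old openssl output
# (no subjectAltName at all, as in Comment 6).
ROUTER_DEFAULT_OUTPUT = """subject= /CN=router.default.svc
"""

# Constructed: a wildcard router cert covering the apps subdomain, in the
# newer openssl 1.1.x output format, SAN included.
WILDCARD_ROUTER_OUTPUT = """subject=CN = *.apps.gsslab.pnq2.redhat.com
X509v3 Subject Alternative Name:
    DNS:*.apps.gsslab.pnq2.redhat.com
"""

HAWKULAR_HOST = "hawkular-metrics.apps.gsslab.pnq2.redhat.com"


def parse_openssl_identity(text):
    """Extract (subject CN, [SAN DNS names]) from openssl x509 text output.
    Handles both the legacy 'subject= /CN=x' and newer 'subject=CN = x' forms."""
    cn = None
    m = re.search(r"^subject=.*?CN\s*=\s*([^,/\n]+)", text, re.M)
    if m:
        cn = m.group(1).strip()
    san = [d.strip() for d in re.findall(r"DNS:([^,\s]+)", text)]
    return cn, san


def dns_name_matches(pattern, hostname):
    """Match one certificate DNS identity against a hostname.

    Rules: comparison is case-insensitive; a single '*' is allowed only as
    the entire leftmost label and only when at least two more labels follow
    (so '*.com' is rejected); the wildcard matches exactly one label, so
    '*.apps.example.com' matches 'a.apps.example.com' but not
    'a.b.apps.example.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    # The wildcard consumes one label; everything after it must match exactly.
    return len(h_labels) == len(p_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(hostname, cn, san_dns):
    """If the certificate carries any SAN DNS entries, only those are
    consulted; the subject CN is a legacy fallback used only when SAN is absent."""
    candidates = san_dns if san_dns else ([cn] if cn else [])
    return any(dns_name_matches(c, hostname) for c in candidates)


def check_endpoint(hostname, openssl_output):
    """Return True if the certificate described by the openssl output is
    valid for `hostname`, i.e. the check that fails in this bug."""
    cn, san = parse_openssl_identity(openssl_output)
    return hostname_matches(hostname, cn, san)


if __name__ == "__main__":
    samples = (
        ("router default cert", ROUTER_DEFAULT_OUTPUT),
        ("wildcard router cert", WILDCARD_ROUTER_OUTPUT),
    )
    for label, output in samples:
        verdict = "matches" if check_endpoint(HAWKULAR_HOST, output) else "does NOT match"
        print(f"{label}: {verdict} {HAWKULAR_HOST}")
```

To apply this to a live endpoint, feed `parse_openssl_identity` the output of `openssl s_client -connect host:443 </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName`; the `-ext` option needs OpenSSL 1.1.1 or later, older builds print the SAN via `-text` instead.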

Comment 7 Beni Paskin-Cherniavsky 2017-11-12 10:41:26 UTC
Customer case has been closed; my instructions to add a certificate to the hawkular-metrics route, or a wildcard default certificate, helped.

Is there something distinct we need to solve here, or can we NOTABUG this?

It shouldn't even be necessary to specify certs in openshift-ansible inventory; it has been fixed to generate a wildcard default router cert by default:
https://github.com/openshift/openshift-ansible/pull/3821
https://github.com/openshift/openshift-ansible/pull/4120
=> in openshift-ansible 3.7, 3.6.17-1 and later, and on the release-1.5 branch, but not sure if in any releases.