Bug 1510885 - Cloudforms: Error "does not match the server certificate" while adding hawkular endpoint using custom CA
Summary: Cloudforms: Error "does not match the server certificate" while adding hawkul...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Providers
Version: 5.8.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: GA
Target Release: 5.8.3
Assignee: Beni Paskin-Cherniavsky
QA Contact: Einat Pacifici
URL:
Whiteboard: container
Depends On:
Blocks:
Reported: 2017-11-08 11:53 UTC by Imaan
Modified: 2017-12-05 15:42 UTC (History)
CC: 9 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-11-21 11:26:37 UTC
Category: ---
Cloudforms Team: Container Management


Attachments:
hawkular.png (2017-11-08 11:53 UTC, Imaan)
default.png (2017-11-08 11:54 UTC, Imaan)

Description Imaan 2017-11-08 11:53:46 UTC
Created attachment 1349413 [details]
hawkular.png

Description of problem:

While adding the hawkular endpoint using a custom CA, I get "hostname does not match the server certificate".


Version-Release number of selected component (if applicable):

5.8.2.3


How reproducible:

Always


Steps to Reproduce:

1. Login to operational portal of CFME

2. Navigate to Compute -> Containers -> Providers -> Configuration -> Add Container Provider -> Click on Hawkular tab -> Select SP "SSL trusting custom CA" -> Specify port (433) and host name -> Paste trusted CA certificates -> Click on validate 

3. It will give "Credential validation was not successful: hostname "hawkular-metrics.apps.gsslab.pnq2.redhat.com" does not match the server certificate"

Refer to hawkular.png

Actual results: Credential validation was not successful due to mismatch of server certificate error.


Expected results: Credential validation should be successful.


Additional info: Able to validate default endpoints using SSL trusting custom CA.

Navigate to Compute -> Containers -> Providers -> Configuration -> Add Container Provider -> Click on Default tab -> Select SP "SSL trusting custom CA" -> Specify port (8433) and host name -> Paste trusted CA certificates -> Click on validate

Refer to default.png



Error in evm logs:

[----] W, [2017-11-08T05:59:55.542555 #22563:482a8a8]  WARN -- : MIQ(ManageIQ::Providers::Openshift::ContainerManager#authentication_check_no_validation) type: ["hawkular"] for [78000000000011] [ocp-3.5] Validation failed: error, hostname "hawkular-metrics.apps.gsslab.pnq2.redhat.com" does not match the server certificate
[----] E, [2017-11-08T05:59:55.544637 #22563:482a8a8] ERROR -- : MIQ(ems_container_controller-update): Credential validation was not successful: hostname "hawkular-metrics.apps.gsslab.pnq2.redhat.com" does not match the server certificate

Comment 2 Imaan 2017-11-08 11:54:30 UTC
Created attachment 1349414 [details]
default.png

Comment 6 Savitoj Singh 2017-11-10 10:01:55 UTC
I started investigating this issue and here are my findings:

As the error indicates, the endpoint where hawkular terminates presents the default router's certificate, which has CN=router.default.svc:

# echo q | openssl s_client -connect hawkular-metrics.apps.gsslab.pnq2.redhat.com:443 2>&1 | openssl x509 -noout -subject

subject= /CN=router.default.svc

But CN mentioned is: hawkular-metrics.apps.gsslab.pnq2.redhat.com

CFME expects hawkular-metrics.apps.gsslab.pnq2.redhat.com in the CN of the router endpoint service.

It seems that you need to create the certs by providing the openshift_metrics_hawkular_ca, openshift_metrics_hawkular_cert and openshift_metrics_hawkular_key options in the inventory file; otherwise it will use the router's certificate by default.

https://docs.openshift.com/container-platform/3.6/install_config/cluster_metrics.html
https://docs.openshift.com/container-platform/3.6/install_config/cluster_metrics.html#metrics-using-secrets-byo-certs
https://docs.openshift.com/container-platform/3.6/install_config/cluster_metrics.html#metrics-ansible-variables

Comment 7 Beni Paskin-Cherniavsky 2017-11-12 10:41:26 UTC
Customer case has been closed; my instructions to add a certificate to the hawkular-metrics route, or a wildcard default certificate, helped.

Is there something distinct we need to solve here, or can we NOTABUG this?

It shouldn't even be necessary to specify certs in openshift-ansible inventory; it has been fixed to generate a wildcard default router cert by default:
https://github.com/openshift/openshift-ansible/pull/3821
https://github.com/openshift/openshift-ansible/pull/4120
=> in openshift-ansible 3.7, 3.6.17-1 and later, and on release-1.5 branch but not sure if any releases.

