github.com/openshift/installer@v1.4.17/docs/user/openstack/invalid-https-certificates.md

# OpenShift 4.10 refuses legacy HTTPS certificates

With OpenShift v4.10, HTTPS certificates that do not use the `Subject Alternative Names` fields will be rejected. Upgrades will be blocked if such certificates are detected in some areas; however, OpenShift will not automatically check the underlying OpenStack infrastructure prior to upgrading or installing. The following instructions walk you through performing that check.
     4  
---

A script provided below automates the operation. However, it requires a set of tools to be available (including a relatively recent version of `python3-openstackclient`). To manually check your OpenStack infrastructure:

1. Collect the URLs of the OpenStack public endpoints with `openstack catalog list` (HTTP (unsecured) endpoints do not need to be checked)
2. For each public HTTPS endpoint: collect the host (by removing the scheme, the port and the path) and the port
3. Run this openssl command to extract the SAN field of the certificate:
    12  
```plaintext
host=<the host part of the URL>
port=<the port part of the URL; 443 if unspecified>
openssl s_client -showcerts -servername "$host" -connect "$host:$port" </dev/null 2>/dev/null \
    | openssl x509 -noout -ext subjectAltName
```

If the output resembles this, the certificate is OK:

```plaintext
X509v3 Subject Alternative Name:
    DNS:your.host.example.net
```

If instead there is no output, then the certificate is invalid and it needs to be re-issued.
    27  
---

This script automatically checks and reports on all HTTPS endpoints in an OpenStack catalog. Populate the environment with OpenStack credentials for the target cloud, then run the following Bash script.

Requirements:
* Bash v4+
* grep
* [Python OpenStack client][openstack-cli] v4+
* [jq][jq]
* [openssl 1.1.1l+][openssl]
    38  
```bash
#!/usr/bin/env bash

set -Eeuo pipefail

declare catalog san
catalog="$(mktemp)"
san="$(mktemp)"
readonly catalog san

declare invalid=0

openstack catalog list --format json --column Name --column Endpoints \
	| jq -r '.[] | .Name as $name | .Endpoints[] | select(.interface=="public") | [$name, .interface, .url] | join(" ")' \
	| sort \
	> "$catalog"

while read -r name interface url; do
	# Ignore HTTP
	if [[ ${url#"http://"} != "$url" ]]; then
		continue
	fi

	# Remove the scheme from the URL
	noschema=${url#"https://"}

	# If the scheme was not HTTPS, error
	if [[ "$noschema" == "$url" ]]; then
		echo "ERROR (unknown schema): $name $interface $url"
		exit 2
	fi

	# Remove the path and only keep host and port
	noschema="${noschema%%/*}"
	host="${noschema%%:*}"
	port="${noschema##*:}"

	# Add the port if it was implicit
	if [[ "$port" == "$host" ]]; then
		port='443'
	fi

	# Get the SAN fields
	openssl s_client -showcerts -servername "$host" -connect "$host:$port" </dev/null 2>/dev/null \
		| openssl x509 -noout -ext subjectAltName \
		> "$san"

	# openssl returns the empty string if no SAN is found.
	# If a SAN is found, openssl is expected to return something like:
	#
	#    X509v3 Subject Alternative Name:
	#        DNS:standalone, DNS:osp1, IP Address:192.168.2.1, IP Address:10.254.1.2
	if [[ "$(grep -c "Subject Alternative Name" "$san" || true)" -gt 0 ]]; then
		echo "PASS: $name $interface $url"
	else
		invalid=$((invalid+1))
		echo "INVALID: $name $interface $url"
	fi
done < "$catalog"

# clean up temporary files
rm "$catalog" "$san"

if [[ $invalid -gt 0 ]]; then
	echo "${invalid} legacy certificates were detected. Update your certificates to include a SAN field."
	exit 1
else
	echo "All HTTPS certificates for this cloud are valid."
fi
```
   109  
In case the script reports INVALID certificates, they will have to be replaced with formally valid certificates (containing SAN fields for the server) before installing or upgrading to OpenShift v4.10.
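The manual steps and the script above share one parsing step (drop the scheme and path, keep host and port, imply 443) and one failure mode the script does not separate out: when an endpoint cannot be reached, the `openssl x509` stage gets no certificate, the pipeline fails, and with `pipefail` set the whole run aborts without a report. The Bash functions below are an added example, not part of the OpenShift installer documentation. They put the URL parsing into a function that can be exercised offline and that also accepts bracketed IPv6 literals and URLs without a path, and they return a distinct status for unreachable endpoints so a connection error is never reported as a legacy certificate. The function names (`endpoint_host_port`, `san_check`, `classify_endpoint`, `check_catalog`) and the sample endpoint URLs are constructed for this example.

```bash
#!/usr/bin/env bash
# Added example, not part of the OpenShift installer docs. Splits an OpenStack
# public endpoint URL into host and port (steps 1-2 of the manual check), then
# inspects the served certificate for a SAN extension (step 3). Function names
# and the sample URLs at the bottom are constructed for this example.
set -Eeuo pipefail

# endpoint_host_port URL
# Prints "HOST PORT" for an https:// URL; returns 1 for any other scheme so
# callers can skip plain-HTTP endpoints the way the catalog check does.
# Handles URLs with no path, with an explicit port, and IPv6 literals in
# brackets ("https://[2001:db8::10]:13776/v3"), which a plain split on ":"
# would mangle.
endpoint_host_port() {
	local url=$1 rest hostport host port
	[[ $url == https://* ]] || return 1
	rest=${url#https://}
	# Keep only "host[:port]": drop the path and any query string.
	hostport=${rest%%[/?]*}
	if [[ $hostport == \[* ]]; then
		# Bracketed IPv6 literal: the host is the text inside the brackets.
		host=${hostport%%]*}
		host=${host#\[}
		port=${hostport#*]}
		port=${port#:}
	else
		host=${hostport%%:*}
		port=${hostport#"$host"}
		port=${port#:}
	fi
	# 443 is implied when the URL carries no port.
	[[ -n $port ]] || port=443
	printf '%s %s\n' "$host" "$port"
}

# san_check HOST PORT
# 0: the certificate carries a Subject Alternative Name extension
# 1: the certificate has no SAN (legacy certificate, must be re-issued)
# 2: no certificate could be retrieved (connection refused, handshake failed)
# Returning 2 keeps an unreachable endpoint from aborting the run under
# "set -e -o pipefail" and from being misreported as a legacy certificate.
san_check() {
	local host=$1 port=$2 chain san
	local -a opts=(-connect "$host:$port" -servername "$host")
	if [[ $host == *:* ]]; then
		# IPv6 literal: -connect wants it bracketed, and SNI carries DNS names only.
		opts=(-connect "[$host]:$port")
	fi
	chain=$(openssl s_client -showcerts "${opts[@]}" </dev/null 2>/dev/null) || return 2
	# x509 reads the first PEM block, i.e. the server (leaf) certificate, and
	# exits 0 whether or not the extension is present; the text decides.
	san=$(printf '%s\n' "$chain" | openssl x509 -noout -ext subjectAltName 2>/dev/null) || return 2
	[[ $san == *"Subject Alternative Name"* ]]
}

# classify_endpoint NAME URL
# Prints one report line, mirroring the PASS/INVALID lines of the page's
# script and adding SKIP (plain HTTP) and UNREACHABLE; returns san_check's status.
classify_endpoint() {
	local name=$1 url=$2 hp rc=0
	if ! hp=$(endpoint_host_port "$url"); then
		echo "SKIP (not HTTPS): $name $url"
		return 0
	fi
	# shellcheck disable=SC2086  # hp is "host port", word-split on purpose
	san_check $hp || rc=$?
	case $rc in
		0) echo "PASS: $name $url" ;;
		1) echo "INVALID: $name $url" ;;
		*) echo "UNREACHABLE: $name $url" ;;
	esac
	return "$rc"
}

# check_catalog < LINES
# Reads "name interface url" lines (the format the page's jq filter emits) and
# returns the number of INVALID endpoints. UNREACHABLE endpoints are reported
# but not counted: they need a connectivity fix, not a new certificate.
check_catalog() {
	local name interface url invalid=0 rc
	while read -r name interface url; do
		rc=0
		classify_endpoint "$name" "$url" || rc=$?
		[[ $rc -eq 1 ]] && invalid=$((invalid + 1))
	done
	return "$invalid"
}

# Constructed sample catalog URLs (not from a real cloud) to show the parser
# offline; the live checks above need network access to the endpoints.
for url in \
	'https://keystone.example.net:13000/v3' \
	'https://[2001:db8::10]:13776/v3/' \
	'https://nova.example.net/v2.1' \
	'http://swift.example.net:8080/v1/AUTH_%(tenant_id)s'; do
	if hp=$(endpoint_host_port "$url"); then
		printf '%-55s -> %s\n' "$url" "$hp"
	else
		printf '%-55s -> not HTTPS, skipped\n' "$url"
	fi
done
```

To run it against a real catalog, feed `check_catalog` the same `openstack catalog list ... | jq ...` pipeline the page's script writes to its temporary file, e.g. `check_catalog < "$catalog"`, and treat a non-zero return as the count of certificates to re-issue.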
   111  
## Legacy certificates

The [OpenShift v4.6 release notes][4.6-release-notes] warned about the deprecation in OpenShift of HTTPS certificates that expose the protected names only in the CommonName field. With v4.10, this deprecation is enforced in the clusters: HTTPS certificates must now use the `Subject Alternative Names` fields or be rejected.

[openstack-cli]: https://docs.openstack.org/python-openstackclient/latest/ "OpenStackClient (aka OSC) is a command-line client for OpenStack that brings the command set for Compute, Identity, Image, Object Storage and Block Storage APIs together in a single shell with a uniform command structure"
[jq]: https://stedolan.github.io/jq/ "jq is a lightweight and flexible command-line JSON processor."
[openssl]: https://www.openssl.org/ "Cryptography and SSL/TLS Toolkit"
[4.6-release-notes]: https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-tls-common-name "OpenShift Container Platform 4.6 release notes"