Uploaded image for project: 'Red Hat Fuse'
  1. Red Hat Fuse
  2. ENTESB-17779

Fuse console client auth fails when multiple cert authorities are present in jolokia caCert file

    XMLWordPrintable

Details

    • Bug
    • Resolution: Not a Bug
    • Major
    • fuse-7.11-GA
    • fuse-7.4-GA
    • Fuse Console, Hawtio
    • None
    • False
    • False
    • % %
    • Todo
    • Hide

      Use a configmap to mount a new CA cert file with only the single trusted CA, and configure Jolokia to use that file instead via an environment variable

      name: AB_JOLOKIA_OPTS
      value: caCert=/path/to/custom-service-ca.crt

      Show
      Use a configmap to mount a new CA cert file with only the single trusted CA, and configure Jolokia to use that file instead via an environment variable name: AB_JOLOKIA_OPTS value: caCert=/path/to/custom-service-ca.crt

    Description

      The Jolokia process uses the caCert parameter to determine which client certificates are trusted for client authentication. Jolokia expects a single cert in the following location:

      $ oc rsh $APP_POD cat /opt/jolokia/etc/jolokia.properties | egrep "useSsl|caCert"
useSslClientAuthentication=true
caCert=/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt

      If multiple CA certs are present in that location, and the signer of the Fuse Console client cert is not first in the list, client authentication will fail with a PKIX path building error. The expected CA cert is the service serving signer cert:

      $ oc exec $APP_POD -- cat /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt | openssl x509 -text -noout | grep Issuer
Issuer: CN = openshift-service-serving-signer@1636040859

      In some cases, multiple certs are present and Jolokia only trusts the first in the list, for example:

       Issuer:  CN=kube-apiserver-lb-signer, OU=openshift

      Attachments

        Issue Links

          is related to

          Bug - A problem that impairs or prevents the functions of the product. ENTESB-21742 New Fuse Console deployments don't work after yearly "openshift-service-serving-signer" certificate rotation.

          • Critical - To be worked on immediately following BLOCKER issues.
          • Done

          Activity

            People

              mmelko@redhat.com Matej Melko
              rhn-support-shiggs Stephen Higgs
              Juri Solovjov Juri Solovjov
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: