CLI can't connect with SSL when IP SAN is used

Description

Customer took the following steps:

  • Create Cloudify manager (non-SSL)

  • Create a CSR for the manager, in the subjectAlternativeNames section include:

  • Get that CSR signed by a CA

  • Install the certificate and key into the Cloudify manager (/etc/cloudify/ssl/external_*.cer)

  • Enable SSL on the Cloudify manager (cfy ssl enable)

At this stage, you won't be able to connect to the Cloudify manager without --skip-validation.

  • Create a profile with the CA certificate as the rest_public_certificate

  • Note that this fails as "the rest_public_certificate does not match the server's certificate"

The problem seems to have gone away when the ipaddress Python package was added to the CLI's virtualenv.

Steps to Reproduce

add steps to reproduce

Why Propose Close?

None

Activity

Isaac Shabtay
March 8, 2018, 1:57 PM


Having trouble reproducing it. Even without ipaddress installed, I'm able to use SSL with a cert that has SAN.
I'll contact the originating customer to find out what I'm missing.

Isaac Shabtay
March 24, 2018, 7:40 PM

Can't reproduce this.

Isaac Shabtay
March 30, 2018, 12:40 AM

Was able to reproduce this after customer's clarification:

1. Cert CNF file has both a DNS and an IP address
2. "cfy profiles use" is provided with the IP address

Apparently this problem has to do with: https://github.com/shazow/urllib3/blob/master/urllib3/packages/ssl_match_hostname/_implementation.py#L9
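
A simplified model of the failure described in the comment above, as an added example (not urllib3's or Cloudify's code): it assumes a hostname matcher that can only compare IP SAN entries when the `ipaddress` package is importable. The certificate, hostnames and function names are constructed for illustration.

```python
import ipaddress

# Constructed certificate in the dict shape ssl.SSLSocket.getpeercert() returns:
# one DNS SAN and one IP SAN, as in the reproduction above.
CERT = {
    "subject": ((("commonName", "manager.example.com"),),),
    "subjectAltName": (("DNS", "manager.example.com"),
                       ("IP Address", "10.0.0.5")),
}


def san_matches(cert, hostname, ipaddress_available=True):
    """Return True if hostname matches a SAN entry in cert.

    ipaddress_available=False models a virtualenv where the ipaddress
    package cannot be imported, so the hostname is never parsed as an IP.
    """
    host_ip = None
    if ipaddress_available:
        try:
            host_ip = ipaddress.ip_address(hostname)
        except ValueError:
            host_ip = None  # not an IP literal, treat as a DNS name

    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS" and host_ip is None:
            # Exact, case-insensitive comparison; wildcards omitted for brevity.
            if value.lower() == hostname.lower():
                return True
        elif kind == "IP Address" and host_ip is not None:
            if ipaddress.ip_address(value) == host_ip:
                return True
    return False


def diagnose(cert, hostname):
    """Compare both environments for one hostname."""
    return {
        "with_ipaddress": san_matches(cert, hostname, True),
        "without_ipaddress": san_matches(cert, hostname, False),
    }


if __name__ == "__main__":
    for host in ("manager.example.com", "10.0.0.5", "10.0.0.6"):
        print(host, diagnose(CERT, host))
```

Connecting by DNS name validates in both environments, which is consistent with the issue only appearing once the profile was pointed at the IP address.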

Isaac Shabtay
March 30, 2018, 12:42 AM
Done

Assignee

Unassigned

Reporter

Isaac Shabtay

Labels

Severity

High

Target Version

4.4

Premium Only

no

Found In Version

4.3

QA Owner

Lital Hamami

Bug Type

None

Customer Encountered

None

Customer Name

None

Release Notes

None

Priority

None

Epic Link

Sprint

None

Priority

Unprioritized