Existing certificates not updated to include HostAlias #359

Closed
ebaron opened this issue Mar 31, 2022 · 1 comment · Fixed by #360

ebaron commented Mar 31, 2022

If the user has already deployed Cryostat and updates to an operator image containing #352, the existing certificate will not be updated to include the new HostAlias SAN. This results in the following error in Cryostat:

Mar 31, 2022 5:02:00 PM io.cryostat.core.log.Logger warn
WARNING: Exception thrown
java.io.IOException: javax.net.ssl.SSLHandshakeException: Failed to create SSL connection
	at io.cryostat.net.web.http.generic.HealthGetHandler.lambda$checkUri$0(HealthGetHandler.java:170)
	at io.vertx.ext.web.client.impl.HttpContext.handleFailure(HttpContext.java:309)
	at io.vertx.ext.web.client.impl.HttpContext.execute(HttpContext.java:303)
	at io.vertx.ext.web.client.impl.HttpContext.next(HttpContext.java:275)
	at io.vertx.ext.web.client.impl.predicate.PredicateInterceptor.handle(PredicateInterceptor.java:70)
	at io.vertx.ext.web.client.impl.predicate.PredicateInterceptor.handle(PredicateInterceptor.java:32)
	at io.vertx.ext.web.client.impl.HttpContext.next(HttpContext.java:272)
	at io.vertx.ext.web.client.impl.HttpContext.fire(HttpContext.java:282)
	at io.vertx.ext.web.client.impl.HttpContext.fail(HttpContext.java:262)
	at io.vertx.ext.web.client.impl.HttpContext.lambda$handleSendRequest$7(HttpContext.java:422)
	at io.vertx.core.impl.FutureImpl.tryFail(FutureImpl.java:195)
	at io.vertx.ext.web.client.impl.HttpContext.lambda$handleSendRequest$15(HttpContext.java:518)
	at io.vertx.core.http.impl.HttpClientRequestBase.handleException(HttpClientRequestBase.java:133)
	at io.vertx.core.http.impl.HttpClientRequestImpl.handleException(HttpClientRequestImpl.java:371)
	at io.vertx.core.http.impl.HttpClientRequestImpl.lambda$null$6(HttpClientRequestImpl.java:473)
	at io.vertx.core.impl.ContextImpl.executeTask(ContextImpl.java:366)
	at io.vertx.core.impl.EventLoopContext.execute(EventLoopContext.java:43)
	at io.vertx.core.impl.ContextImpl.executeFromIO(ContextImpl.java:229)
	at io.vertx.core.impl.ContextImpl.executeFromIO(ContextImpl.java:221)
	at io.vertx.core.http.impl.HttpClientRequestImpl.lambda$connect$7(HttpClientRequestImpl.java:472)
	at io.vertx.core.http.impl.HttpClientImpl.lambda$getConnectionForRequest$4(HttpClientImpl.java:1048)
	at io.vertx.core.http.impl.ConnectionManager.lambda$getConnection$7(ConnectionManager.java:159)
	at io.vertx.core.http.impl.pool.Pool.connectFailed(Pool.java:397)
	at io.vertx.core.http.impl.pool.Pool.access$600(Pool.java:89)
	at io.vertx.core.http.impl.pool.Pool$Holder.lambda$connect$0(Pool.java:129)
	at io.vertx.core.impl.FutureImpl.tryFail(FutureImpl.java:195)
	at io.vertx.core.http.impl.HttpChannelConnector.connectFailed(HttpChannelConnector.java:255)
	at io.vertx.core.http.impl.HttpChannelConnector.lambda$doConnect$0(HttpChannelConnector.java:164)
	at io.vertx.core.net.impl.ChannelProvider.lambda$connect$1(ChannelProvider.java:78)
	at io.vertx.core.net.impl.ChannelProvider$1.userEventTriggered(ChannelProvider.java:117)
	at io.netty.channel.AbstractChannelHandlerContext.invokeUserEventTriggered(AbstractChannelHandlerContext.java:346)
	at io.netty.channel.AbstractChannelHandlerContext.invokeUserEventTriggered(AbstractChannelHandlerContext.java:332)
	at io.netty.channel.AbstractChannelHandlerContext.fireUserEventTriggered(AbstractChannelHandlerContext.java:324)
	at io.netty.handler.ssl.SslHandler.handleUnwrapThrowable(SslHandler.java:1260)
	at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1241)
	at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1285)
	at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:507)
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:446)
	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
	at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166)
	at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:719)
	at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:655)
	at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:581)
	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493)
	at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:986)
	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
	at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: javax.net.ssl.SSLHandshakeException: Failed to create SSL connection
	at io.vertx.core.net.impl.ChannelProvider$1.userEventTriggered(ChannelProvider.java:115)
	... 25 more
Caused by: javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching cryostat-health.local found.
	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:349)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:292)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:287)
	at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
	at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
	at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
	at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1074)
	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1061)
	at java.base/java.security.AccessController.doPrivileged(Native Method)
	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1008)
	at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1549)
	at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1395)
	at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1236)
	... 20 more
Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching cryostat-health.local found.
	at java.base/sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:212)
	at java.base/sun.security.util.HostnameChecker.match(HostnameChecker.java:103)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:415)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:283)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:141)
	at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:632)
	... 31 more

Related to: #294

@ebaron ebaron added this to the 2.1.0 milestone Mar 31, 2022
@ebaron ebaron self-assigned this Mar 31, 2022

ebaron commented Mar 31, 2022

To see this behaviour:

make deploy IMG=quay.io/ebaron/cryostat-operator:before-352
make create_cryostat_cr
<wait for cryostat-sample-grafana-tls secret to be created>
kubectl patch deploy cryostat-operator-controller-manager -p \
'{"spec":{ "template": {"spec": {"containers": [{"name": "manager", "image": "quay.io/ebaron/cryostat-operator:after-352"}]}}}}'
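The check behind this issue, as an added example that is not part of the issue thread or of the cryostat-operator code base: a stale certificate is one whose DNS subject alternative names no longer cover the set the operator now wants, and the Java client failure in the first comment is simply the hostname check rejecting such a certificate. The example builds a throwaway self-signed certificate standing in for the one in the TLS secret, reports which desired SANs are missing, and runs the same hostname check a TLS client performs. The hostname cryostat-health.local comes from the stack trace; the service name cryostat-sample.default.svc and the exact desired SAN set are constructed for the example, since the page does not list the operator's real SAN set.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// parseCertPEM decodes the first CERTIFICATE block of a PEM blob, the format
// found under tls.crt in a Kubernetes TLS secret after base64 decoding.
func parseCertPEM(certPEM []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block found in PEM input")
	}
	return x509.ParseCertificate(block.Bytes)
}

// MissingDNSSANs returns the names in required that the certificate does not
// carry as DNS subject alternative names (compared case-insensitively).
// An empty result means the certificate already covers the desired SAN set;
// a non-empty one means it must be reissued, not left in place.
func MissingDNSSANs(certPEM []byte, required []string) ([]string, error) {
	cert, err := parseCertPEM(certPEM)
	if err != nil {
		return nil, err
	}
	present := make(map[string]bool, len(cert.DNSNames))
	for _, n := range cert.DNSNames {
		present[strings.ToLower(n)] = true
	}
	missing := []string{}
	for _, r := range required {
		if !present[strings.ToLower(r)] {
			missing = append(missing, r)
		}
	}
	return missing, nil
}

// HostnameAccepted reports whether a TLS client connecting to host would pass
// the hostname check against this certificate. A false result corresponds to
// the "No subject alternative DNS name matching ... found" failure in the trace.
func HostnameAccepted(certPEM []byte, host string) (bool, error) {
	cert, err := parseCertPEM(certPEM)
	if err != nil {
		return false, err
	}
	return cert.VerifyHostname(host) == nil, nil
}

// SelfSignedCertPEM builds a throwaway self-signed certificate with the given
// DNS SANs. It stands in for the certificate issued into the TLS secret; the
// SAN lists passed to it in main are constructed for this example.
func SelfSignedCertPEM(dnsNames []string) ([]byte, error) {
	if len(dnsNames) == 0 {
		return nil, fmt.Errorf("at least one DNS name is required")
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	// Constructed SAN sets: the pre-upgrade certificate names only the service;
	// the desired set adds the HostAlias used by the health check.
	desired := []string{"cryostat-sample.default.svc", "cryostat-health.local"}
	stale, err := SelfSignedCertPEM(desired[:1])
	if err != nil {
		panic(err)
	}
	missing, _ := MissingDNSSANs(stale, desired)
	ok, _ := HostnameAccepted(stale, "cryostat-health.local")
	fmt.Printf("stale cert: missing SANs %v, health-check hostname accepted: %v\n", missing, ok)
	// prints: stale cert: missing SANs [cryostat-health.local], health-check hostname accepted: false
}
```

Against a live cluster the same comparison can be made on the operator-managed TLS secret by extracting its tls.crt value with kubectl, base64-decoding it, and feeding the PEM to openssl x509 -noout -ext subjectAltName; if the expected HostAlias is absent from the printed list after the operator upgrade, the certificate was carried over unchanged and will produce the handshake failure shown above until it is reissued.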
