Can't login to the UI with SSL when using Firefox

Looking at the comments on undercloud.conf, the new CA authority cert is created at /etc/pki/ca-trust/source/anchors/cm-local-ca.pem so theoretically adding it to the list of trusted CA in Firefox should be sufficient. Unfortunately I'm getting a new error after doing this - SEC_ERROR_EXTENSION_VALUE_INVALID, need to investigate a little bit more.

Another option could be to accept self-signed certificates from the UI itself, when the undercloud was installed with SSL and 'local' as a certificate_generation_ca. This is something we could pick up on during the install, and set appropriately from puppet inside the config file. Not entirely sure if the way we contact the different APIs would let us do this though, I'm not familiar enough with that code.

First that comes to mind is why using ssl when the certificates end up being self signed.

There appears to be 'rejectUnauthorized' option in server side oriented libraries which handle xmlhttp requests. We currently use reqwest [1] library for handling ajax calls which seems not to provide any of such options (and by looking at other tools such as Fetch it does not seem that it is available anywhere else), but even if such option was available, it would have to be tied to a development environment only.

By doing some investigation, I see there is an option in firefox (an most probably in other browsers too) which allow to automatically accept invalid ssl certificates ([2]) this is obviously very insecure, but it imho matches the insecurity of using self-signed certificates.

I'd probably favor not enabling ssl for installing undercloud for testing purposes. If testing ssl and GUI at once, then mentioned browser option should be probably used.

[1] https://www.npmjs.com/package/reqwest
[2] http://stackoverflow.com/questions/20088/is-there-a-way-to-make-firefox-ignore-invalid-ssl-certificates

Additional links:
http://stackoverflow.com/questions/30902547/websocket-ssl-connection
http://stackoverflow.com/questions/32892161/ignore-errors-for-self-signed-ssl-certs-using-the-fetch-api-in-a-reactnative-app/36368360#36368360

SSL must be enabled for UI to work, since enabling SSL brings in haproxy which we then use to proxy requests to the services which UI calls upon. Agreed, however, that the assumption that using self-signed certificates also means assuming the user knows how to configure their environment (in this case, the browser) to use this self signed certificate. I know that's a difficult line to take but it would also turn people more towards using legitimate SSL certificates from vendors such as LetsEncrypt or using their existing CA infrastructure.

I had suspected that including either/or the root CA or intermediate from the certmonger 'local' CA store we could drop clues to Firefox to tell it how to verify the self-signed certificate but using the CA (/etc/pki/ca-trust/source/anchors/cm-local-ca.pem) would work, but my tests didn't seem to indicate this would work.

Subscribing Juan Antonio Osorio since he knows SSL ins and outs very well and should be able to provide some excellent feedback and options.

Fix proposed to branch: master
Review: https://review.openstack.org/394793

Did a lot more investigation in to this. Turns out, even with the CA used by certmonger (/etc/pki/ca-trust/source/anchors/cm-local-ca.pem) imported in to Firefox, we still see exceptions when connecting to SSL endpoints on nonstandard HTTP ports (e.g. anything not :443). That has to do with:

https://bugzilla.mozilla.org/show_bug.cgi?id=700837

It doesn't appear that they're too interested in changing this behavior, either.

The only way I was able to make the UI work in Firefox is by allowing exceptions to each endpoint that UI would communicate with. This is preformed via Options -> Preferences -> Advanced -> View Certificates -> Server, clicking the "Add Exception" button on the bottom, and adding an exception for each of:

http://<undercloud>:13000
http://<undercloud>:13004
http://<undercloud>:13385
http://<undercloud>:13989
http://<undercloud>:13808
http://<undercloud>:9000

Reviewed: https://review.openstack.org/394793
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=ffd7040a6dcfda59a6768fbe481aba332133e83a
Submitter: Jenkins
Branch: master

commit ffd7040a6dcfda59a6768fbe481aba332133e83a
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Tue Nov 8 09:05:12 2016 +0200

    Include local CA in haproxy PEM

    In order for the browser to trust the certificate served by HAProxy
    we need to include the CA cert in the PEM file that the endpoints
    serve.

    Change-Id: Ibce76c1aa04bd3cb09a804c6e9789c55d8f2b417
    Closes-Bug: #1639807

This issue was fixed in the openstack/puppet-tripleo 6.1.0 release.

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/478310

Reviewed: https://review.openstack.org/478310
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=57c4a526445144b6d006abbcc1b206b0a6f8403b
Submitter: Jenkins
Branch: stable/newton

commit 57c4a526445144b6d006abbcc1b206b0a6f8403b
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Tue Nov 8 09:05:12 2016 +0200

    Include local CA in haproxy PEM

    In order for the browser to trust the certificate served by HAProxy
    we need to include the CA cert in the PEM file that the endpoints
    serve.

    Change-Id: Ibce76c1aa04bd3cb09a804c6e9789c55d8f2b417
    Closes-Bug: #1639807
    (cherry picked from commit ffd7040a6dcfda59a6768fbe481aba332133e83a)

This issue was fixed in the openstack/puppet-tripleo 5.6.1 release.