Issue with self-signed TLS certificates

name: Bug report
about: Create a report to help us improve

If you believe your bug report is a security issue (e.g. a packet that can kill the server), DO NOT REPORT IT HERE. Please use https://www.isc.org/community/report-bug/ instead or send mail to security-office(at)isc(dot)org.

Describe the bug I'm using stork as part of a managed environment with Red Hat's IDM (FreeIPA) handling certificate for the internal network. Using self-signed certificates with Stork does not allow TLS connections with web browsers. Using the same certificates with other applications on the same server works. Hostnames/domain names changed to protect the innocent.

To Reproduce Steps to reproduce the behavior:

1. Using Kea, Bind9 and Stork:
   1. isc-stork-agent.x86_64 - 0.17.0.210507080500-1
   2. isc-stork-server.x86_64 - 0.17.0.210507080500-1
   3. kea.x86_64 - 1.9.4-1.fc34
   4. bind.x86_64 - 32:9.16.15-1.fc34
2. Generate a self signed certificate. I'm using Red Hat's Dogtag / IDM system to generate the certificates instructions: https://blog.christophersmart.com/2014/08/24/creating-certs-and-keys-for-services-using-freeipa-dogtag/
3. Configure the Stork server:

# database settings
STORK_DATABASE_HOST=localhost
STORK_DATABASE_PORT=5432
STORK_DATABASE_NAME=stork
STORK_DATABASE_USER_NAME=stork
# empty password is set to avoid prompting user for password to database
STORK_DATABASE_PASSWORD="<redacted>"

# ReST API settings
STORK_REST_HOST=192.168.1.2
STORK_REST_PORT=8067
STORK_REST_TLS_CERTIFICATE=/etc/stork/stork.pem
STORK_REST_TLS_PRIVATE_KEY=/etc/stork/tork.key
STORK_REST_TLS_CA_CERTIFICATE=/usr/share/ipa/html/ca.crt
STORK_REST_STATIC_FILES_DIR=/usr/share/stork/www

5. Stork starts normally, but returns an certificate error when attempting to open the website.
6. curl -vvv https://192.168.1.2 display the following:

$ curl -vvv https://ipa-01.example.com:8067
*   Trying 192.168.1.2:8067...
* Connected to ipa-01.example.com (192.168.1.2) port 8067 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: O=EXAMPLE.COM; CN=ipa-01.example.com
*  start date: May  3 01:42:46 2021 GMT
*  expire date: May  4 01:42:46 2023 GMT
*  subjectAltName: host "ipa-01.example.com" matched cert's "ipa-01.example.com"
*  issuer: O=EXAMPLE.COM; CN=Certificate Authority
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* OpenSSL SSL_write: Broken pipe, errno 32
* Failed sending HTTP2 data
* Connection #0 to host ipa-01.example.com left intact
curl: (16) OpenSSL SSL_write: Broken pipe, errno 32

7. The same certificates on the same server produce no errors when used with another application (prometheus): $ curl -vvv https://ipa-01.example.com:9000/metrics

• Trying 192.168.1.2:9000...
• Connected to ipa-01.example.com (192.168.1.2) port 9000 (#0)
• ALPN, offering h2
• ALPN, offering http/1.1
• successfully set certificate verify locations:
• CAfile: /etc/pki/tls/certs/ca-bundle.crt
• CApath: none
• TLSv1.3 (OUT), TLS handshake, Client hello (1):
• TLSv1.3 (IN), TLS handshake, Server hello (2):
• TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
• TLSv1.3 (IN), TLS handshake, Certificate (11):
• TLSv1.3 (IN), TLS handshake, CERT verify (15):
• TLSv1.3 (IN), TLS handshake, Finished (20):
• TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
• TLSv1.3 (OUT), TLS handshake, Finished (20):
• SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
• ALPN, server did not agree to a protocol
• Server certificate:
• subject: O=EXAMPLE.COM; CN=ipa-01.example.com
• start date: May 3 01:42:46 2021 GMT
• expire date: May 4 01:42:46 2023 GMT
• subjectAltName: host "ipa-01.example.com" matched cert's "ipa-01.example.com"
• issuer: O=EXAMPLE.COM; CN=Certificate Authority
• SSL certificate verify ok.

GET /metrics HTTP/1.1 Host: ipa-01.example.com:9000 User-Agent: curl/7.76.1 Accept: /

• TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
• Mark bundle as not supporting multiuse < HTTP/1.1 200 OK < Content-Type: text/plain; version=0.0.4; charset=utf-8 < Date: Tue, 11 May 2021 16:03:10 GMT < Transfer-Encoding: chunked <

HELP go_gc_duration_seconds A summary of the pause duration of garbage collection cycles.

TYPE go_gc_duration_seconds summary

go_gc_duration_seconds{quantile="0"} 3.5531e-05 go_gc_duration_seconds{quantile="0.25"} 0.000102564 go_gc_duration_seconds{quantile="0.5"} 0.00013617 go_gc_duration_seconds{quantile="0.75"} 0.000168258 go_gc_duration_seconds{quantile="1"} 0.000635662 go_gc_duration_seconds_sum 0.146570868 go_gc_duration_seconds_count 1063

Expected behavior Secured TLS connections with Stork.

Environment:

• OS Fedora 34 and RHEL 8.3
• isc-stork-agent.x86_64 - 0.17.0.210507080500-1
• isc-stork-server.x86_64 - 0.17.0.210507080500-1
• kea.x86_64 - 1.9.4-1.fc34
• bind.x86_64 - 32:9.16.15-1.fc34

Stork is from the official repositories

Additional Information Kea is working as expected, as is named/bind9. I have not tested certificates with a full subject. I can easily regenerate the certificate with the full subject if required.

Describe the solution you'd like Self signed certificates to work with stork