HAProxy routes stop working when invalid cert/key is uploaded for any of route #1706

Closed
jpechane opened this issue Apr 13, 2015 · 8 comments

@jpechane

If a user misconfigures SSL for one of their routes, then HAProxy completely stops serving all routes, with this message in the log:

```
2015-04-13T05:04:55.840373604Z [ALERT] 102/010455 (9097) : Fatal errors found in configuration.
2015-04-13T05:05:43.460748843Z E0413 01:05:43.460661 1 router.go:126] Error reloading router: exit status 1
2015-04-13T05:05:43.460748843Z Reload output: + config_file=/var/lib/haproxy/conf/haproxy.config
2015-04-13T05:05:43.460748843Z + pid_file=/var/lib/haproxy/run/haproxy.pid
2015-04-13T05:05:43.460748843Z + old_pid=
2015-04-13T05:05:43.460748843Z + '[' -f /var/lib/haproxy/run/haproxy.pid ']'
2015-04-13T05:05:43.460748843Z + old_pid=6061
2015-04-13T05:05:43.460748843Z + '[' -n 6061 ']'
2015-04-13T05:05:43.460748843Z + /usr/sbin/haproxy -f /var/lib/haproxy/conf/haproxy.config -p /var/lib/haproxy/run/haproxy.pid -sf 6061
2015-04-13T05:05:43.460748843Z [ALERT] 102/010543 (9100) : parsing [/var/lib/haproxy/conf/haproxy.config:66] : 'bind 127.0.0.1:10444' : inconsistencies between private key and certificate loaded from PEM file '/var/lib/containers/router/certs/ws.cloudapps.example.com.pem'.
2015-04-13T05:05:43.460748843Z [ALERT] 102/010543 (9100) : Error(s) found in configuration file : /var/lib/haproxy/conf/haproxy.config
2015-04-13T05:05:43.460748843Z [WARNING] 102/010543 (9100) : Setting tune.ssl.default-dh-param to 1024 by default, if your workload permits it you should set it to at least 2048. Please set a value >= 1024 to make this warning disappear.
2015-04-13T05:05:43.460748843Z [ALERT] 102/010543 (9100) : Fatal errors found in configuration.
```

Albeit all routes were removed, the message still appears in the log.

I see two problems right now:

  1. One route problem shuts down all routes
  2. The cert files are not removed after route removal

If I remove the offending file from the container, then it starts working again.

@brenton added the kind/bug label Apr 13, 2015
@brenton
Contributor

brenton commented Apr 13, 2015

@abhgupta could someone on the runtime team look into this?

@abhgupta
Member

@pweil- Can you please take a look at this?

@pweil-
Contributor

pweil- commented Apr 13, 2015

Yes, I'll take a look to see what kind of validations we can put in place.

@pweil-
Contributor

pweil- commented Apr 17, 2015

Status update: there are two issues here:

  1. Delete was left as a TODO - I have refactored the cert manager (so it is testable by injecting a real or fake writer), written unit tests, and implemented the delete functionality today. Just waiting on "[BZ-1212362] - routes using same service produce duplicate named backends" (#1786) to be merged so I can rebase and submit. I used the new, guaranteed unique key as the file name for deletes (files will be named -.pem).
  2. The certificates are not validated by the API - I am working on what we can put into place for this.

@pweil-
Contributor

pweil- commented Apr 20, 2015

PR for item 1 above: #1817

@pweil-
Contributor

pweil- commented Apr 20, 2015

PR for item 2 above: #1824

@danmcp

danmcp commented May 11, 2015

Closing in favor of remaining PR: #1824

@danmcp closed this as completed May 11, 2015
@karamfil

Hello,

Has this been fixed? And in what version?

Thanks!
