
Commit be00e95

Add OS_CACERT to userrc_early and ensure SERVICE_HOST is SAN
OS_CACERT was being added directly to the environment rather than userrc_early. This caused an untrusted CA error to be thrown. Ensure that SERVICE_HOST is in the Subject Alt. Names of the issued TLS server cert. The gate sets it to 127.0.0.1, which wasn't being handled. Only the FQDN of the host and actual IP address of the machine were being added.

Change-Id: I8a91dffe1a5263d2bcc99ea406a8556045b52be2
1 parent 11b111f commit be00e95
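The commit message asks for SERVICE_HOST to land in the server cert's Subject Alternative Names, and names 127.0.0.1 as the value the gate uses. The script below is an added example, not devstack's own code: it builds a subjectAltName list in which IP literals (IPv4 and IPv6) become IP: entries and names become DNS: entries, drops duplicates, and can issue a throwaway certificate and verify it the way a strict TLS client would. It goes beyond the commit in handling IPv6 and repeated entries. The default SERVICE_HOST, the host names and the addresses are constructed for illustration; the openssl functions used (`req -addext`, `x509 -ext`, `verify -verify_ip`/`-verify_hostname`) need OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not devstack code. Builds a subjectAltName list in which IP
# literals (such as the gate's SERVICE_HOST=127.0.0.1) become IP: entries and
# everything else becomes DNS:, then optionally issues a throwaway cert and
# checks it with a strict verifier. SERVICE_HOST, the host names and the
# addresses below are constructed for illustration.

: "${SERVICE_HOST:=127.0.0.1}"   # constructed default; devstack sets the real value

# Print the SAN entry for one host: IP: for IPv4/IPv6 literals, DNS: otherwise.
san_entry() {
    host=$1
    case $host in
        *:*)        printf 'IP:%s' "$host" ;;    # contains ':' -> IPv6 literal
        *[!0-9.]*)  printf 'DNS:%s' "$host" ;;   # anything but digits and dots -> name
        *.*.*.*)    printf 'IP:%s' "$host" ;;    # dotted quad -> IPv4 literal
        *)          printf 'DNS:%s' "$host" ;;
    esac
}

# Join the SAN entries for all arguments plus SERVICE_HOST, skipping empty
# values and duplicates (appending SERVICE_HOST unconditionally would emit it
# twice when a caller already listed it in alt_names).
build_alt_names() {
    out=""
    for h in "$@" "$SERVICE_HOST"; do
        [ -n "$h" ] || continue
        e=$(san_entry "$h")
        case ",$out," in
            *",$e,"*) continue ;;
        esac
        out="${out:+$out,}$e"
    done
    printf '%s' "$out"
}

# Issue a self-signed server cert carrying those SANs and verify it the way a
# TLS client would: by DNS name or by IP according to the entry type
# (needs openssl 1.1.1+ for -addext, -ext and -verify_ip). Pass the FQDN first.
issue_and_check() {
    dir=$(mktemp -d)
    sans=$(build_alt_names "$@")
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/server.key" -out "$dir/server.crt" \
        -subj "/CN=$1" -addext "subjectAltName=$sans" 2>/dev/null
    openssl x509 -in "$dir/server.crt" -noout -ext subjectAltName
    for h in "$@" "$SERVICE_HOST"; do
        case $(san_entry "$h") in
            IP:*)  openssl verify -CAfile "$dir/server.crt" -verify_ip "$h" "$dir/server.crt" ;;
            DNS:*) openssl verify -CAfile "$dir/server.crt" -verify_hostname "$h" "$dir/server.crt" ;;
        esac
    done
    rm -rf "$dir"
}

# Constructed input: the machine's FQDN and its address; the gate's
# SERVICE_HOST is appended automatically.
build_alt_names devstack.example.org 10.0.0.5
echo
```

Running `issue_and_check devstack.example.org 10.0.0.5` on a host with OpenSSL 1.1.1 or later prints the SAN extension and an OK line per entry: the name is checked with `-verify_hostname`, the two addresses with `-verify_ip`. Tagging 127.0.0.1 as `DNS:127.0.0.1` instead would make the `-verify_ip 127.0.0.1` check fail, because an IP check only consults iPAddress entries.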

2 files changed

Lines changed: 12 additions & 4 deletions


lib/tls

Lines changed: 8 additions & 0 deletions
@@ -257,6 +257,14 @@ function make_cert {
257257
local common_name=$3
258258
local alt_names=$4
259259

260+
if [ "$common_name" != "$SERVICE_HOST" ]; then
261+
if [[ -z "$alt_names" ]]; then
262+
alt_names="DNS:$SERVICE_HOST"
263+
else
264+
alt_names="$alt_names,DNS:$SERVICE_HOST"
265+
fi
266+
fi
267+
260268
# Only generate the certificate if it doesn't exist yet on the disk
261269
if [ ! -r "$ca_dir/$cert_name.crt" ]; then
262270
# Generate a signing request
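Review bot: Lines 260-266 always tag SERVICE_HOST as `DNS:`, but the commit message says the gate sets SERVICE_HOST to 127.0.0.1; RFC 5280 carries IP literals in the iPAddress SAN type, and verifiers that apply it strictly (OpenSSL's X509_check_ip, Python 3.7+ ssl.match_hostname) do not match an IP against a dNSName entry, so the 127.0.0.1 case this change targets can still fail hostname verification. Test whether SERVICE_HOST is an IP literal and emit the matching type, e.g. `if [[ "$SERVICE_HOST" =~ ^[0-9.]+$ ]]; then san="IP:$SERVICE_HOST"; else san="DNS:$SERVICE_HOST"; fi` and append `$san` instead of the hard-coded `DNS:$SERVICE_HOST`. The new block also only compares against `$common_name`; if a caller already passed SERVICE_HOST inside `$alt_names`, the entry is emitted twice, so a `case "$alt_names" in *"$SERVICE_HOST"*)` guard would avoid the duplicate.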

stack.sh

Lines changed: 4 additions & 4 deletions
@@ -1004,10 +1004,6 @@ if is_service_enabled keystone; then
10041004
bootstrap_keystone
10051005
fi
10061006

1007-
if is_service_enabled tls-proxy; then
1008-
export OS_CACERT=$INT_CA_DIR/ca-chain.pem
1009-
fi
1010-
10111007
# Rather than just export these, we write them out to a
10121008
# intermediate userrc file that can also be used to debug if
10131009
# something goes wrong between here and running
@@ -1028,6 +1024,10 @@ export OS_REGION_NAME=$REGION_NAME
10281024
10291025
EOF
10301026

1027+
if is_service_enabled tls-proxy; then
1028+
echo "export OS_CACERT=$INT_CA_DIR/ca-chain.pem" >> $TOP_DIR/userrc_early
1029+
fi
1030+
10311031
source $TOP_DIR/userrc_early
10321032

10331033
create_keystone_accounts
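Review bot: Lines 1027-1029 append OS_CACERT to userrc_early, but nothing checks that `$INT_CA_DIR/ca-chain.pem` is readable before the file is sourced on line 1031; if the chain has not been written yet, OS_CACERT silently points at a missing file and clients fail with the same untrusted-CA error the commit sets out to fix. Add a guard such as `[ -r "$INT_CA_DIR/ca-chain.pem" ] || die $LINENO "tls-proxy enabled but $INT_CA_DIR/ca-chain.pem is missing"` inside the `if`, and quote the redirect target (`>> "$TOP_DIR/userrc_early"`) so a TOP_DIR with spaces does not split the path.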
