Add OS_CACERT to userrc_early and ensure SERVICE_HOST is SAN

OS_CACERT was being added directly to the environment rather
than usercc_early. This caused an untrusted CA error to be
thrown.

Ensure that SERVICE_HOST is in the Subject Alt. Names of the
issued TLS server cert. The gate sets it to 127.0.0.1 which
wasn't being handled. Only the FQDN of the host and actual
IP address of the machine were being added.

Change-Id: I8a91dffe1a5263d2bcc99ea406a8556045b52be2

lib/tls

@@ -257,6 +257,14 @@ function make_cert {
     local common_name=$3
     local alt_names=$4
 
+    if [ "$common_name" != "$SERVICE_HOST" ]; then
+        if [[ -z "$alt_names" ]]; then
+            alt_names="DNS:$SERVICE_HOST"
+        else
+            alt_names="$alt_names,DNS:$SERVICE_HOST"
+        fi
+    fi
+
     # Only generate the certificate if it doesn't exist yet on the disk
     if [ ! -r "$ca_dir/$cert_name.crt" ]; then
         # Generate a signing request

stack.sh

@@ -1004,10 +1004,6 @@ if is_service_enabled keystone; then
         bootstrap_keystone
     fi
 
-    if is_service_enabled tls-proxy; then
-        export OS_CACERT=$INT_CA_DIR/ca-chain.pem
-    fi
-
     # Rather than just export these, we write them out to a
     # intermediate userrc file that can also be used to debug if
     # something goes wrong between here and running
@@ -1028,6 +1024,10 @@ export OS_REGION_NAME=$REGION_NAME
 
 EOF
 
+    if is_service_enabled tls-proxy; then
+        echo "export OS_CACERT=$INT_CA_DIR/ca-chain.pem" >> $TOP_DIR/userrc_early
+    fi
+
     source $TOP_DIR/userrc_early
 
     create_keystone_accounts